Dual control (two-person approval)
Require a second administrator's approval before your account's most destructive actions run. The "four-eyes" principle, applied to your data.
Dual control (also known as two-person approval or the "four-eyes" principle) is a security option you can enable on your account so that the most dangerous actions don't run instantly: instead, they wait until a second, different administrator approves them. That way, no single person acting alone can destroy critical data.
What it is
Dual control introduces a second pair of eyes into irreversible decisions. When it's active, requesting a destructive action doesn't carry it out immediately: it creates a pending approval request and notifies the other administrators. The action only runs once another administrator reviews and approves it.
It's a segregation of duties control: it separates whoever initiates an action from whoever authorizes it. This way, a slip-up, a compromised credential, or one person's hasty decision is not enough on its own to cause irreparable loss.
Which actions it protects
Dual control applies only to the highest-impact operations, the ones that can mean permanent data loss:
- Delete a bucket: remove an entire bucket.
- Permanently purge a bucket: the irreversible wipe that removes its content with no possibility of recovery.
- Disable a bucket's Legal Hold: lift the lock that keeps a bucket frozen for legal or compliance reasons.
Day-to-day operations—uploading and downloading objects, creating buckets, managing access keys—are unaffected and keep working normally. Dual control is reserved for what truly has no way back.
How it works
- Request: an administrator starts one of the protected actions. Instead of running, it is recorded as a pending request.
- Approval: a second administrator reviews it and decides whether to approve or reject it.
- Execution: only after that second administrator approves does the action run.
Pending requests expire automatically after 7 days if no one approves them, so that no authorizations are left "hanging" indefinitely. If a request expires, you simply start it again when appropriate.
The requester cannot approve their own request
The core rule is simple and admits no exceptions: the administrator who requests an action can never approve their own request. Approval must always come from a different person with administration permissions.
There is no emergency mechanism to bypass this control: no "break-glass," no shortcuts. That rigidity is deliberate, because it's exactly what makes dual control a genuine safeguard against mistakes and abuse.
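The request, approval and expiry rules described above, modelled as an added Python example (this is not the service's own code): the class, the action names and the administrator names are assumptions, and the clock is injected so that the 7-day expiry and the self-approval rule can be exercised.

```python
import time
from dataclasses import dataclass
EXPIRY = 7 * 24 * 3600  # seconds: pending requests expire after 7 days if nobody approves
PROTECTED = {"delete_bucket", "purge_bucket", "disable_legal_hold"}  # hypothetical action names

@dataclass
class ApprovalRequest:
    action: str
    bucket: str
    requester: str
    created_at: float
    status: str = "pending"  # pending | approved | rejected | expired

class DualControl:
    def __init__(self, admins, now=time.time):
        if len(set(admins)) < 2:  # requirement: at least two administrators
            raise ValueError("dual control needs at least two administrators")
        self.admins, self.now = set(admins), now  # `now` is an injectable clock (epoch seconds)
        self.requests, self.audit = {}, []        # audit rows: (time, actor, event, rid)

    def _log(self, actor, event, rid):
        self.audit.append((self.now(), actor, event, rid))

    def request(self, admin, action, bucket):
        # A protected action is only recorded as pending; nothing is executed here.
        if admin not in self.admins or action not in PROTECTED:
            raise PermissionError("only an administrator may request a protected action")
        rid = len(self.requests) + 1
        self.requests[rid] = ApprovalRequest(action, bucket, admin, self.now())
        self._log(admin, "requested", rid)
        return rid

    def _pending(self, rid):
        req = self.requests[rid]
        if req.status == "pending" and self.now() - req.created_at > EXPIRY:
            req.status = "expired"  # lapsed: the requester has to start over
            self._log("system", "expired", rid)
        if req.status != "pending":
            raise ValueError(f"request {rid} is {req.status}, not pending")
        return req

    def decide(self, admin, rid, approve):
        # The requester can never approve their own request; there is no break-glass path.
        req = self._pending(rid)
        if admin not in self.admins or (approve and admin == req.requester):
            raise PermissionError("approval must come from a different administrator")
        req.status = "approved" if approve else "rejected"
        self._log(admin, req.status, rid)
        if approve:
            self._log("system", "executed", rid)  # the action runs only after this approval
        return req.status
```

The audit list is the trail the page describes: who requested, who approved or rejected, and when, with the execution entry appearing only after a second administrator's approval.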
Requirements to enable it
- The account owner enables it: it is entirely optional (opt-in). If you don't need it, your account works exactly as before.
- The account must have at least two administrators. Without a second administrator there would be no one to approve requests, so it's a requirement for enabling it.
Traceability and auditing
The whole cycle is reflected in the account's audit log: who requested each action, who approved or rejected it, and when it happened. You get a complete, verifiable trail of every decision about critical data, ready for internal reviews or external audits.
Fit with compliance
Dual control implements a control that's standard in enterprise compliance frameworks: segregation of duties and change management. It's exactly the kind of safeguard expected by standards such as SOC 2 or ISO 27001, which expect high-risk operations to require more than one person.
If your organization needs to show auditors that no one can destroy information on their own, dual control provides both the control and the evidence to prove it.
Defense in depth
Dual control doesn't replace your other protections: it complements them. While the trash (OtterTrash) lets you recover deleted buckets during a grace period, dual control acts earlier, preventing a dangerous deletion from running at all without a second sign-off.
Combined with versioning, Object Lock, and Legal Hold, dual control adds one more layer to a defense-in-depth strategy: several independent barriers that, together, make it far harder to lose data by mistake or through abuse.
How to enable it
The account owner manages dual control from the web console:
- Make sure the account has at least two administrators.
- Sign in to the console and open the account's security settings.
- Enable dual control. From that point on, destructive actions will require a second administrator's approval.
For more details on protecting your data, see the security guide or the rest of the documentation.
Ready to try it out?
Create your account and protect your data in minutes.
