Managing Account Security
How to change your password, replace your authenticator app, regenerate recovery codes, revoke trusted browsers, sign out other sessions, and review recent sign-ins.
Every security tool lives on your profile page under the Security tab:
- Click your avatar in the top-right → Profile
- Switch to the Security tab
Changes to any of these require a fresh 6-digit code from your authenticator (or a recovery code) — even if you signed in minutes ago. This is by design and can't be skipped; it's what stops someone with a stolen session cookie from silently rewriting your credentials.
Change your password
On the Password card, click Change password. Enter your current password, then your new one twice.
Your new password must be:
- At least 12 characters
- A mix of uppercase, lowercase, digit, and symbol characters
- Different from your current password
- Not a common password, and not containing your email
- Free of leading or trailing whitespace
When you save, every other browser on your account is signed out, every "Remember this browser" trust is revoked, and a notification email fires. You'll need to sign back in here with your new password.
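The password rules listed above can be checked locally before you submit the form. The following is an added example, not this service's own code: the function name `check_new_password`, the small constructed `COMMON_PASSWORDS` set, the definition of "symbol", and the case-insensitive match on the full email address are all assumptions.

```python
# Added illustration of the password rules on this page; not the service's code.
# Constructed sample list (lowercase). A real check would use a large
# breached-password list instead of three entries.
COMMON_PASSWORDS = {"password1234!", "qwertyuiop123!", "letmein12345!"}


def check_new_password(new, confirm, current, email):
    """Return a list of rule violations; an empty list means every rule passes."""
    problems = []
    # The form asks for the new password twice, so both entries must match.
    if new != confirm:
        problems.append("confirmation does not match")
    if len(new) < 12:
        problems.append("shorter than 12 characters")
    classes = {
        "uppercase letter": any(c.isupper() for c in new),
        "lowercase letter": any(c.islower() for c in new),
        "digit": any(c.isdigit() for c in new),
        # Assumption: a symbol is any character that is not a letter,
        # a digit, or whitespace.
        "symbol": any(not c.isalnum() and not c.isspace() for c in new),
    }
    problems += [f"missing {name}" for name, ok in classes.items() if not ok]
    # The form also collects the current password, so a direct comparison works.
    if new == current:
        problems.append("same as current password")
    if new.casefold() in COMMON_PASSWORDS:
        problems.append("common password")
    # Assumption: "containing your email" means the full address, any letter case.
    if email and email.casefold() in new.casefold():
        problems.append("contains email address")
    if new != new.strip():
        problems.append("leading or trailing whitespace")
    return problems


if __name__ == "__main__":
    # Constructed sample input.
    print(check_new_password("alllowercaseletters", "alllowercaseletters",
                             "OldPassw0rd!!", "user@example.com"))
```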
Replace your authenticator app
On the Authenticator app card, click Replace authenticator.
- Scan the new QR code with your authenticator app (Google Authenticator, 1Password, Authy, Microsoft Authenticator, Bitwarden — any RFC 6238 app)
- Enter the 6-digit code your app now shows to confirm
- Delete the old entry from your app once the new one works
Your old TOTP secret stops working the moment you confirm the new code. If you accidentally confirm before you've successfully scanned in a working app, you're locked out of 2FA — use Recovery codes or the "Lost access to your authenticator" flow on the login page to recover.
Regenerate recovery codes
On the Recovery codes card, click Regenerate recovery codes. Confirm the dialog.
- Your existing 10 codes are invalidated immediately
- 10 new codes are shown once — save them to a password manager, a secure note, or print them
- You won't see the new codes again after closing the sheet
If you ever use a recovery code to sign in, you'll see a notice on your profile suggesting you regenerate your codes — running out is dangerous, and using one means a code leaked or got misplaced.
Trusted browsers
On the Trusted browsers card, review the list of browsers where you've checked "Remember this browser for 30 days" at sign-in.
Each entry shows:
- The browser/device user-agent
- The IP address that was used to trust it
- When it was last used and when the trust expires
Revoke anything you don't recognize. Revoking a trusted browser doesn't sign that browser out — it just means the next sign-in from there will require the 6-digit 2FA code again.
- Revoke button per row — removes one.
- Revoke all other devices — keeps your current browser trusted, removes every other.
Active sessions
On the Active sessions card, click Sign out all other sessions to log yourself out of every other browser and device. This browser stays signed in.
This is different from trusted browsers: trust controls 2FA-skip cookies; sessions control who's actually authenticated right now. Sign-out-others is the right tool when you want to boot someone who's currently signed in; revoke-trust is right when you want to force 2FA on the next sign-in.
Recent sign-ins
On the Recent sign-ins card, review the last 30 sign-in attempts on your account — successes and failures. Filter with the All / Successes / Failures buttons.
Each entry shows:
- Timestamp
- Outcome (success, wrong password, wrong 2FA, rate-limited)
- Method (password, magic link, MFA reset)
- IP address and user-agent
- Whether a trusted browser skipped the 2FA prompt, whether TOTP was used, whether a recovery code was consumed
This is the first place to look if you receive a sign-in notification you didn't trigger. The history is retained for 90 days.
What if I lose access?
- Lost password, still have authenticator: use Forgot password? on the sign-in page. We email a 6-digit code to your account email; you enter that plus a code from your authenticator (or a recovery code) and pick a new password.
- Lost authenticator, still have password: use Lost access to your authenticator? on the sign-in page. We email a 6-digit code to your security notifications email (that's why it's worth setting one up). You re-enroll a new authenticator after verifying.
- Lost both: reply to any security notification email you've received, or email the address on your invoice — we'll help you recover the account after verifying you.