Security
Harden your account with passkeys and MFA, audit every active session, and know the five ways back in if everything else fails.
Passkeys
Passkeys are the recommended way to sign in — phishing-resistant, nothing to remember, one tap with your device's biometrics or screen lock. From your security settings you can:
- Add a passkey on each device you sign in from. The platform also offers to enroll one after sign-in if you have none yet.
- Review your passkeys and remove any tied to a device you no longer own.
Keep at least two passkeys (for example, laptop and phone) so losing one device never locks you out.
Two-factor authentication
MFA adds a second factor on top of your password: a 6-digit code from an authenticator app. Once enabled, sign-ins prompt for the code, with the option to Trust this device for 30 days on machines you control. Sensitive account actions can also require a fresh second-factor check even mid-session — that is deliberate.
Active sessions
The sessions list shows every device currently signed in to your account. Review it periodically and whenever something feels off:
Open your sessions
In security settings, open the active sessions list. Each entry shows the device and session details.
Revoke what you do not recognize
Revoke any session you do not recognize or no longer use — a borrowed laptop, an old phone. Revoking signs that device out immediately. Revoking a session is a protected action and may ask you to re-verify before it completes.
If something looked wrong
After revoking an unknown session, rotate your credentials: change your password if you use one, and check that your passkeys and MFA are intact.
The five recovery methods
If you lose access, five independent recovery routes exist. Open "Can't sign in?" on the sign-in page to start.
Set up recovery before you need it
Generate recovery codes and add a second passkey now, while you have access. Every recovery method except concierge depends on something you prepared in advance.

