Password and two-factor auth

Change your password, enable TOTP-based 2FA, save your recovery codes.

Two security knobs on your account: your password, and optional two-factor authentication.

Changing your password

Profile → Update Password. Three fields:

  • Current password — proves it's you.
  • New password — minimum 8 characters. No special-character rule; a long passphrase is better than P@$$w0rd1!.
  • Confirm new password — same as the new password.

Click Save. Sessions already signed in to this account stay signed in; the new password is required from your next sign-in onward.

Two-factor authentication

Profile → Two factor authentication → Enable. Three steps:

  1. Scan the QR code with any TOTP app: Google Authenticator, 1Password, Authy, Bitwarden, Yubikey OTP — they all work.
  2. Enter a 6-digit code from the app to confirm the setup.
  3. Save the 8 recovery codes that appear. Each is single-use; print them or save them in a password manager. They're the only way to recover access if you lose the authenticator.

Once enabled, every sign-in asks for your TOTP code after your password. Existing sessions are not invalidated; only new sign-ins are challenged.
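For readers who want to see what steps 2 and 3 mean server-side, here is an added example (not this product's code) of the standard TOTP check behind "enter a 6-digit code to confirm" and of single-use recovery codes stored as hashes. The base32 secret is the RFC 4226/6238 test key, used as constructed input; the 30-second step, 6 digits and ±1-step drift window are assumptions, not documented settings of this service.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 4226/6238 reference key "12345678901234567890", base32-encoded the way a
# secret is embedded in the otpauth:// URI behind the enrolment QR code (constructed input).
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from 30-second time steps."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check of the 6-digit code typed to confirm setup or to sign in.

    Accepts the current step plus `window` steps either side to absorb clock drift
    between phone and server; compares in constant time.
    """
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), submitted)
        for d in range(-window, window + 1)
    )


def new_recovery_codes(n: int = 8) -> tuple[list[str], set[str]]:
    """Generate single-use recovery codes: (plaintext shown once, hashes kept at rest)."""
    codes = [secrets.token_hex(5) for _ in range(n)]  # 10 hex chars each
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def consume_recovery_code(stored_hashes: set[str], submitted: str) -> bool:
    """Accept a recovery code once: its hash is removed so the code cannot be replayed."""
    h = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if h in stored_hashes:
        stored_hashes.remove(h)
        return True
    return False
```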

Losing your authenticator

Use one of your recovery codes at the 2FA prompt. The code is consumed; regenerate new codes after signing in.

If you've also lost the recovery codes (e.g. lost the phone with the password manager that had everything), contact support with proof of identity — we can disable 2FA after we verify you. There's no self-service "reset 2FA" option, deliberately.

Disabling 2FA

Profile → Two factor authentication → Disable. Confirm with your password. 2FA is off; you can re-enable later with a new QR code (different secret, new recovery codes).

When to enable

Always, on any account that has Owner or Admin role in a workspace. The cost is one extra step at sign-in; the benefit is that a phished password isn't enough to take over your account.

Agent-only accounts can skip 2FA if the additional friction matters to your team — but we'd still nudge it on.