Security — password, MFA, and session management

Last updated: April 2026

Your account security lives under Settings → Security. Authentication is Clerk-backed, which means industry-standard password hashing, MFA, session management, and email-alert primitives are all wired in — you just flip them on.

Change your password

  1. Go to Settings → Security
  2. Click Change Password
  3. Enter your current password and a new one
  4. All other sessions are invalidated automatically

Enable MFA (recommended)

  1. Go to Settings → Security → Two-Factor Authentication
  2. Click Add Authenticator App
  3. Scan the QR code with Google Authenticator, 1Password, Authy, or any TOTP app
  4. Enter the 6-digit code to confirm
  5. Download and save your backup codes in a password manager

Supported MFA methods

  • TOTP authenticator apps (recommended — works offline)
  • Backup codes (one-time-use, for when you lose the authenticator)
  • SMS fallback (less secure; disable if possible)

Session management

Settings → Security → Active Sessions lists every device signed into your account, with its last-seen timestamp, location, and browser. You can sign out any single device, or use Sign Out All Devices to invalidate every session except the current one.

New-device alerts

You get an email every time your account signs in from a new device or IP. If you see one you don't recognize, sign out all devices and rotate your password immediately.

Forgotten password

Go to /forgot-password, enter your email, and click the link in the reset email. If you don't receive the email within 2 minutes, check spam or ping support.

WARNING

Require MFA for every Admin and Manager on your team. A single compromised admin account can exfiltrate your customer list, refund orders, or connect a rogue channel.
