Two-factor authentication

Time-based one-time passcode (TOTP) support and recovery codes are on the roadmap. We'll email every account before turning it on so you can opt in cleanly.

In the meantime your account is protected by your password and session-refresh tokens. We invalidate every active session on password change — so a leaked password can be revoked instantly via account → security.