Two-factor authentication (2FA, sometimes called MFA) means signing in needs your password plus a code from your phone. A leaked password alone won’t let anyone reach your project files, billing, or messages.
Who needs it. Staff (anyone on our admin tools) is required to enroll — the dashboard refuses to load otherwise. For customer accounts, enrolling is strongly recommended but not required; we surface the prompt on your Account page.
How to enroll.
- Open your Account page in the dashboard, or visit our hosted account profile directly.
- Pick Security, then Add two-factor authentication.
- Use any authenticator app — 1Password, Authy, Google Authenticator, Microsoft Authenticator. Scan the QR code; the app starts generating six-digit codes.
- Type the current code back into the dialog to confirm.
- Generate backup codes and save them somewhere recoverable (a password manager, a printed copy in your safe).
That’s it. At your next sign-in, after your password, the dashboard asks for the current code.
If you lose your phone. This is what the backup codes are for. Sign in with your password, then enter one of the backup codes when prompted. Each code works once — generate fresh ones from the Security page after you recover your phone.
If you’ve lost both your phone and your backup codes, message support — we’ll verify your identity through your billing details and reset your second factor by hand. Allow a business day; we won’t rush a reset because the whole point of the second factor is making impersonation hard.
Why we recommend it so strongly. Most account takeovers start with a leaked password from somewhere else (an old data breach, a phishing site that looked legit). The second factor stops the attacker even if they have your password. Setup takes about a minute. Recovery is straightforward as long as you keep the backup codes.