Security and 2FA
The security settings help you protect and audit access to your account. They live under Settings, in the Security section, split into three tabs: two-factor authentication, sessions, and activity.
Quick overview
- Turn on two-factor authentication and save your backup codes.
- Review the sessions tab and sign out any device you do not recognize.
- Check the activity tab for anything unexpected, filtered by action type.
Changing your password lives one section over, under Account, and is covered below because it is part of keeping the account safe.
Two-factor authentication
Two-factor authentication (2FA) requires a 6-digit code from an authenticator app in addition to your password at sign-in. A badge on the tab shows whether it is currently on or off.
Turning it on
| Step | Detail |
|---|---|
| 1. Confirm password | Re-enter your current password to start. A wrong password stops here with an error; nothing is enabled yet. |
| 2. Add the app | A manual setup key is shown for you to add to any authenticator app that supports TOTP codes (Google Authenticator, 1Password, and similar). There is no QR code, entry is by typing or pasting the key. |
| 3. Save backup codes | A set of one-time backup codes appears alongside the setup key. Store them somewhere safe: each one signs you in exactly once if you lose access to your authenticator app. |
| 4. Verify | Enter the 6-digit code your app generates, then press Verify and enable. The button stays disabled until all 6 digits are entered. |
Once verified, 2FA is active immediately, and every sign-in from then on asks for a code after your password, on its own step once your password is accepted.
Managing it afterward
| Action | Requires | Detail |
|---|---|---|
| Regenerate backup codes | Your password only, no 2FA code | Issues a fresh set of codes and immediately invalidates the old ones. Do this if you have used most of your codes or think they leaked. The new codes are shown once, in their own step, after you enter your password. |
| Disable | Your password | Turns 2FA off; future sign-ins go back to password only. The button is styled as a destructive action. |
A rejected code is usually a clock problem
TOTP codes are time-based. If verification keeps failing with a code you are sure is current, check that your phone or authenticator app's clock is accurate; a drift of more than about 30 to 60 seconds is enough to make otherwise-correct codes fail.
Backup codes appear before 2FA finishes turning on
During setup, your backup codes are generated and shown together with the setup key, before you enter a verifying code. If you close the dialog at that point without verifying, 2FA is not actually enabled yet, so treat those codes as provisional until you complete step 4.
If you forget your password entirely rather than losing your 2FA device, use Forgot password on the sign-in screen instead; see Sign up and sign in.
Sessions
Every device currently signed in to your account, one row per session.
| Column | What it shows |
|---|---|
| Device | Browser and operating system, parsed from the session's own user agent string (for example "Chrome, Windows"). An unrecognized combination falls back to a generic label rather than showing nothing. Your current session carries a "this device" tag. |
| IP | The IP address the session was created from, or a dash if none was recorded. |
| Action | A Sign out link on every row except the one you are using right now. |
The search box filters by device label or IP as you type. Once you have more than one active session, a Sign out of other devices button appears above the table and revokes every session except your current one in one action; it is hidden entirely if you only have one session.
A session is a signed-in browser, not a device
Two browsers on the same computer, or a browser and its private window, count as two separate sessions here. Each needs its own sign-out.
Unlike the activity log below, session rows are not sortable, only searchable; with typically only a handful of active sessions, that trade-off keeps the row simple. While your sessions are loading, placeholder rows show instead of an empty table, then either your real sessions or an empty state appear.
Activity log
A searchable, filterable audit trail of events on your account, loaded 50 rows at a time.
| Event | Notes |
|---|---|
| Sign-in | Shown with the device and location it came from, right below the entry |
| Design deleted, restored, or permanently deleted | One entry per action, from anywhere in your workspace |
| Media (asset) restored, or permanently deleted | One entry per action |
| Control | Behavior |
|---|---|
| Filter | A dropdown scoped to all actions, sign-ins, design deletion, design restoration, or media restoration. Permanent-deletion events are not a filter option on their own, but still show up in the unfiltered list and match search. |
| Search | Matches the action, device, and IP of the rows already loaded, not the full history at once. |
| Time | A relative timestamp (such as "5 minutes ago" or "yesterday"); click the column header to sort oldest or newest first. |
| Load more | Fetches the next 50 rows; the button disappears once nothing more is left to load. |
Each row also carries a small type badge (the first part of the action, such as "auth", "design", or "asset") so you can scan categories at a glance. An empty state explains that sign-ins and account actions will show up here once there are any.
How to use it
Turn on two-factor authentication and save your backup codes
- Open Settings and choose Security, then the Two-factor authentication tab. The badge on the panel reads "Off" while it is disabled.
- Press Enable. In the dialog, type your current password and press Continue.
- The next step shows a setup key and your backup codes together. In your authenticator app, add a new account by pasting the setup key (there is no QR code to scan).
- Copy the backup codes somewhere safe before going further. Each code works once and is your way back in if you lose your phone.
- Type the 6-digit code your app is now showing into the boxes, then press Verify and enable. The badge flips to "On" and 2FA is live from your next sign-in.
Spot a session you do not recognize and sign it out
- Open Settings, then Security, then the Sessions tab.
- Scan the Device and IP columns. Your own browser is tagged "this device" and has no Sign out link.
- If a row looks unfamiliar (a browser or location you never use), press its Sign out link. That session is revoked immediately and drops off the list.
- If more than one session looks wrong, or you just want a clean slate, press Sign out of other devices above the table to revoke everything except the browser you are in.
- As a follow-up, change your password (below) so the intruder's credentials stop working, and turn on 2FA if it is not already on.
Change your password so it also signs you out everywhere else
- Open Settings and choose Account (not Security), then press Change password.
- Enter your current password and a new one of at least 8 characters, then confirm.
- On success every other session is revoked automatically, so any device that had you signed in is logged out. A wrong current password is reported and nothing changes.
Narrow the activity log to just sign-ins
- Open Settings, then Security, then the Activity tab.
- Use the filter dropdown at the top and choose Sign-ins. Each sign-in row shows the device and IP it came from underneath.
- Sort by clicking the Time column header to flip between newest-first and oldest-first, and press Load more to pull older rows in batches of 50.
Common tasks
- Refresh your backup codes: Security, Two-factor authentication tab, Regenerate backup codes, enter your password. The old set stops working the moment the new one appears.
- Sign out one device only: Security, Sessions tab, the Sign out link on that row.
- Sign out every other device at once: Security, Sessions tab, Sign out of other devices.
- Turn 2FA off: Security, Two-factor authentication tab, Disable, enter your password.
Troubleshooting
| Problem | What is happening and what to do |
|---|---|
| The 6-digit code is rejected during setup or sign-in | Almost always a clock drift on the phone. Enable automatic time on the device, wait for the next code, and try again. |
| You lost your backup codes but still have your authenticator app | Sign in as usual, then in Security regenerate a fresh set. Old codes stop working, so store the new ones. |
| You lost both the app and the codes | Backup codes are the only self-serve fallback for a lost device. Without either, use Forgot password to regain the account, then re-set 2FA. |
| There is no Sign out link on one row | That row is your current browser, tagged "this device". You cannot revoke the session you are actively using; sign out normally instead. |
| "Sign out of other devices" is missing | It only appears when you have more than one active session. With a single session there is nothing else to revoke. |
| Regenerating backup codes asks for a password, not a 2FA code | That is expected. Regenerating and disabling both verify with your password, while enabling verifies with a code from the app. |
Turn on two-factor authentication
Two-factor authentication is the single biggest thing you can do to protect your account, and it only takes a minute to set up.