Account security
Updated on July 8, 2026
Your account holds your company's time entries and employment data, so it deserves more than just a password. Everything in this guide is done from your profile menu: Security and 2-step verification, Active sessions and Change password.
Two-step verification
With two-step verification, after entering your password we'll ask you for a one-time code. You can choose between two methods:
- Authenticator app (TOTP): 6-digit codes that change every 30 seconds, generated by Google Authenticator, Authy, 1Password or any compatible app. This is the recommended method: it works without signal or email.
- Email code: on every sign-in we send a 6-digit code to your inbox, valid for 10 minutes.
Enabling the authenticator app method
- Go to Security and 2-step verification from your profile.
- Choose the authenticator app option. You'll see a QR code and, if you can't scan it, the secret key to enter by hand.
- Scan the QR with your app and type in the 6-digit code it shows to confirm activation.
- Save the recovery codes displayed next.
Until you confirm the code, verification stays pending and your sign-in keeps working with just your password. If you change your mind at that point, you can simply cancel it.
Enabling the email method
It's a single click on the same screen: no prior confirmation is required, and you also receive your recovery codes when enabling it.
Recovery codes
When you enable either method, 10 recovery codes in xxxx-xxxx format
are generated. Each one is good for a single sign-in if you lose your
phone or access to your email: on the code screen, use the recovery code
option.
The codes are shown only once, at the moment they're generated; they're stored encrypted and can't be viewed again. Write them down in a password manager or print them. If you lose them, you can regenerate them from the same screen (the old ones stop working).
Disabling verification
From the same screen, by entering your current password. Disabling it also deletes the secret and the recovery codes.
Active sessions and remote sign-out
Active sessions shows every session open with your account, sorted by last activity, with the current session highlighted. From there you can:
- Sign out of a specific session (any except the one you're using): handy if you left your account open on a shared computer.
- Sign out of all other sessions at once, confirming with your current password. The session you do it from stays alive.
Sessions that expire due to inactivity disappear from the list on their own.
Changing your password
- Go to Change password from your profile.
- Enter your current password and the new one twice. The new one must be at least 8 characters long and different from the current one.
- On save, for security all your other sessions are signed out (the current one stays) and you receive a notification email in your language.
The change is recorded in your company's audit history. If you receive the notification email without having changed the password yourself, reset it immediately and check your Active sessions.
If you can't remember your password, use the recovery link on the sign-in screen: we'll send you an email to reset it.
Automatic access protections
On top of what you configure, the platform applies these defences out of the box:
| Protection | How it works |
|---|---|
| Login attempt limit | A maximum of 5 attempts per minute per email-and-IP combination; an attacker can't lock you out from another IP, and an office with a shared IP won't use up everyone's quota. |
| 2-step code limit | After 5 failed codes, you have to wait before retrying. |
| Public form limit | Sign-up and password recovery allow 10 submissions per minute per IP. |
| Captcha | Invisible reCAPTCHA v3 on login, sign-up and password recovery; only if the score is low does the v2 verification checkbox appear. |
Next steps
- If you've just created your account, review the getting started guide.
- Administrators manage team onboarding and offboarding in Employees.
Can't find what you're looking for?
Message us on the support chat and we'll help you directly.