Account security

Essential · Estimated read: 8 min · Updated 2026-06-02

Essential · Any user

The Security tab in the Account Hub is where you manage your password, your multi-factor methods (authenticator apps, hardware keys, passkeys, recovery codes), and your active sessions. The same surface lets you turn on sign-in alerts and sign out everywhere if you suspect anything's wrong. Every change here is recorded in your personal audit feed, so you and your workspace's admins always have a clean record of who did what to your account.

TL;DR — Open the avatar menu → Account → Security. From here: change your password, add a passkey or hardware key, view active sessions, generate recovery codes, sign out everywhere. Last-factor protection makes it hard to lock yourself out accidentally.

Change your password

If your workspace allows password sign-in, you can rotate at any time. Some workspaces are SSO-only and the password section is hidden.

  1. Open Account → Security → Password

    The card shows the date of your last password change.

  2. Click "Change password"

    A drawer asks for your current password and the new one.

  3. Enter the current password

    Required even if you signed in recently; the form is a guard against drive-by changes from an open tab.

  4. Enter the new password twice

    The form shows the workspace's password policy and validates in real time.

  5. Sign-out-everywhere prompt

    After save, the form asks whether to invalidate every other active session. Confirm if you're rotating because of suspected compromise.

Multi-factor methods

Every workspace can have its own MFA policy (see Multi-factor authentication policy). Within those constraints, you manage the actual devices and codes here.

Authenticator apps (TOTP)

  1. Click "Add authenticator app"

    A drawer shows a QR code and the seed string.

  2. Scan with your authenticator

    1Password, Authy, Microsoft Authenticator, Google Authenticator, Bitwarden — any TOTP-compliant app works.

  3. Enter the 6-digit code

    Confirms the seed is registered correctly.

  4. Optional: label the device

    Auto-named from the UA hint ("iPhone 15", "1Password — Mac"). Override if you have multiple devices and want clearer names.

Passkeys & hardware keys

  1. Click "Add passkey or hardware key"

    The browser surfaces the native authenticator picker.

  2. Pick the authenticator

    Face ID, Touch ID, Windows Hello, the device PIN, a YubiKey, a Titan key, your password manager's passkey vault — anything the browser knows about and your workspace's attestation policy allows.

  3. Complete the local verification

    Biometric / PIN / tap. The passkey is registered and labeled from its AAGUID family.

Recovery codes

A batch of single-use codes you can redeem instead of a factor if you lose every other one. Treat them like cash.

  1. Click "Generate recovery codes"

    A drawer reveals the 10 codes once.

  2. Save the codes in a password manager

    Once you close the drawer, the codes are not retrievable.

  3. Each code is single-use

    When you redeem one, the row is marked spent. Regenerate the batch after using one.
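One way a service can make codes "shown once" and "single-use" as described above, as an added example that is not AxisSynapse's implementation: only digests are stored, so the plaintext cannot be displayed again, and each row carries a spent flag. The class name, the code format and the use of `MFA_RECOVERY_CODES_EXHAUSTED` as a return value are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

BATCH_SIZE = 10  # batch size stated on this page


class RecoveryCodes:
    """Hypothetical server-side store: keeps digests, never the codes."""

    def __init__(self):
        self._rows = []  # each row: {"digest": bytes, "spent": bool}

    @staticmethod
    def _digest(code):
        # Normalise dashes and case so typing style does not matter.
        # Codes carry 80 random bits here; a deployment may prefer a
        # keyed or salted hash over plain SHA-256.
        return hashlib.sha256(code.replace("-", "").lower().encode()).digest()

    def generate(self):
        """Replace the whole batch and return the plaintext exactly once."""
        codes = []
        for _ in range(BATCH_SIZE):
            raw = secrets.token_hex(10)  # 20 hex characters (assumed format)
            codes.append("-".join(raw[i:i + 5] for i in range(0, 20, 5)))
        # Regenerating discards every old row, so old codes stop working.
        self._rows = [{"digest": self._digest(c), "spent": False} for c in codes]
        return codes

    def redeem(self, code):
        """Return 'ok', 'invalid', or the exhausted error code."""
        if self._rows and all(r["spent"] for r in self._rows):
            return "MFA_RECOVERY_CODES_EXHAUSTED"
        candidate = self._digest(code)
        for row in self._rows:
            if hmac.compare_digest(row["digest"], candidate):
                if row["spent"]:
                    return "invalid"  # replay of an already redeemed code
                row["spent"] = True
                return "ok"
        return "invalid"

    def remaining(self):
        """Number of codes in the current batch that are still unspent."""
        return sum(not r["spent"] for r in self._rows)
```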

Last-factor protection

AxisSynapse refuses to remove your last factor if your workspace requires MFA. The form names the policy and disables the remove button — you have to enroll a replacement first. The same guard applies to recovery codes; you can't disable MFA entirely if it's your only factor remaining.

Active sessions

Every signed-in device on your account is listed with the chrome detail (browser, OS), last-seen timestamp, and IP-derived country. Sessions heartbeat every few minutes.

  1. Click "Sessions"

    A list of every active session for your account.

  2. Revoke a specific session

    Click Revoke on any row. That device is signed out immediately and asked to sign in again.

  3. Click "Sign out everywhere"

    Revokes every session except the one you're in right now. Use after a lost device or any suspicious activity.

Sign-in alerts

Turn on to receive an email or push whenever a new device or country signs in to your account.

| Field | What it does | Accepted values / default |
|---|---|---|
| New device | Alert when a device signs in that hasn't been seen on your account before. | On by default. |
| New country | Alert when a sign-in succeeds from a country your account hasn't been seen in before. | On by default. |
| Failed sign-in | Alert when a sign-in attempt with your email fails. | Off by default. Turn on if you suspect a brute-force is targeting you. |

Every field, explained

| Field | What it does | Accepted values / default |
|---|---|---|
| Current password | Guard for password change. | Required even after recent sign-in. |
| New password | Your new password. | Must meet workspace policy. Form validates live. |
| Authenticator label | Display name for an enrolled TOTP / passkey / hardware key. | Up to 60 characters. Auto-named from UA hint or AAGUID family. |
| Sign-out everywhere (post-change) | Whether the password change invalidates other sessions. | Recommended on suspected compromise; opt-in otherwise. |
| Recovery code batch | A set of 10 single-use codes. | Shown ONCE. Save immediately; regenerate after redeeming one. |
| Session row | One row per active session. | Browser + OS + IP country + last heartbeat. |
| Sign-in alerts | Toggles for new-device / new-country / failed-sign-in alerts. | New device + new country on by default; failed-sign-in opt-in. |

What appears in the audit log

  • TOTP / hardware-key enrollment, verification, rename, revoke.
  • The revoke-blocked codes fire when last-factor protection refuses an action.
  • Recovery code generation + redemption.
  • Passkey enrollment + revoke.
  • Per-session revoke + sign-out-everywhere.
  • Sign-in alert preference toggles.

Common gotchas

  • "My authenticator app shows a wrong code." TOTP is time-bound; re-sync the device's clock against network time in the app's settings. The 6-digit window is 30 seconds — drift > 5s starts failing.
  • "I revoked my only passkey and can't sign in." Last-factor protection should have stopped you. If it didn't (e.g. you revoked from a different platform path), use a recovery code to sign in, then enroll a new factor.
  • "Recovery codes ran out and I lost my device." Contact your workspace admin. Admin-assisted recovery is gated by 4-eyes and step-up.
  • "A device shows up in sessions but I'm sure I didn't sign in from there." Revoke it immediately, change your password, and generate a fresh recovery code batch. Then review the audit feed for sign-in lines.
  • "Sign-out everywhere kept my current session." That's by design — the platform doesn't lock you out mid-action.
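The time-window behaviour behind the "wrong code" gotcha above, as an added example that is not AxisSynapse code: a minimal RFC 6238 generator and verifier using the 6-digit, 30-second parameters this page states. HMAC-SHA-1, the `window` tolerance parameter and the sample seed (the RFC 6238 test key) are assumptions; the page does not say what tolerance the platform applies.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated on this page
DIGITS = 6   # code length, as stated on this page
# Constructed sample seed: the RFC 6238 test key, base32-encoded the way
# an enrollment drawer typically displays it. Not a real secret.
SEED = base64.b32encode(b"12345678901234567890").decode()


def hotp(key, counter):
    """RFC 4226 HOTP with HMAC-SHA-1 (assumed algorithm)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(seed_b32, unix_time):
    """Code an authenticator shows when its own clock reads unix_time."""
    return hotp(base64.b32decode(seed_b32.upper()), unix_time // STEP)


def verify(seed_b32, code, server_time, window=0):
    """Accept codes from the server's current step +/- `window` steps."""
    key = base64.b32decode(seed_b32.upper())
    now = server_time // STEP
    ok = False
    for step in range(max(0, now - window), now + window + 1):
        # compare_digest avoids leaking how many digits matched
        ok |= hmac.compare_digest(hotp(key, step), code)
    return ok


def failure_fraction(drift_seconds):
    """Share of one 30 s step in which a drifted device fails a strict check."""
    # Server clock sweeps the step 30..59; the device reads t + drift.
    fails = sum(
        not verify(SEED, totp(SEED, t + drift_seconds), t)
        for t in range(STEP, 2 * STEP)
    )
    return fails / STEP
```

With a strict verifier a device running 5 seconds fast is rejected only when the code is read in the last 5 seconds of a step, which is why drift tends to show up as intermittent failures rather than constant ones.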

Troubleshooting

| Error code | What it means | Fix |
|---|---|---|
| MFA_LAST_FACTOR_GUARD | Refusing to remove your last factor. | Enroll a replacement first. |
| MFA_RECOVERY_CODES_EXHAUSTED | All 10 codes spent. | Generate a new batch. |
| WEBAUTHN_ATTESTATION_DENIED | Workspace policy refuses your authenticator family. | Use a different authenticator (see /platform/passkeys-and-webauthn). |
| SESSION_NOT_FOUND | The session was revoked between selection and click. | Refresh the sessions list. |
| PASSWORD_POLICY_FAILED | The new password doesn't meet workspace policy. | Inspect the policy strip; the form names which rule failed. |

Related