Account Security & 2FA
Protect your account with two-factor authentication and security best practices.
Two-factor authentication (2FA)
2FA adds an extra layer of protection. Even if someone obtains your password, they cannot access your account without the second factor.
Enable 2FA
- Go to Account Settings → Security
- Click Enable Two-Factor Authentication
- Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password, etc.)
- Enter the 6-digit code to verify
- Save your recovery codes in a secure location
Important: Store your recovery codes securely. If you lose access to your authenticator app and your recovery codes, you will lose access to your account.
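How the 6-digit code is checked, shown as an added example that is not HelmRelay's code. It assumes the standard TOTP algorithm (RFC 6238 with HMAC-SHA-1 and a 30-second step) that the listed authenticator apps implement; `SAMPLE_SECRET`, `totp` and `verify` are illustrative names, and the secret is the RFC's published test key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the published RFC 6238 test key, base32-encoded as a QR code would carry it.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at, step=30, digits=6):
    """Code for the time step containing `at` (RFC 6238 over RFC 4226 truncation)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, at=None, window=1, last_used_step=None, step=30):
    """Return the matched time step, or None if the code is wrong, stale or replayed."""
    current = int(time.time() if at is None else at) // step
    matched = None
    # Accept +/- `window` steps to tolerate clock drift between phone and server.
    for s in range(max(0, current - window), current + window + 1):
        candidate = totp(secret_b32, s * step, step)
        # Constant-time comparison: no timing signal about partially correct codes.
        if hmac.compare_digest(candidate.encode(), str(code).encode()):
            matched = s
    # A code is single-use: refuse any step at or before the last accepted one.
    if matched is None or (last_used_step is not None and matched <= last_used_step):
        return None
    return matched


if __name__ == "__main__":
    t = 59  # RFC 6238 test time
    print(totp(SAMPLE_SECRET, t))
    print(verify(SAMPLE_SECRET, "287082", at=t))
    print(verify(SAMPLE_SECRET, "287082", at=t, last_used_step=1))
```

The code is derived from a secret held only by the authenticator app and the server, so losing the app means losing the ability to produce codes, which is what the recovery codes are for.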
Disable 2FA
- Go to Account Settings → Security
- Click Disable 2FA
- Confirm with your current authenticator code
Password management
Change password
- Go to Account Settings → Security
- Click Change Password
- Enter your current password
- Enter and confirm your new password
Password requirements
- Minimum 12 characters
- At least one uppercase letter, one lowercase letter, and one number
- Cannot be a commonly breached password
Active sessions
Review all devices and browsers currently signed in to your account at Account Settings → Security → Active Sessions.
You can revoke any session individually or click Sign out all other sessions to revoke everything except your current session.
API tokens
If you use the HelmRelay API, generate tokens at Account Settings → API Tokens.
- Give each token a descriptive name
- Set an expiration date
- Use the minimum required permissions
- Rotate tokens regularly
Security best practices
- Enable 2FA on your account
- Use a unique, strong password (password manager recommended)
- Review active sessions periodically
- Rotate API tokens at least every 90 days
- Use role-based access — give team members only the permissions they need