Security, Two-Factor Authentication and Account Recovery

We take account security very seriously. That's why we use a modern, secure login system that combines email-based authentication with optional Two-Factor Authentication (2FA). We strongly recommend enabling 2FA, and may enforce its use at a future date.

Why Email-Based Login?

Instead of using passwords - which are often forgotten, reused, or leaked/stolen - we use email login codes that must be manually entered to confirm your identity. This ensures:

  • No passwords to forget, reset, or steal
  • Every login is time-limited and device-specific
  • Reduced risk from phishing and credential reuse

What is Two-Factor Authentication?

Two-Factor Authentication (2FA) adds an extra layer of protection by asking for a 6-digit code from your authenticator app after you enter the one-time code sent to your email.

This 6-digit code is generated using a method called Time-Based One-Time Passwords (TOTP), and is usually accessed through apps like Google Authenticator, Microsoft Authenticator, or Authy (there are others; these are the most common in use). Even if someone compromises your email, they still won't be able to access critical parts of your account without this second factor.
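How a 6-digit TOTP code is derived and checked, as an added example that is not this service's own code. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step); the secret is the RFC's published test value, and the drift window and replay check are illustrative choices.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid (RFC 6238 default; an assumption here)
DIGITS = 6   # the page states a 6-digit code


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, int(at) // STEP)


def verify(secret: bytes, submitted: str, at: float,
           last_used: int = -1, window: int = 1):
    """Return the matched time-step counter, or None if the code is rejected.

    Tolerates +/- `window` steps of clock drift, compares in constant time,
    and refuses any step <= last_used so an observed code cannot be replayed.
    """
    current = int(at) // STEP
    matched = None
    for counter in range(current - window, current + window + 1):
        if counter < 0 or counter <= last_used:
            continue
        expected = hotp(secret, counter).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            matched = counter
    return matched


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    code = totp(secret, 59)
    print("code at t=59:", code)
    step = verify(secret, code, 59)
    print("accepted at step:", step)
    print("replay of same code:", verify(secret, code, 59, last_used=step, window=0))
```

A server that stores the returned step as `last_used` for the account rejects a second submission of the same code, even inside its validity period.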

Why Not Use 2FA Instead of Email?

While 2FA is excellent for identity verification, we still require a verified email address to support:

  • Delivery of one-time login codes
  • Account recovery if access to your authenticator app is lost
  • Security and support communications

How Authentication Works

We use secure authentication tokens for login and session management. These tokens are:

  • Issued only after successful identity verification
  • Time-limited and bound to your device
  • Stored securely and validated on every protected action

This means your sessions are protected without needing traditional passwords. All sensitive requests are verified using signed, short-lived tokens that cannot be reused or faked.

We never store plaintext credentials, and we use strong cryptographic standards to ensure your identity remains safe at all times.

What Are Recovery Codes?

If you lose access to your email or your 2FA device, recovery codes provide a secure fallback. You can generate (or regenerate) a set of 10 one-time-use recovery codes whenever you need them.

These codes should be stored somewhere safe and offline. We cannot see these codes; even our support team is unable to view the codes you generate.

Staying Safe

We recommend enabling 2FA under your Account Security settings. Always use a trusted authenticator app, and never share your 2FA codes.

We also recommend generating recovery codes under your Account Security settings. You can save them as a text file or print them yourself from your browser. Always store recovery codes securely.