# Account Security

Makenot.work supports two-factor authentication (2FA) to protect your account. You can use passkeys, a TOTP authenticator app, or both.

## Passkeys

Passkeys use WebAuthn to let you log in with a fingerprint, face scan, hardware key, or device PIN -- no password needed.

### Setting Up a Passkey

1. Go to Settings > Security
2. Click "Add Passkey"
3. Follow your browser/device prompt to create the credential
4. Give it a name (e.g., "MacBook Touch ID", "YubiKey")

You can register up to 20 passkeys per account.

### Logging In with a Passkey

On the login page, click "Use Passkey" instead of entering your password. Passkey login is inherently two-factor (possession of the device plus the biometric or PIN that unlocks the credential), so no TOTP code is required.

### Managing Passkeys

From Settings > Security you can:

- **List** all registered passkeys with their creation dates
- **Rename** a passkey for easier identification
- **Delete** a passkey (requires password confirmation)

If you lose access to all your passkeys, you can still log in with your password (plus TOTP if enabled).

## TOTP Authenticator App

TOTP adds a six-digit rotating code from an authenticator app as a second factor after your password.

### Setting Up TOTP

1. Go to Settings > Security
2. Click "Enable Authenticator App"
3. Scan the QR code with your authenticator app (or enter the secret manually)
4. Enter the six-digit code from your app to confirm setup
5. Save your backup codes immediately

Compatible apps include 1Password, Bitwarden, Authy, Google Authenticator, and any TOTP-compliant app (RFC 6238, SHA-1, 6 digits, 30-second interval).

### Logging In with TOTP

1. Enter your email and password as usual
2. When prompted, enter the current six-digit code from your authenticator app

If you registered a passkey, passkey login bypasses the TOTP step entirely.

### Disabling TOTP

Go to Settings > Security and click "Disable Authenticator App." You will need to confirm your password.
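The parameters above (RFC 6238, HMAC-SHA1, 6 digits, 30-second step) fully determine what the authenticator app computes. The following is an added example, not Makenot.work's code: a minimal TOTP generator and verifier with a one-step drift window, a decoder for the "enter the secret manually" base32 string, and the `otpauth://` key URI that a setup QR code conventionally encodes. The issuer label `Makenot.work` in the URI and the account name are assumptions; the standard library is the only dependency.

```python
"""Added example (not Makenot.work's code): RFC 6238 TOTP with the page's parameters."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP_SECONDS = 30   # 30-second interval from the page
DIGITS = 6          # six-digit codes from the page


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30)."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and up to `window` steps either side to absorb clock drift.

    Malformed input is rejected before any HMAC is computed, and the comparison is
    constant-time. A production verifier should additionally remember the last
    accepted counter and refuse to accept it twice (replay within one step).
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


def decode_manual_secret(text: str) -> bytes:
    """The manual-entry secret is base32; tolerate spaces, lowercase and missing padding."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def provisioning_uri(account: str, secret: bytes, issuer: str = "Makenot.work") -> str:
    """otpauth:// key URI of the kind a setup QR code encodes (issuer label is assumed)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"), not a real account secret.
    demo_secret = b"12345678901234567890"
    print(totp(demo_secret, 59))                       # 287082 (RFC 6238 test vector)
    print(verify_totp(demo_secret, "287082", 89))      # True: one step of drift tolerated
    print(provisioning_uri("user@example.com", demo_secret))
```

The RFC 6238 test vectors make the implementation checkable without a phone: with the reference secret, time 59 must yield `287082` (the last six digits of the RFC's eight-digit `94287082`). The drift window is the one knob worth thinking about: a window of 1 step accepts a code for roughly 90 seconds, which is why single-use enforcement per counter belongs next to it.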
## Backup Codes

When you enable TOTP, you receive 10 single-use backup codes (8 characters each) usable in place of a TOTP code.

**Store backup codes securely.** If you lose access to your authenticator app and have no backup codes, recovery requires emailing info@makenot.work.

### Regenerating Backup Codes

Go to Settings > Security > "Regenerate Backup Codes." This invalidates all previous codes and generates a fresh set of 10. You must confirm your password.

## Login Notifications

If a new login occurs while you have other active sessions, you receive an email notification automatically.

## Password Policy

- Minimum 8 characters, maximum 128
- No character type requirements
- Checked against HaveIBeenPwned breach databases (k-anonymity; your password is never sent externally). Breached passwords trigger an advisory warning but are not blocked.

## Account Lockout

After 5 consecutive failed password attempts, your account is locked for 15 minutes. Passkey authentication is not affected by password lockout.

See [Password Reset](./password-reset.md) for recovery options.

## Recommendations

- Enable at least one 2FA method (passkeys are the strongest option)
- Register multiple passkeys on different devices so you are never locked out
- If using TOTP, save your backup codes in a password manager, or print them and keep the printout in a secure location
- Use a unique, strong password even if you primarily log in with passkeys

## See Also

- [Getting Started](./getting-started.md): Account creation and initial setup
- [Password Reset](./password-reset.md): Forgot password and lockout recovery
- [Profile](./profile.md): Editing your public profile
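The Backup Codes section states three properties: 10 codes of 8 characters, each usable once, and regeneration invalidating the whole previous set. The following is an added example, not Makenot.work's code, showing the server-side shape those properties imply: codes are generated from a CSPRNG, only a slow hash of each is stored (scrypt with modest cost, an assumed choice), redemption consumes the code, and reissuing replaces the set. The unambiguous alphabet (no `0`/`O`, `1`/`I`/`L`) is an assumption made so a printed code can be retyped reliably.

```python
"""Added example (not Makenot.work's code): issue, store and redeem single-use backup codes."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_COUNT = 10     # from the page
CODE_LENGTH = 8     # from the page
# Assumed alphabet: uppercase letters and digits minus look-alikes (0/O, 1/I/L).
ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ"


def generate_backup_codes(count: int = CODE_COUNT, length: int = CODE_LENGTH) -> list[str]:
    """Codes come from `secrets`, never from `random`."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def normalize(code: str) -> str:
    """Users retype printed codes; accept lowercase and cosmetic separators."""
    return code.replace("-", "").replace(" ", "").upper()


def hash_code(code: str, salt: bytes) -> bytes:
    # An 8-character code has far less entropy than a password, so a slow KDF is
    # worth it if the stored hashes ever leak. Assumed parameters; tune for the server.
    return hashlib.scrypt(code.encode(), salt=salt, n=2 ** 12, r=8, p=1, dklen=32)


@dataclass
class BackupCodeStore:
    """Per-account state: one salt for the current set and the hashes still unused."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    unused: list[bytes] = field(default_factory=list)

    def issue(self) -> list[str]:
        """Generate a fresh set. Replacing the salt and the list invalidates every old
        code, which is what 'Regenerate Backup Codes' promises."""
        codes = generate_backup_codes()
        self.salt = secrets.token_bytes(16)
        self.unused = [hash_code(c, self.salt) for c in codes]
        return codes  # shown to the user once; only hashes are kept

    def redeem(self, submitted: str) -> bool:
        """Consume a code. Returns True at most once per code."""
        submitted = normalize(submitted)
        if len(submitted) != CODE_LENGTH:
            return False
        candidate = hash_code(submitted, self.salt)
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(candidate, stored):
                del self.unused[i]   # single use
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.issue()
    print(codes)
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())  # True False 9
```

Because the codes are low-entropy compared with a password, the same lockout and rate limiting applied to password attempts should also apply to backup-code attempts; the store above deliberately does not accept anything other than an exact, still-unused code.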
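The Password Policy section says the breach check uses k-anonymity and never sends the password externally. In the Pwned Passwords range protocol that means only the first five hex characters of the password's SHA-1 hash leave the client; the service returns every suffix it knows under that prefix, and the match is made locally. The following is an added example, not Makenot.work's code, that implements that client-side logic against a constructed stand-in for the service (no network call is made), and then applies the page's length rules and advisory-only breach handling. The counts in the stand-in are made up; only the first suffix is real, being the remainder of SHA-1("password").

```python
"""Added example (not Makenot.work's code): k-anonymity breach check plus the page's length rules."""
import hashlib

MIN_LENGTH, MAX_LENGTH = 8, 128   # from the page

# Constructed stand-in for the Pwned Passwords range service
# (the real endpoint is GET https://api.pwnedpasswords.com/range/<5-hex-prefix>).
# First suffix completes SHA-1("password"); the other suffixes and all counts are made up.
FAKE_RANGE_SERVER = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "A" * 35 + ":2",
        "F" * 35 + ":17",
    ]),
}


def lookup_range(prefix: str) -> str:
    """Simulates the network call; only the 5-character prefix ever reaches the server."""
    assert len(prefix) == 5, "exactly five hex characters are sent, never more"
    return FAKE_RANGE_SERVER.get(prefix, "")


def split_hash(password: str) -> tuple[str, str]:
    """Prefix (sent) and suffix (kept local) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; blank or malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, lookup=lookup_range) -> int:
    """How many times the password appears in the breach corpus (0 if unseen)."""
    prefix, suffix = split_hash(password)
    return parse_range_body(lookup(prefix)).get(suffix, 0)


def evaluate_password(password: str, lookup=lookup_range) -> dict:
    """Page policy: 8..128 characters enforced, no character-class rules,
    and a breach hit yields a warning but does not block."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"too short (minimum {MIN_LENGTH})")
    if len(password) > MAX_LENGTH:
        errors.append(f"too long (maximum {MAX_LENGTH})")
    result = {"accepted": not errors, "errors": errors, "breach_count": 0, "warning": None}
    if not errors:
        count = breach_count(password, lookup)
        result["breach_count"] = count
        if count:
            result["warning"] = (f"this password appears {count} times in known breaches; "
                                 f"choosing a different one is strongly advised")
    return result


if __name__ == "__main__":
    print(split_hash("password"))              # ('5BAA6', '1E4C9B93F3F0682250B6CF8331B7EE68FD8')
    print(evaluate_password("password"))       # accepted, with a warning
    print(evaluate_password("short"))          # rejected by length
```

Swapping `lookup_range` for a real HTTP fetch of the prefix is the only change needed to use it against the live service; the parser and the local suffix comparison stay the same, and the server still never learns more than a 20-bit prefix shared by every hash in that range.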
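The Account Lockout section carries two details that are easy to get wrong in an implementation: "consecutive" means a successful password login resets the counter, and the lock applies to password attempts only, so a passkey login (which the Passkeys section says needs no password) goes through while the lock is active. The following is an added example, not Makenot.work's code, of that state machine with the clock passed in so the 15-minute expiry can be exercised deterministically. The `method` strings and the result strings are assumptions.

```python
"""Added example (not Makenot.work's code): password lockout after 5 consecutive failures."""
from dataclasses import dataclass

MAX_FAILURES = 5             # from the page
LOCKOUT_SECONDS = 15 * 60    # from the page


@dataclass
class LockoutState:
    """Per-account lockout state; persists across login attempts."""
    consecutive_failures: int = 0
    locked_until: float = 0.0

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until


def attempt_login(state: LockoutState, method: str, credential_ok: bool, now: float) -> str:
    """Returns 'ok', 'bad_credential' or 'locked'.

    `method` is 'password' or 'passkey' (assumed names). Passkey attempts bypass the
    password lockout entirely, as the page states. `now` is a Unix timestamp.
    """
    if method == "passkey":
        return "ok" if credential_ok else "bad_credential"
    if state.is_locked(now):
        # A correct password is also refused while locked, so the response must not
        # reveal whether the password was right.
        return "locked"
    if credential_ok:
        state.consecutive_failures = 0   # a success breaks the 'consecutive' run
        return "ok"
    state.consecutive_failures += 1
    if state.consecutive_failures >= MAX_FAILURES:
        state.locked_until = now + LOCKOUT_SECONDS
        state.consecutive_failures = 0   # fresh count once the lock expires
    return "bad_credential"


if __name__ == "__main__":
    s = LockoutState()
    for i in range(MAX_FAILURES):
        print(attempt_login(s, "password", False, now=float(i)))
    print(attempt_login(s, "password", True, now=10.0))    # locked
    print(attempt_login(s, "passkey", True, now=10.0))     # ok
    print(attempt_login(s, "password", True, now=905.0))   # ok, lock expired
```

Returning the same `locked` result for a correct and an incorrect password during the lock is deliberate: otherwise the lockout window would confirm a guessed password. The lockout notification and the password-reset path the page links to are the legitimate route around the lock; the passkey path is the reason the Recommendations section suggests registering more than one.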