Security & 2FA
This page is where you harden the credentials that your desktop, CLI, and bot integrations all build on. Enrollment is fast, and the protection carries over to every surface.
Password
Standard password management:
- Change — current password + new password.
- Complexity rules — minimum 12 characters, mixed case, digit, symbol.
- History — cannot reuse the last 5 passwords.
If you sign in exclusively via OAuth, set a password anyway — you need it for the recovery flow.
Two-factor authentication (2FA)
CMDOP supports TOTP via standard authenticator apps (1Password, Authy, Google Authenticator, etc.):
- Setup — scan the QR code, enter the 6-digit code to confirm.
- Backup codes — 10 single-use codes shown once on enrollment. Store them somewhere durable.
- Recovery without device — burn a backup code, then re-enroll.
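How the authenticator app and the server arrive at the same 6-digit code, and why a backup code works only once, shown as an added example (not CMDOP's code). It assumes the RFC 6238 defaults that standard authenticator apps use (HMAC-SHA1, 30-second steps); the one-step drift window, the replay check, hashed backup-code storage and all function names are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 test secret, base32-encoded as in a QR code.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, at: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 code for Unix time `at` (assumed defaults: SHA-1, 30 s)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, code, at, last_step=-1, window=1, step=30):
    """Return the matched time step, or None if the code is rejected.

    Tolerates +/- `window` steps of clock drift. Steps <= last_step are
    refused so an already accepted code cannot be replayed.
    """
    current = int(at) // step
    matched = None
    for candidate in range(max(0, current - window), current + window + 1):
        expected = totp(secret_b32, candidate * step, step=step)
        # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
        same = hmac.compare_digest(expected.encode(), code.encode())
        if same and candidate > last_step:
            matched = candidate
    return matched


def redeem_backup_code(stored_hashes: set, code: str) -> bool:
    """Single use: the stored hash is deleted on the first successful match."""
    digest = hashlib.sha256(code.strip().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.remove(digest)
        return True
    return False
```

The caller is expected to persist the returned time step as the new `last_step` for that account, which is what makes each accepted code one-time.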
Active sessions
Browser sessions and desktop sign-ins both appear here:
- Device — desktop, browser, or mobile.
- Location — approximate, derived from IP geo-lookup.
- Last activity — timestamp.
- Sign out — single session or “all other sessions”.
Signing out a session invalidates that surface’s token immediately.
Login history
Last N successful and failed logins, including:
- Source IP.
- User agent.
- Whether 2FA was challenged.
Spotting an unfamiliar entry? Sign out all other sessions and rotate your password.
Trusted devices
The “remember this device” checkbox on sign-in skips 2FA for 30 days on that browser. Revoke trusted devices any time from this list.
Hardware keys (WebAuthn)
Available on team plans:
- Add a security key (YubiKey, Solo, Titan).
- Use as your second factor instead of TOTP.
- Remove any key; at least one factor must remain.
Workspace-enforced 2FA
If a workspace policy requires 2FA and you do not have it enabled, you keep access to personal areas (this page) but lose access to the workspace until you enroll.
Where this data lives
Backed by the Django profiles app (auth, sessions); rendered by apps/my/.../private/profile/.
Related
- Profile
- API tokens — programmatic access alternatives.
- OAuth apps — sign-in providers.
- Workspace settings — workspace-level 2FA policy.