Account Security Guide
Protect your account with two-factor authentication, recovery codes, and security best practices
Overview
Two-factor authentication (2FA) adds a second layer of protection to your Workunit account. Even if someone obtains your password, they cannot access your account without the verification code from your authenticator app.
How It Works
Workunit uses TOTP (Time-based One-Time Password) — the same standard used by Google, GitHub, and other major platforms. Any authenticator app that supports TOTP will work: Google Authenticator, Authy, 1Password, Bitwarden, etc.
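The check a TOTP server performs, as an added example that is not Workunit's own code. It follows RFC 6238 with the standard's default HMAC-SHA1 and 30-second step; the one-step drift window, the replay guard, and the names `totp`, `verify` and `RFC_SECRET` are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (RFC 6238 default; assumed, not stated on this page)
DIGITS = 6   # this guide refers to a 6-digit code
# Constructed sample: the shared secret used by the RFC 6238 / RFC 4226 test vectors.
RFC_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, code, unix_time, last_counter=-1, window=1):
    """Return the time-step counter the code matched, or None if rejected.

    window=1 tolerates one step of clock drift in either direction (assumed).
    Steps at or before last_counter are refused, so a code that was already
    accepted cannot be replayed within its validity period.
    """
    current = int(unix_time) // STEP
    matched = None
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        expected = totp(secret, counter * STEP)
        # Constant-time comparison, and no early exit from the loop.
        if hmac.compare_digest(expected.encode(), str(code).encode()):
            matched = counter
    return matched


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_SECRET, now)
    step = verify(RFC_SECRET, code, now)
    print("code", code, "accepted at step", step)
    print("replay result:", verify(RFC_SECRET, code, now, last_counter=step))
```

A server using this would store the returned counter per account and pass it back as `last_counter` on the next attempt.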
Enabling Two-Factor Authentication
Setting up 2FA takes about 2 minutes. You'll need your authenticator app ready on your phone.
Tip: After setup, you'll receive an email confirming that 2FA has been enabled. This also serves as a security alert — if you didn't enable 2FA, someone may have access to your account.
Recovery Codes
When you enable 2FA, you receive 10 single-use recovery codes. These are your safety net if you lose access to your authenticator app — lost phone, app uninstalled, device reset.
Important: Each recovery code can only be used once. After use, it is permanently consumed. If you run out of recovery codes and lose your authenticator, you will be locked out of your account.
Where to Store Recovery Codes
- Password manager — most secure, always accessible
- Printed copy in a safe — works offline, immune to digital threats
- Encrypted file — on a separate device or USB drive
- Avoid: plain text on your computer, screenshots in your photo library, sticky notes
Logging In With 2FA
With 2FA enabled, the login flow adds one extra step between your password and your dashboard:
Using Recovery Codes
If you can't access your authenticator app, enter one of your recovery codes on the verification page instead. Recovery codes work as a one-time replacement for the 6-digit code.
When you have 3 or fewer recovery codes remaining, you'll see a warning after login. Regenerate your codes promptly in Settings to avoid being locked out.
Managing 2FA
All 2FA management happens in Settings > Security. Two operations are available once 2FA is enabled:
Organization-Enforced 2FA
Organization owners and admins can require all members to enable 2FA, adding a compliance layer for teams handling sensitive work.
For Admins
- Toggle the requirement in Organization Settings > Security
- View a compliance dashboard showing which members have enabled 2FA
- Non-compliant members are listed with name and email for follow-up
For Members: If your organization requires 2FA and you haven't set it up, you'll be guided through the setup flow on your next login. You won't be locked out — just prompted to comply.
Security Best Practices
- Enable 2FA — it is the single most effective protection against account compromise
- Use a strong, unique password — don't reuse passwords across services
- Store recovery codes in a password manager — not as plain text on your device
- Regenerate codes periodically — especially if you suspect exposure
- Never share your codes or secrets — Workunit will never ask for them
- Act on unexpected emails — if you didn't trigger a 2FA change, secure your account immediately
If you're locked out or having trouble with 2FA, check our support resources or community discussions.