ResonAit·auth
auth.resonait.dev

Our security practices

How we keep your account and credentials safe.

We never store your password

Just like your bank, we never keep a copy of your password. Instead, we run it through a one-way mathematical process called hashing. The result is stored in place of your password, and there is no way to reverse it.

Your recovery codes are treated the same way — individually hashed before storage. We can verify a code when you use it, but we can never read your codes back, which is why we can only show them to you once.

Sensitive data is encrypted at rest

Information like your authenticator keys is encrypted before it ever reaches our database, using the same standard trusted by governments for protecting classified material.

Connections are always encrypted

All communication between your browser and our servers is encrypted in transit. We enforce HTTPS on every request.

Tokens are signed and encrypted

Authentication tokens issued at sign-in are digitally signed (so they cannot be forged) and encrypted (so their contents cannot be read by unauthorized parties).

Phishing-resistant sign-in

Passkeys are bound to this specific site. Unlike a password, a passkey cannot be typed into a fake login page — your device will simply refuse.

Proof Key for Code Exchange

All authorization flows require PKCE (pronounced "pixie"). An application that redeems an authorization code must prove it is the same application that started the flow, which defeats code-interception attacks.
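The exchange described above, as an added example that is not ResonAit's own code: the client derives a challenge from a random verifier, the authorization server stores the challenge alongside the code it issues, and a code alone (without the verifier) cannot be redeemed. It assumes the S256 method of RFC 7636, which the page does not name.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    # 32 random bytes -> 43-character verifier, inside the RFC's 43..128 bounds
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server (constructed for this example)."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> (challenge, method)

    def issue_code(self, challenge: str, method: str = "S256") -> str:
        # The challenge arrives with the authorization request; the code is
        # returned to the browser and may be observed by an interceptor.
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (challenge, method)
        return code

    def redeem(self, code: str, verifier: str) -> bool:
        entry = self._pending.pop(code, None)  # single use: replay fails
        if entry is None:
            return False
        challenge, method = entry
        if method != "S256" or not 43 <= len(verifier) <= 128:
            return False
        # Constant-time comparison of the recomputed challenge
        return hmac.compare_digest(make_challenge(verifier), challenge)


def demo() -> tuple[bool, bool, bool]:
    """Returns (legitimate client ok, interceptor ok, replay ok)."""
    srv = AuthorizationServer()
    verifier = make_verifier()
    code = srv.issue_code(make_challenge(verifier))
    stolen = srv.issue_code(make_challenge(make_verifier()))
    interceptor = srv.redeem(stolen, make_verifier())  # wrong verifier
    legit = srv.redeem(code, verifier)
    replay = srv.redeem(code, verifier)  # code already consumed
    return legit, interceptor, replay
```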

Brute-force protection

After several failed sign-in attempts, your account is temporarily locked. The lockout is brief enough to be a minor inconvenience if you mistype your password, but long enough to stop an attacker.

Content Security Policy

A strict CSP controls which scripts can run on our pages. Each page load generates a unique cryptographic nonce, and only scripts bearing that nonce are permitted to execute — preventing cross-site scripting (XSS) attacks.