Our Security Practices

How we keep your account and credentials safe.

We never store your password

Just like your bank, we never keep a copy of your password. Instead, we run it through a one-way mathematical process called hashing. The result is stored in place of your password, and there is no way to reverse it. Even if our database were somehow exposed, your actual password could not be recovered.

Your recovery codes are treated with the same care as your password. Each code is individually hashed before storage. We can verify a code when you use it, but we can never read your codes back — which is why we can only show them to you once, at the moment they are generated.

Sensitive data is encrypted at rest

Information like your authenticator keys is encrypted before it ever reaches our database. We use the same encryption standard trusted by governments for protecting classified material. Even with direct database access, this data cannot be read without the encryption key.

Connections are always encrypted

All communication between your browser and our servers is encrypted in transit. We enforce HTTPS on every request, so your credentials, tokens, and personal information cannot be intercepted or tampered with while traveling over the network.

Tokens are signed and encrypted

When you sign in, authentication tokens are issued to prove your identity to other applications. These tokens are digitally signed so they cannot be forged, and encrypted so their contents cannot be read by unauthorized parties.

Phishing-resistant sign-in

Passkeys are built on a standard that binds your credential to this specific site. Unlike a password, a passkey cannot be typed into a fake login page — your device will simply refuse. This makes passkeys one of the strongest defenses against phishing attacks available today.

Proof Key for Code Exchange

All authorization flows require a mechanism called PKCE (pronounced "pixie"). When an application requests access on your behalf, it must prove, before the request can be completed, that it is the same application session that started it. This prevents a class of attacks where a malicious application could intercept an authorization code intended for a legitimate one.

Brute-force protection

After several failed sign-in attempts, your account is temporarily locked. This prevents automated tools from guessing your password by trying thousands of combinations. The lockout is brief enough to be a minor inconvenience if you mistype your password, but long enough to stop an attacker in their tracks.

Content Security Policy

We enforce a strict Content Security Policy that controls which scripts are allowed to run on our pages. Each page load generates a unique cryptographic nonce, and only scripts bearing that nonce are permitted to execute. This helps prevent cross-site scripting (XSS) attacks, where an attacker might try to inject malicious code into a page.