Your Security page:
Go to Security in the sidebar to manage:
Active sessions — see every device signed in to your account, with location and browser info. Revoke any session with one click (requires password confirmation).
Recent security events — your last 10 authentication events (logins, logouts, password changes).
Two-factor authentication — enable TOTP-based 2FA from your Profile page.
Passkeys — register hardware or biometric authenticators (Face ID, Touch ID, security keys) for passwordless sign-in.
API tokens — overview of your active personal access tokens.
Connected apps — which OAuth providers (Google, Microsoft, GitHub) are linked.
Revoking a session:
Go to Security in the sidebar
Find the session you want to end
Click Revoke
Enter your password to confirm
To sign out of all other devices at once, click Revoke all other sessions.
Two-factor authentication (2FA):
2FA adds a second layer of protection using an authenticator app (Google Authenticator, Authy, 1Password, etc.).
Go to your Profile page → scroll to Two Factor Authentication
Click Enable
Scan the QR code with your authenticator app
Enter the 6-digit code to confirm setup. Recovery codes are shown once — save them in a safe place.
Passkeys:
Passkeys let you sign in without a password using your device's built-in biometrics (Face ID, Touch ID) or a hardware security key (YubiKey, etc.).
Go to Security in the sidebar → click the Passkeys tab
Click Add Passkey
Follow your device or browser prompts to register your biometric or key
Your passkey is saved — next time you sign in, use it instead of your password
You can register multiple passkeys and revoke any of them individually.
Single Sign-On (SSO / SAML):
Enterprise accounts can use SAML 2.0 SSO with providers including Okta, Azure AD, OneLogin, and Google Workspace. Your administrator configures SSO. Once enabled, team members sign in via your identity provider instead of a password. Contact your administrator for your organisation's SSO login URL.