Security & MFA
Lock down your account. MFA, active sessions, login history, and recovery options live here.
Multi-factor authentication (MFA)
Authenticator app (TOTP), recommended
- Security → Two-factor authentication → Enable authenticator app.
- Flero shows a QR code; scan it with 1Password, Authy, Google Authenticator, or any TOTP app.
- Enter the 6-digit code from your app to confirm.
- Recovery codes appear. Download or screenshot them and store them somewhere safe. These are your only way back in if you lose your second factor.
After enrolment, every login requires the TOTP code.
SMS
- Enable SMS 2FA → Add phone number.
- Enter the code that was just texted to confirm.
- Set this number as the SMS factor.
SMS is less secure than authenticator apps (vulnerable to SIM-swap attacks); use it as a backup, not the primary factor.
Disabling MFA
You can disable any factor from the same screen. You can't disable MFA if your organization mandates it (Settings → Organization → Policies → Required MFA).
Recovery codes
Single-use codes that let you sign in without your second factor. Generate a set when you enrol MFA; regenerate at any time (invalidates the old set).
Store them somewhere safe and not on the device with your authenticator app. A password manager's secure note is fine; a sticky note on your monitor is not.
Active sessions
A table of every active session on your account:
| Column | Notes |
|---|---|
| Device / browser | Inferred from User-Agent |
| IP address | Coarse geolocation shown on hover |
| Last activity | Timestamp |
| Created | When the session started |
Per row: Sign out.
Sign out all other sessions, at the bottom, is the panic button. It keeps your current session active and ends all others. Use it after a suspected compromise.
Login history
Last 90 days of logins:
| Field | Notes |
|---|---|
| Timestamp | UTC |
| Method | Password, SSO, API key |
| IP address | + coarse geolocation |
| Outcome | Success / failed (with reason) |
| MFA factor | Which factor was used |
Failed logins to your account trigger a Security alert notification if you have the category enabled.
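One way to make the weekly review of login history systematic, as an added example (not Flero code): the script below triages rows that carry the fields from the table above. The CSV layout, the `known_ips` baseline, the burst threshold and window, and the sample rows are assumptions constructed for illustration; this page does not describe an export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: columns mirror the Login history fields (UTC timestamps).
# The CSV layout is an assumption; IPs are RFC 5737 documentation addresses.
SAMPLE_CSV = """timestamp,method,ip,outcome,mfa_factor
2024-05-14T08:01:00,Password,192.0.2.10,success,TOTP
2024-05-14T23:40:00,Password,203.0.113.7,failed (bad password),
2024-05-14T23:41:00,Password,203.0.113.7,failed (bad password),
2024-05-14T23:42:00,Password,203.0.113.7,failed (bad password),
2024-05-14T23:44:00,Password,203.0.113.7,success,SMS
2024-05-15T09:00:00,API key,192.0.2.10,success,
"""

def load_rows(text):
    """Parse CSV text into dict rows sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return sorted(rows, key=lambda r: r["timestamp"])

def triage(rows, known_ips, burst=3, window=timedelta(minutes=10)):
    """Return (timestamp, ip, reason) tuples that deserve a closer look."""
    findings = []
    failures = defaultdict(list)  # ip -> failure times still inside the window
    for row in rows:
        ts = datetime.fromisoformat(row["timestamp"])
        ip = row["ip"]
        recent = [t for t in failures[ip] if ts - t <= window]
        if not row["outcome"].lower().startswith("success"):
            failures[ip] = recent + [ts]
            if len(failures[ip]) == burst:
                findings.append((row["timestamp"], ip, "failure burst"))
            continue
        if len(recent) >= burst:
            findings.append((row["timestamp"], ip, "success after failure burst"))
        if ip not in known_ips:
            findings.append((row["timestamp"], ip, "success from unfamiliar IP"))
        # SMS is meant as a backup factor, so its use is worth a second look.
        if row["method"] == "Password" and row["mfa_factor"] == "SMS":
            findings.append((row["timestamp"], ip, "SMS factor used"))
        # Assumes MFA is enrolled, so a password login should record a factor.
        if row["method"] == "Password" and not row["mfa_factor"]:
            findings.append((row["timestamp"], ip, "password login without MFA"))
    return findings

if __name__ == "__main__":
    for finding in triage(load_rows(SAMPLE_CSV), known_ips={"192.0.2.10"}):
        print(*finding, sep="  ")
```

Any finding you cannot explain is a reason to use Sign out all other sessions and review the audit log.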
API tokens (overview)
A summary of API keys you've generated and credentials you own. For full management, see API keys & bearer tokens.
SSO (if configured)
Your organization may have SSO with an IdP (Okta, Azure AD, Google Workspace, …). When SSO is active for your org:
- The standard login form may redirect to your IdP automatically.
- Password change happens at the IdP, not in Flero.
- MFA may be enforced by the IdP and bypassed in Flero, or required in both.
Disconnecting SSO from your account requires admin help (otherwise you'd be locked out).
Audit log
A per-user audit of security-relevant events:
- MFA enabled / disabled
- Password changed
- Recovery codes regenerated
- Sessions revoked
- Workspace memberships changed
Helpful for "what happened to my account on the 14th?" reconstructions.
Tips & gotchas
- Enrol MFA before you need it. Doing it after a security incident is too late.
- Authenticator app + recovery codes is the right combo. SMS alone is weaker than authenticator-only.
- Recovery codes are single-use. Used one to log in? Generate a fresh set next time.
- Sign out all other sessions after losing a device, but be prepared to re-log in everywhere.
- Login history is a great early-warning signal. Glance at it weekly.