
Security Settings

{#if message}
{message.text}
{/if} {#if loading}
Loading...
{:else}

Two-Factor Authentication

Add an extra layer of security to your account using an authenticator app like Google Authenticator, Authy, or 1Password.

{#if setupStep === 'idle'} {#if totpEnabled}
Two-factor authentication is enabled
{#if !showDisableForm && !showRegenForm}
{/if} {#if showRegenForm}

Regenerate Backup Codes

This will invalidate all existing backup codes.

{/if} {#if showDisableForm}

Disable Two-Factor Authentication

This will make your account less secure.

{/if} {:else}
Two-factor authentication is not enabled
{/if} {:else if setupStep === 'qr'}

Step 1: Scan QR Code

Scan this QR code with your authenticator app:

TOTP QR Code
Can't scan? Enter this secret key manually in your authenticator app: {totpUri.split('secret=')[1]?.split('&')[0] || ''}. Treat it like a password: anyone who reads it can generate your codes.
{:else if setupStep === 'verify'}

Step 2: Verify Setup

Enter the 6-digit code from your authenticator app:

{:else if setupStep === 'backup'}

Step 3: Save Backup Codes

Save these backup codes in a secure location. Each code can only be used once. If you lose access to your authenticator app, you'll need these to sign in.

{#each backupCodes as code} {code} {/each}
{/if}

Passkeys

Passkeys are a secure, passwordless way to sign in using biometrics (fingerprint or face), a security key, or your device's screen lock.

{#if passkeysLoading}
Loading passkeys...
{:else} {#if passkeys.length > 0}
{#each passkeys as passkey}
{#if editingPasskeyId === passkey.id}
{:else}
{passkey.friendlyName || 'Unnamed passkey'} Added {formatDate(passkey.createdAt)} {#if passkey.lastUsed} · Last used {formatDate(passkey.lastUsed)} {/if}
{#if hasPassword || passkeys.length > 1} {/if}
{/if}
{/each}
{:else}
No passkeys registered
{/if}
{/if}

Password

Manage your account password. If you have passkeys set up, you can optionally remove your password for a fully passwordless experience.

{#if passwordLoading}
Loading...
{:else if hasPassword}
Password authentication is enabled
{#if passkeys.length > 0} {#if !showRemovePasswordForm} {:else}

Remove Password

This will make your account passkey-only. You'll only be able to sign in using your registered passkeys. If you lose access to all your passkeys, you can recover your account using your notification channel.

Before proceeding:
  • Make sure you have at least one reliable passkey registered
  • Consider registering passkeys on multiple devices
  • Ensure your recovery notification channel is up to date
{/if} {:else}

Add at least one passkey before you can remove your password.

{/if} {:else}
Your account is passkey-only

You sign in using passkeys only. If you ever lose access to your passkeys, you can recover your account using the "Lost passkey?" link on the login page.

{/if}

Trusted Devices

Manage devices that can skip two-factor authentication when signing in. Trust is granted for 30 days and automatically extends when you use the device.

Manage Trusted Devices →
{#if hasMfa}

App Compatibility

Control whether apps that don't support modern authentication (like the official Bluesky app) can sign in to your account.

{#if legacyLoginLoading}
Loading...
{:else}
Allow legacy app login
{#if allowLegacyLogin}
Legacy apps can sign in with just your password, but sensitive actions (like changing your password) will require MFA verification.
{:else}
Only OAuth-compatible apps can sign in. Legacy apps will be blocked.
{/if}
{#if totpEnabled}
Important: Password changes in the Bluesky app will fail

With TOTP enabled, changing your password from the Bluesky app (or any other legacy app) is blocked, because that app never presented your second factor. To change your password, you have two options:

  1. Change it here: Use this website's Settings page, where you can verify with your authenticator app.
  2. Verify your session first: Use the re-authenticate option to verify your Bluesky session with TOTP; password changes will then succeed for a limited time.
{/if}
What are legacy apps?

Some apps (like the official Bluesky app) use an older sign-in method that requires only your password. With MFA enabled, such an app signs in without ever presenting your second factor, so a stolen password alone is enough to get in. Disabling legacy login forces every app to use OAuth, where MFA is enforced as part of the sign-in flow.
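The rules in this section can be written down as a small policy: a legacy (password-only) sign-in is allowed only when MFA is off or the user opted in; an OAuth sign-in that did not complete MFA is refused rather than downgraded; and a sensitive action such as a password change needs MFA proof that is recent, which a legacy session gets only by re-authenticating with TOTP. The following is an added example, not this page's or its backend's own code. The 15-minute re-authentication window is an assumption (the page says only that password changes work "temporarily" after re-authenticating), as are the field and function names.

```javascript
// Added example, not the page's own code: a policy model for the "Allow
// legacy app login" switch and the sensitive-action rule described above.
// The 15-minute window is an assumption; the page gives no duration.
const REAUTH_WINDOW_SEC = 15 * 60;

// account: { hasMfa, allowLegacyLogin }
// attempt: { method: 'oauth' | 'legacy', passwordOk, mfaPassed }
// Returns a session object, or { denied: reason }.
function signIn(account, attempt, nowSec) {
  if (!attempt.passwordOk) return { denied: 'bad_password' };
  if (attempt.method === 'legacy') {
    // A legacy login never presents a second factor. Permit it only when
    // there is nothing to bypass, or the user explicitly allowed it.
    if (account.hasMfa && !account.allowLegacyLogin) return { denied: 'legacy_login_disabled' };
    return { method: 'legacy', createdAt: nowSec, mfaVerifiedAt: null };
  }
  if (attempt.method === 'oauth') {
    // The OAuth flow enforces MFA itself; an attempt that skipped it is
    // rejected, not silently treated as a weaker session.
    if (account.hasMfa && !attempt.mfaPassed) return { denied: 'mfa_required' };
    return { method: 'oauth', createdAt: nowSec, mfaVerifiedAt: account.hasMfa ? nowSec : null };
  }
  return { denied: 'unknown_method' };
}

// "Re-authenticate": a successful TOTP check stamps the session with the time.
function reauthenticate(session, totpOk, nowSec) {
  if (totpOk) session.mfaVerifiedAt = nowSec;
  return session;
}

// Sensitive actions (password change, disabling 2FA, ...) require MFA proof
// no older than the window, whichever app created the session.
function canPerformSensitiveAction(account, session, nowSec) {
  if (!account.hasMfa) return { ok: true };
  const fresh = session.mfaVerifiedAt !== null &&
    nowSec - session.mfaVerifiedAt <= REAUTH_WINDOW_SEC;
  return fresh ? { ok: true } : { ok: false, reason: 'reauthenticate_with_totp' };
}

// Stand-alone demo that walks through the scenario described on the page.
const demoAccount = { hasMfa: true, allowLegacyLogin: true };
const demoSession = signIn(demoAccount, { method: 'legacy', passwordOk: true }, 0);
console.log('legacy session, change password:', canPerformSensitiveAction(demoAccount, demoSession, 1));
reauthenticate(demoSession, true, 60);
console.log('after TOTP re-auth:', canPerformSensitiveAction(demoAccount, demoSession, 120));
console.log('20 minutes later:', canPerformSensitiveAction(demoAccount, demoSession, 60 + 20 * 60));
console.log('legacy login with switch off:',
  signIn({ hasMfa: true, allowLegacyLogin: false }, { method: 'legacy', passwordOk: true }, 0));
```

The important design point is that the legacy session is never upgraded to look like an OAuth one: its `mfaVerifiedAt` starts empty and is only set by an explicit TOTP check, so the "temporarily" in the text falls out of the window arithmetic rather than a separate flag.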

{/if}
{/if} {/if}