Your account stores scan data, credentials, findings, and reports for systems you’re authorized to test. Use the settings on this page to lock it down. Manage your security settings at My Account > Security.

Two-factor authentication (2FA)

We strongly recommend enabling 2FA for all accounts.

Enabling 2FA

Go to My Account > Security > 2FA to set up two-factor authentication.

1. Scan the QR code
   Use an authenticator app to scan the QR code displayed on the page. Alternatively, you can manually enter the secret key.
2. Enter the verification code
   Enter the 6-digit code from your authenticator app to verify the setup.

Once enabled, you’ll need to enter a code from your authenticator app each time you log in.

Supported authenticator apps

Any TOTP-compatible authenticator app works, including:

Disabling 2FA

1. Go to Security settings
2. Disable 2FA
   Click Disable 2FA.
3. Confirm with password
   Enter your current password to confirm.

Password

Changing your password

1. Go to Security settings
2. Click Change password
   Click Change password.
3. Enter current password
   Enter your current password.
4. Set new password
   Enter and confirm your new password.
5. Save
   Click Save.

The page also shows when you last changed your password.

If you signed up using Google or Microsoft SSO and haven’t set a password yet, you’ll see Set password instead of Change password.

Password requirements

  • Minimum 8 characters
  • We recommend using a password manager and a unique password for this service

Login history

Review your login history for suspicious activity at My Account > Security > Login history. Each login event shows:

Field         Description
Date          When the login occurred
IP address    The IP address used
Location      Country and city (when available)
Client        Browser/device information

Regularly review your login history for unauthorized access attempts. If you see suspicious activity, change your password immediately and enable 2FA.

API key security

For API access, follow these best practices:
  • Generate separate keys for different purposes
  • Rotate keys periodically
  • Revoke unused keys
  • Never share keys in code or logs
See API Authentication for more details.