# Account Security

> Set up two-factor authentication and manage your account security

Protect your account with two-factor authentication (2FA) and manage your password from **Settings → Security**.

## Two-factor authentication (2FA)

LetterBucket supports **TOTP (Time-based One-Time Password)** as its 2FA method. This works with any standard authenticator app:

* Google Authenticator
* Microsoft Authenticator
* Authy
* 1Password
* Any other TOTP-compatible app

### Setting up 2FA

1. Go to **Settings → Security**.
2. Enter your **current password** to verify your identity.
3. Open your authenticator app and scan the **QR code** shown on screen.
4. Enter the **6-digit code** generated by your app to confirm the setup.
5. 2FA is now active on your account.

Recovery codes are generated automatically when you enable 2FA.

### Recovery codes

Recovery codes let you access your account if you lose access to your authenticator app. Each code can only be used once.

<Warning>
  Save your recovery codes somewhere safe when they're shown to you. If you lose access to both your authenticator app and your recovery codes, you may be permanently locked out.
</Warning>

To view or regenerate your recovery codes:

1. Go to **Settings → Security**.
2. Click **View Recovery Codes** (requires TOTP verification and password).
3. To generate a new set, click **Regenerate** — this invalidates all previous codes.

<Info>
  If you enter incorrect codes too many times, your account will be temporarily locked for 1 hour as a security measure.
</Info>

### Disabling 2FA

To remove 2FA from your account, go to **Settings → Security** and click **Remove authenticator**. You'll need to verify with your password and a TOTP code.

## Password management

You can change your password at any time from **Settings → Security → Password tab**.

LetterBucket logs security events on your account, including:

* Password changes
* 2FA setup and removal
* Failed login attempts (with IP and location)

You'll receive a notification when any of these events occur.

<Tip>
  We strongly recommend enabling 2FA. It's the single most effective way to protect your account from unauthorized access.
</Tip>
