Account security

This page covers the three security primitives every CloudMagnus account has: two-factor authentication (2FA) via email code, recovery codes for the "phone is dead, email is locked out" path, and password reset.

Two-factor authentication

2FA is on by default for every new signup. The second factor is a six-digit code emailed to your account address when you sign in from a new browser.

How it works

  1. You enter email + password on the sign-in form.
  2. If your browser has signed in successfully before (and you've checked "remember this device"), you go straight to your dashboard.
  3. If it's a new browser, we email a six-digit code to your account address. Enter it within 10 minutes and you're in.
  4. The code is single-use; using it (or it expiring) invalidates it.

What "remember this device" actually does

It sets a long-lived cookie scoped to that browser. We use the cookie's presence to skip the 2FA step on future sign-ins from the same browser. The cookie is HTTP-only (JavaScript can't read it) and SameSite=Lax (other sites can't trick your browser into sending it). It expires after 30 days of no use; sign in once during the window and it renews.

If you tick "remember this device" on a public computer, anyone with that browser session for the next 30 days can sign in as you without the 2FA step. Don't tick it on shared computers.

Disabling 2FA

v1 doesn't ship a "turn off 2FA" toggle — every account has it on. If you have a strong reason to disable (e.g. you're using a password manager that doesn't handle email codes well), contact support and we'll discuss alternatives.

Recovery codes

Recovery codes are the fallback if you can't access your email account temporarily (mail server outage, lost phone with email app). On signup we generate ten one-time codes and show them to you ONCE. Save them somewhere safe — a password manager, a paper printout in a desk drawer, an encrypted note. We don't store the plain codes; if you lose them and lose your email, the only path back is account recovery (which is slow and operator-mediated).

Using a code

On the 2FA prompt, click "Use a recovery code instead" → enter one of your ten codes. The code is consumed (you can never use it again). You're signed in.

Regenerating codes

From /dashboard/settings/security → "Regenerate recovery codes". This invalidates all previous codes and shows a fresh set of ten. Save the new ones; the old ones are dead.

How many do I have left?

The settings page shows remaining count. When you're under three, regenerate.

Password reset

If you've forgotten your password, click "Forgot password?" on the sign-in page. Enter your email; we send a reset link valid for 1 hour. Click the link, set a new password, sign back in.

What if I've forgotten my password AND I can't access my email?

That's the account-recovery path — see below.

Account recovery (last-resort)

If you've lost both your password AND access to the email address on the account AND you don't have any recovery codes, you can request operator-mediated recovery from /account-recovery.

The flow is intentionally slow because the alternative is a vector for account takeover:

  1. You submit a request describing the account, when you signed up, what your last interactions were, and a verification email you DO control.
  2. An operator reviews the request manually (typically within 1-3 business days).
  3. If granted, you receive an email at your new address with a one-time link to set a new password and complete recovery.
  4. The original email address is updated to the new one.

Recovery is rate-limited per email and per IP. Submitting many recovery requests for the same account will get them all denied; submit one and wait.

Anomaly alerts

The platform watches for patterns that suggest account takeover (sudden many failed logins, sign-in from a country you've never used before, password reset followed by email change). When one fires, we email you about it. The alert tells you what happened, when, and what to do (typically: rotate your password if you didn't initiate the action). You can't disable security alerts in v1 — they're always-sent.

What to do if you suspect your account is compromised

  1. From a clean device, sign in to /dashboard/settings/security and click "Sign out everywhere" — this invalidates every session including the attacker's.
  2. Change your password (settings → Password).
  3. Regenerate recovery codes (settings/security → Regenerate).
  4. Review your sites for unfamiliar changes (file manager, redirects, cron jobs). Restore from backup if anything looks tampered.
  5. Contact support with timestamps and what you saw — we can pull the audit log to confirm what the attacker did.