Account security & 2FA

Two-factor authentication, password management, active sessions, and security best practices.

FlowMaticX supports two-factor authentication (2FA) to protect your account even if your password is compromised. You can use an authenticator app (TOTP) or receive codes via WhatsApp.

Setting up two-factor authentication
  1. Go to Settings → Security tab
  2. Click Authenticator App in the two-factor section
  3. Open your authenticator app (Google Authenticator, Authy, 1Password, or any TOTP-compatible app)
  4. Tap + or Add account in your authenticator app
  5. Scan the QR code shown on screen — or tap Can't scan? to enter the manual key
  6. Your app shows a 6-digit code that rotates every 30 seconds
  7. Enter that code in the Enter the 6-digit code to confirm field and click Activate 2FA
  8. Save your backup codes (shown once) — store them somewhere safe

2FA is now active. Every login from a new device will ask for a 6-digit code after your password.

Signing in with 2FA enabled
  1. Enter email + password as normal
  2. After a successful password check, the page shows a code entry screen
  3. Open your authenticator app and enter the current 6-digit code
  4. Click Verify & sign in

The code rotates every 30 seconds. If a code is rejected, wait for the next rotation and try again.

WhatsApp OTP

If your account has a WhatsApp number set (Settings → Profile), you can request a code via WhatsApp instead of using your authenticator app:

  1. On the 2FA code entry screen, look for the method selector
  2. If WhatsApp is available, click Send code via WhatsApp
  3. A 6-digit code is sent to your registered WhatsApp number (valid for 10 minutes)
  4. Enter it and click Verify & sign in

> Note: WhatsApp OTP requires a WhatsApp number in your profile and a linked Wasender account. If the option doesn't appear, add your WhatsApp number in Settings → Profile first.

Backup codes

When you enable 2FA, you receive 8 one-time backup codes. Each code can be used once to sign in if you lose access to your authenticator app.

Store backup codes safely:

  • Print them and keep them in a safe place
  • Save them in a password manager
  • Do NOT store them on the same device as your authenticator app

To use a backup code at login: on the 2FA code entry screen, click Use a backup code and enter one of your saved codes (with or without the dash).

After using a backup code it is permanently invalidated. You can see how many backup codes remain in Settings → Security.
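The backup-code behaviour described above (8 codes, accepted with or without the dash, each usable once) can be sketched as follows. This is an added example, not FlowMaticX's own code: the `xxxx-xxxx` format, the alphabet, the PBKDF2 parameters and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 8                                  # the page states 8 backup codes
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"    # assumed: no look-alike characters


def normalize(code: str) -> str:
    """Accept a code typed with or without the dash, in any letter case."""
    return code.strip().replace("-", "").replace(" ", "").lower()


def digest(code: str, salt: bytes) -> bytes:
    """Slow, salted hash so the stored list never holds usable codes."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 100_000)


def issue_codes(salt: bytes) -> tuple[list[str], set[bytes]]:
    """Return (codes shown to the user once, hashes kept server-side)."""
    codes: list[str] = []
    while len(codes) < CODE_COUNT:
        raw = "".join(secrets.choice(ALPHABET) for _ in range(8))
        code = f"{raw[:4]}-{raw[4:]}"           # assumed xxxx-xxxx display format
        if code not in codes:
            codes.append(code)
    return codes, {digest(c, salt) for c in codes}


def redeem(entered: str, stored: set[bytes], salt: bytes) -> bool:
    """Consume a backup code: True on first use, False on any later attempt."""
    candidate = digest(entered, salt)
    match = None
    for h in stored:                            # constant-time compare per hash
        if hmac.compare_digest(h, candidate):
            match = h
    if match is None:
        return False
    stored.remove(match)                        # permanently invalidated after use
    return True


if __name__ == "__main__":
    salt = secrets.token_bytes(16)              # per-account salt (constructed)
    shown, stored = issue_codes(salt)
    print(redeem(shown[0].replace("-", ""), stored, salt), len(stored))
    print(redeem(shown[0], stored, salt), len(stored))
```

In a real service the remove step must be atomic with the lookup (for example a single conditional database delete) so that two parallel login attempts cannot both spend the same code.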

Disabling 2FA
  1. Settings → Security → click Disable 2FA
  2. Enter your current password
  3. Enter a valid 2FA code (or backup code)
  4. Click Disable 2FA

Both your password and a valid code are required to disable 2FA. This prevents an attacker who only has your password from removing 2FA.

Changing your password
  1. Go to Settings → Profile → scroll to the password section, or
  2. Use the Forgot password link on the login page to receive a reset email

After a successful password reset:

  • All existing sessions are automatically invalidated
  • You'll need to log in again on all devices
  • This is intentional — it ensures anyone who knew your old password is locked out

Session security

FlowMaticX uses HTTP-only, Secure cookies for sessions. Sessions expire after 7 days of inactivity or when you log out. If you change your password, all sessions issued before the change are revoked automatically.

Security best practices
  • Enable 2FA — reduces account takeover risk even if your password leaks
  • Use a unique password — don't reuse a password from another service
  • Check your team — regularly review team members at Settings → Team and remove anyone who shouldn't have access
  • Review API keys — rotate API keys periodically at Workspace → API Keys. Delete keys you no longer use
  • Watch for suspicious logins — you receive an email alert on every new login from an unrecognised device

If you suspect your account is compromised
  1. Change your password immediately via Forgot password
  2. This invalidates all existing sessions
  3. Review your API keys and rotate any that may have been exposed
  4. Check your automation and campaign history for unexpected activity
  5. Contact support at hello@flowmaticx.com — we can freeze your account or roll back changes if needed