Skip to content

Securing your account

This page covers the controls that protect your OpenWatch account: two-factor authentication, active session management, and changing your password or email. You will find them on your account preferences page.

These controls apply to local accounts (email and password). If your organisation uses single sign-on, authentication is handled by your identity provider instead.

Two-factor authentication (2FA)

Two-factor authentication adds a one-time code from an authenticator app on top of your password, so a stolen password is not enough to sign in.

Enable 2FA

  1. Open your account preferences.
  2. Start the two-factor setup.
  3. Scan the QR code with a TOTP authenticator app such as Google Authenticator, Authy, 1Password or Microsoft Authenticator.
  4. Enter the 6-digit code from the app to confirm and activate.

Codes are time-based and rotate every 30 seconds. OpenWatch accepts the current code with a small tolerance window, so a slightly out-of-sync clock still works.

Recovery codes

When you enable 2FA, OpenWatch gives you 8 one-time recovery codes. Each code works once and lets you sign in if you lose access to your authenticator app.

Store your recovery codes now

Save your recovery codes in a safe place, such as a password manager, the moment they are shown. They are stored only in hashed form, so OpenWatch cannot show them to you again later. If you lose both your authenticator app and your recovery codes, you may be locked out and need an administrator to help.

Active sessions

Your account preferences show your recent sign-in sessions, so you can spot access you do not recognise. For each session you can see when and from where it was created.

  • Revoke a single session to sign that device out.
  • Revoke all other sessions to sign out everywhere except your current device, which is useful after using a shared or public computer.

You can also revoke your current session from here, which signs you out immediately.

After a suspected compromise

Change your password, revoke all other sessions, and confirm 2FA is enabled. Admins can cross-check activity in the audit log.

Change your password

You can change your password from your account preferences. You must enter your current password to confirm the change. New passwords are checked against a strength policy, so choose a long, unique passphrase. A password manager makes this easy.

Change your email

You can change the email address on your account. To protect against mistakes and hijacking, OpenWatch sends a verification link to the new address. The change takes effect only after you confirm it from that address, so make sure you can receive mail there first.