Securing your account
Set up two-factor authentication, manage active sessions, enforce SSO, and keep your Doow account secure.
Keeping your Doow account secure protects your organisation's financial and usage data. This article covers the security features available and how to configure them.
Two-factor authentication (2FA)
Doow supports time-based one-time password (TOTP) two-factor authentication using any authenticator app (Google Authenticator, Authy, 1Password, etc.).
Enabling 2FA
- Go to Settings → Profile → Security (click your avatar in the bottom-left, then Profile).
- Click Enable two-factor authentication.
- Scan the QR code with your authenticator app.
- Enter the 6-digit code from your app to confirm.
- Save your recovery codes — store them somewhere safe, offline. Each code can be used once.
Once enabled, you are prompted for a 6-digit code after entering your password on each sign-in. 2FA is set up per user, not for the workspace as a whole: each member enables it on their own account.
Recovery codes
When you enable 2FA, Doow generates 8 recovery codes. Each can be used once to sign in if you lose access to your authenticator app. Keep these somewhere safe and offline — a password manager, a printed copy, or a secure note.
To generate a new set of recovery codes (invalidating the old ones), go to Settings → Profile → Security → Regenerate recovery codes. You will need your current 2FA code to do this.
Disabling 2FA
- Go to Settings → Profile → Security.
- Click Disable two-factor authentication.
- Enter your password and current 2FA code to confirm.
Workspace-wide 2FA requirement
Admins can require all members to enable 2FA:
- Go to Settings → Workspace → Security.
- Toggle Require two-factor authentication for all members.
- Members who have not enabled 2FA are prompted on their next sign-in. They cannot access the workspace until 2FA is set up.
Existing members are not signed out — the requirement is enforced on their next sign-in.
SSO enforcement
If your workspace uses SAML or OIDC SSO (configured during onboarding or via an identity provider integration), you can require SSO for all members:
- Go to Settings → Workspace → Security.
- Toggle Require SSO for all members.
- Members without an SSO session are redirected to your identity provider on sign-in.
When SSO is required, password-based sign-in is disabled for all members, with one exception: admins can still sign in with a password + 2FA as a fallback. This fallback cannot be disabled.
Managing active sessions
You can see where you are signed in and sign out of other sessions:
- Go to Settings → Profile → Security → Active sessions.
- The list shows each session with: device and browser, approximate location (based on IP), sign-in time, and last activity.
- Click Sign out next to any session to end it remotely.
- Click Sign out all other sessions to end everything except your current one.
Admins can view active sessions for all workspace members from Settings → Team → [member] → Sessions.
Password management
Changing your password
- Go to Settings → Profile → Security.
- Click Change password.
- Enter your current password and the new password.
- Click Save.
Choose a password that is at least 12 characters and not reused from other services. Doow checks new passwords against known breached-password databases.
Resetting a forgotten password
- Click Forgot password? on the sign-in page.
- Enter your email address.
- Click the link in the reset email.
- Choose a new password.
The reset link expires after 1 hour. If you do not receive the email, check your spam folder and verify that your IT team has not blocked automated emails from notifications@doow.co.
Account activity log
To see actions taken on your account:
- Go to Settings → Profile → Security → Activity log.
- The log shows: sign-ins (successful and failed), password changes, 2FA enable/disable, profile changes, and SSO linking.
Entries are retained for 90 days. Admins can view the workspace-wide audit log from Settings → Workspace → Audit log, which shows actions by all members.
If you suspect unauthorised access
- Immediately change your password from Settings → Profile → Security.
- Go to Active sessions and sign out all other sessions.
- Enable 2FA if not already enabled.
- Check the Activity log for unfamiliar sign-ins.
- Contact support via the in-app chat or support@doow.co.
What to read next
- User roles and permissions — understand what different roles can access
- Managing workspace settings — workspace-level security settings