Skip to content

Account security overview

ScrinCloud protects account access with email verification, password policy, short-lived challenges, two-factor methods, passkeys, bounded browser sessions, and organization policy.

Never put these values in documentation screenshots, chat, tickets, comments, logs, recordings, clipboard history, or shared files:

  • passwords;
  • email or authenticator one-time codes;
  • authenticator QR codes, manual keys, or otpauth values;
  • recovery codes;
  • passkey browser payloads or credential references;
  • cookies, access tokens, refresh tokens, or challenge IDs; or
  • session identifiers.

Use masked email addresses and synthetic non-production examples. A successful button response proves only that the application accepted the step. Identity is established by the backend challenge, and account or organization policy can still reject a later action.

Security controls fail closed. Do not repeatedly guess codes, bypass a waiting period, create a second account to evade policy, or ask someone to share a factor. Start a fresh supported recovery flow when a challenge expires. If all registered methods are unavailable, use your organization’s verified support and identity-recovery process.

Account security does not replace project authorization. Invite only people who need access, choose the lowest useful role, separate contribution from approval, and remove access promptly when responsibilities change. Team and reviewer-group actions are covered in the dedicated Settings guidance.