Account security overview
ScrinCloud protects account access with email verification, password policy, short-lived challenges, two-factor methods, passkeys, bounded browser sessions, and organization policy.
Choose a guide
Section titled “Choose a guide”- Create and verify an account for sign-up, invitation-aware registration, and email verification.
- Sign in with two-factor for password, email code, authenticator, recovery-code, and passkey sign-in.
- Reset your password for the fail-closed recovery challenge and new-password flow.
- Change password and sessions for an authenticated password rotation, individual session revocation, or signing out everywhere.
- Manage 2FA and passkeys for enrollment, preferred methods, recovery-code regeneration, method disable, passkeys, and organization sign-in policy.
Keep account evidence private
Section titled “Keep account evidence private”Never put these values in documentation screenshots, chat, tickets, comments, logs, recordings, clipboard history, or shared files:
- passwords;
- email or authenticator one-time codes;
- authenticator QR codes, manual keys, or
otpauthvalues; - recovery codes;
- passkey browser payloads or credential references;
- cookies, access tokens, refresh tokens, or challenge IDs; or
- session identifiers.
Use masked email addresses and synthetic non-production examples. A successful button response proves only that the application accepted the step. Identity is established by the backend challenge, and account or organization policy can still reject a later action.
Understand lockout and recovery
Section titled “Understand lockout and recovery”Security controls fail closed. Do not repeatedly guess codes, bypass a waiting period, create a second account to evade policy, or ask someone to share a factor. Start a fresh supported recovery flow when a challenge expires. If all registered methods are unavailable, use your organization’s verified support and identity-recovery process.
Keep team access deliberate
Section titled “Keep team access deliberate”Account security does not replace project authorization. Invite only people who need access, choose the lowest useful role, separate contribution from approval, and remove access promptly when responsibilities change. Team and reviewer-group actions are covered in the dedicated Settings guidance.
