Account Security

This page walks through the security settings available to every ReframeUI account holder. Open the Account menu, select Settings, then go to the Security tab. From there you can set up two-factor authentication, review active sessions, and manage the sign-in methods connected to your account.

Two-factor authentication (2FA)

TOTP-based 2FA adds a second verification step each time you sign in. Any account holder can enable it regardless of plan.

Enabling 2FA

  1. On the Security settings page, click "Enable two-factor authentication."
  2. Open a TOTP authenticator app. Google Authenticator, Authy, 1Password, and most password managers work. Scan the QR code shown. If you cannot scan it, click "Can't scan?" to reveal the setup key and enter it manually into your app.
  3. Enter the 6-digit code your app shows, then click "Confirm and enable."
  4. Copy your backup codes before closing the screen. See below.
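
What an authenticator app does with a manually entered setup key, as an added example (not ReframeUI code). It assumes the RFC 6238 defaults most apps use: a Base32 key, HMAC-SHA-1 and a 30-second step; the page itself only states that codes have 6 digits. The function names, the one-step drift window and the sample key (the RFC 6238 test secret) are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test secret, typed the way a person
# might enter it by hand (lowercase, grouped with spaces).
SAMPLE_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_setup_key(key: str) -> bytes:
    """Normalize a hand-typed setup key and Base32-decode it."""
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that is usually omitted
    return base64.b32decode(cleaned)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Code for the time step containing `at` (assumed RFC 6238 defaults)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, at: float, step: int = 30, drift: int = 1) -> bool:
    """Accept the code for the current step or `drift` steps either side."""
    submitted = code.strip().encode()
    ok = False
    for n in range(-drift, drift + 1):
        expected = totp(secret, at + n * step, step).encode()
        # Constant-time comparison; every step in the window is checked.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    secret = decode_setup_key(SAMPLE_KEY)
    now = time.time()
    code = totp(secret, now)
    print("current code:", code, "valid:", verify(secret, code, now))
```

If the code is rejected right after manual entry, the usual causes are a mistyped setup key or a device clock that is off by more than the accepted window.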

Backup codes

After confirming setup, you receive 10 single-use backup codes. They are the only way to access your account if you lose your authenticator device. Use "Copy all codes" and save them in a password manager or other secure location.

The codes are not shown again after you close this screen.

To generate a new set: with 2FA active, click "Regenerate backup codes" and enter your current authenticator code to confirm. The previous set is immediately invalidated.

If you lose your authenticator device and have no backup codes, you cannot recover access to your account.

Removing 2FA

Click "Remove two-factor authentication," then enter your current authenticator code or a backup code to confirm. The change is recorded in the audit log.

Active sessions

The sessions list shows the browser, operating system, approximate location, and last-active time for each signed-in session. Your current device is labeled "This device."

To revoke a session, click "Remove" on any row that is not your current device. The session is immediately invalidated. Revoke sessions you do not recognize, or any session from a shared or old device.

The list header shows how many sessions are currently active.

Connected accounts

If you signed up with Google or GitHub, that provider appears here. You can disconnect it only if at least one other sign-in method remains on your account. The "Disconnect" button is disabled when it is your only connected method.

If your organization uses SSO, sign-in is managed through your identity provider. Contact your workspace owner for SSO configuration details.

2FA and SSO

When SSO is active for your organization, your identity provider controls authentication, including any MFA requirement. Your IdP's MFA policy takes precedence over individual TOTP 2FA set up in ReframeUI. The two operate independently.

To enforce MFA across your whole organization, configure it at the IdP level. Requiring each member to opt in individually does not guarantee full coverage.

SSO configuration is available to workspace owners via Organization Settings, then Security (Pro plan).

For roles, API keys, and data isolation, see Security and Access. For how 2FA and session events are recorded, see Audit Log.