Account & security

Sign-in options, mandatory two-factor authentication, account lockout, password rules, connected accounts, and account deletion.

This page covers staff (dashboard) accounts. Customers sign in to the portal separately, with their Cfx.re account only; staff and customer accounts are fully independent, even for the same person.

Signing in

Dashboard accounts support two methods:

  • Email and password
  • OAuth: Google, Discord, GitHub, or Cfx.re

If you sign up with OAuth and the provider's email already belongs to an existing account, the sign-in is refused: log in to the existing account first and link the provider from your profile instead.

Two-factor authentication

2FA is mandatory for accounts that have a password. After signing in with email and password, the dashboard takes you through 2FA setup before you can continue. Accounts that only use OAuth do not need 2FA (the provider handles their security).

  • Authenticator app (TOTP): scan the QR code and confirm with a 6-digit code.
  • Recovery codes: 10 single-use backup codes are generated when 2FA is activated. You can regenerate them at any time, which invalidates the previous set.
  • Email fallback: if your authenticator is unavailable, request a one-time code by email. Codes expire after 5 minutes, and requesting a new one invalidates the previous code (3 requests per 15 minutes).
  • Disabling 2FA requires your current password.

Account lockout and rate limits

After 5 failed login attempts within 15 minutes, the account is locked for the remainder of that window; the login page tells you how many minutes remain. Login, registration, and password-reset endpoints are also rate-limited per IP address.
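
A minimal model of the lockout rule above, as an added example that is not the dashboard's own code. It assumes the 15-minute window starts at the first failed attempt, so a fifth failure late in the window produces only a short lock; the class, method names and sample account are hypothetical.

```python
import math

MAX_FAILURES = 5          # from the page: 5 failed attempts
WINDOW_SECONDS = 15 * 60  # from the page: within 15 minutes


class LoginLockout:
    """Fixed-window lockout per account (assumed model, not the product's code)."""

    def __init__(self):
        # account -> (window_start_seconds, failure_count)
        self._windows = {}

    def _current(self, account, now):
        """Return (start, count) for the live window, or None once it has expired."""
        entry = self._windows.get(account)
        if entry is None or now >= entry[0] + WINDOW_SECONDS:
            self._windows.pop(account, None)
            return None
        return entry

    def minutes_remaining(self, account, now):
        """Minutes of lockout left, rounded up; 0 if the account is not locked.

        A login handler would call this before checking the password.
        """
        entry = self._current(account, now)
        if entry is None or entry[1] < MAX_FAILURES:
            return 0
        return math.ceil((entry[0] + WINDOW_SECONDS - now) / 60)

    def record_failure(self, account, now):
        """Count one failed attempt and return the lockout minutes that result."""
        entry = self._current(account, now)
        start, count = entry if entry else (now, 0)
        self._windows[account] = (start, count + 1)
        return self.minutes_remaining(account, now)


def demo():
    """Constructed timeline: failures at minutes 0, 1, 2, 3 and 14."""
    guard = LoginLockout()
    results = [guard.record_failure("staff@example.test", m * 60)
               for m in (0, 1, 2, 3, 14)]
    # The fifth failure locks the account only until minute 15.
    results.append(guard.minutes_remaining("staff@example.test", 15 * 60))
    return results


if __name__ == "__main__":
    print(demo())
```
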

Passwords

  • At least 8 characters, with an uppercase letter, a lowercase letter, and a digit.
  • Changing your password requires the current one and signs out your other dashboard sessions.
  • OAuth-only accounts can add a password from the profile settings (no current password needed the first time).
  • Forgot password: the reset link expires after 10 minutes and works once. Resetting signs you out everywhere.

Changing your email

Requesting an email change requires your password. A verification link is sent to the new address and stays valid for 24 hours; your current email keeps working until the link is clicked.

Connected accounts

You can link Google, Discord, GitHub, and Cfx.re to one account and use any of them to sign in:

  • A given provider identity can only be linked to one Joely account.
  • Unlinking requires your password (if set) and is refused when it would leave the account with no way to sign in.

Sessions

Sessions last 30 days, with at most 10 active sessions per account (opening an 11th closes the oldest). Logging out only ends the current session.

Deleting your account

From the profile settings, type your email address to confirm (plus your password if you have one). Deletion is immediate and permanent, and removes every project you own, including all of its tickets, messages, and settings. Projects where you are a member but not the owner are unaffected.
