# Security

The **Security** tab in Settings centralizes everything related to your sign-in, sessions, and the credentials Finora stores on your behalf.

## Password management

If you signed up with email and password, the Security tab lets you:

1. **Change your password.** Enter the current password, then a new one (12+ characters, letters and digits).
2. **Reset by email** if you've forgotten it — request a reset link from the sign-in page.

A few rules:

* Minimum 12 characters
* Must include letters and digits
* Stored hashed, never in plain text — even Finora staff can't read your password
* Never logged or shown back to you

If you use SSO only, the password section reads *"Managed by your identity provider"* and is read-only.

## Active sessions

The Security tab lists your currently active sessions:

* Device and browser
* When the session was last active
* Approximate location (best-effort, based on IP)

Click **Revoke** next to any session to sign that device out. The next request from that session will fail and require a fresh sign-in.

> **Session length:** Finora sessions last 7 days by default. After 7 days you'll need to sign in again. Revoking a session here invalidates it immediately on every device using that session.

## Revoking everything at once

If you've lost a device or suspect something's wrong, click **Revoke all sessions except current**. Every other device you've signed in with is signed out, and you stay signed in on the device you're using right now.
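The session behaviour described in the two sections above, modelled as an added example that is not Finora's own code: a server-side session table where revoking deletes the record, so the next request carrying that session fails. The `SessionStore` class and its method names are hypothetical, and treating the 7 days as an absolute lifetime measured from sign-in is an assumption.

```python
import secrets
from datetime import timedelta

SESSION_LIFETIME = timedelta(days=7)  # default session length stated on this page


class SessionStore:
    """Hypothetical in-memory server-side session table (illustration only)."""

    def __init__(self):
        self._sessions = {}  # session id -> user, device, created, last_active

    def sign_in(self, user, device, now):
        sid = secrets.token_urlsafe(32)  # unguessable random identifier
        self._sessions[sid] = {"user": user, "device": device,
                               "created": now, "last_active": now}
        return sid

    def authenticate(self, sid, now):
        """Run on every request; None means a fresh sign-in is required."""
        s = self._sessions.get(sid)
        if s is None:  # unknown or already revoked
            return None
        if now - s["created"] >= SESSION_LIFETIME:  # assumption: absolute, not sliding
            del self._sessions[sid]
            return None
        s["last_active"] = now
        return s["user"]

    def list_active(self, user, now):
        """Rows for the active-sessions list: (sid, device, last_active)."""
        return [(sid, s["device"], s["last_active"])
                for sid, s in self._sessions.items()
                if s["user"] == user and now - s["created"] < SESSION_LIFETIME]

    def revoke(self, user, sid):
        """Delete one session; only its owner may revoke it."""
        s = self._sessions.get(sid)
        if s is None or s["user"] != user:
            return False
        del self._sessions[sid]
        return True

    def revoke_all_except(self, user, current_sid):
        """Sign out every other session of this user; returns the count removed."""
        doomed = [sid for sid, s in self._sessions.items()
                  if s["user"] == user and sid != current_sid]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)
```

Because validity is checked against the server-side table on every request, a revoked session cannot be reused even if the browser still holds its identifier.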

## Stored provider credentials

The provider API keys you've saved (OpenAI, Anthropic, AWS, Cursor, Google Cloud) are stored encrypted in a secure vault. They're never shown back to you in the browser, and they're only used to read your billing data — never to make API calls or change anything in your provider account.

When you remove a provider connection from **Settings → API Keys**, the credential is deleted from the vault.

## Encryption in transit

Every Finora connection is over HTTPS / TLS. Your data is encrypted on the wire between your browser and Finora.

## Rate limiting

To protect everyone using Finora, requests are rate-limited per user. If you hit a rate limit, you'll see a brief error and a retry hint. Normal usage never hits these limits — they exist to stop runaway automated abuse.

## Two-factor authentication

Finora doesn't have its own 2FA in v1.0. The strongest path today is to use Microsoft or Google SSO and enable MFA at your identity provider — Finora honors that MFA at sign-in. Native 2FA in Finora is on the roadmap.

## Reporting a vulnerability

Email [**support@finora.services**](mailto:support@finora.services) with the subject `Security report`. We acknowledge within 24 hours. Please don't disclose publicly until we've had a chance to triage and patch.

