Account Security

Protect your Hunch account with additional security features.

Two-Factor Authentication (2FA)

Add an extra layer of security to your account using time-based one-time passwords (TOTP).

Why Use 2FA?

Two-factor authentication significantly reduces the risk of unauthorized access:

  • Requires both your password and a verification code
  • Protects against phishing attacks
  • Secures your account even if your password is compromised

Supported Authenticator Apps

Hunch works with any TOTP-compatible authenticator app:

  • Google Authenticator (iOS / Android)
  • Authy (iOS / Android / Desktop)
  • 1Password (iOS / Android / Desktop)
  • Microsoft Authenticator (iOS / Android)
  • Bitwarden (iOS / Android / Desktop)
  • Any other TOTP app

Setting Up 2FA

  1. Log in to your Hunch dashboard
  2. Navigate to Settings
  3. Scroll to the Two-Factor Authentication section
  4. Click Configure MFA
  5. Scan the QR code with your authenticator app
  6. Enter the 6-digit verification code
  7. Click Verify & Enable

Manual Setup

If you cannot scan the QR code:

  1. Click Can't scan QR code? on the setup screen
  2. A manual entry key will be displayed
  3. Enter this key manually in your authenticator app
  4. Enter the verification code
  5. Click Verify & Enable

Using 2FA

After enabling 2FA:

  1. Enter your email and password as usual
  2. When prompted, open your authenticator app
  3. Enter the 6-digit code shown for Hunch
  4. Complete login

Disabling 2FA

To disable two-factor authentication:

  1. Go to Settings
  2. Navigate to Two-Factor Authentication
  3. Enter your current 6-digit verification code
  4. Click Disable

Warning: We recommend keeping 2FA enabled for maximum security. Only disable if absolutely necessary.

Common Issues

Codes not working:

  • Ensure your device time is synchronized
  • Try the next code in sequence
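
Why device time matters for these codes, as an added example (not Hunch's code): an RFC 6238 TOTP generator and verifier run against the RFC's published test secret, with the phone clock running fast. The acceptance window of one step either side is an assumption; the tolerance Hunch applies is not stated on this page.

```python
import base64, hashlib, hmac, struct

STEP = 30      # seconds per code, the RFC 6238 default
DIGITS = 6     # code length shown by the authenticator app

def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given moment in time."""
    # Manual entry keys are often shown in spaced, lowercase groups.
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = int(unix_time) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, code: str, server_time: float, window: int = 1) -> bool:
    """Accept codes for the current step and `window` steps either side.
    The window size is an assumption, not a documented Hunch setting."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + i * STEP), code)
        for i in range(-window, window + 1)
    )

# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def demo(server_time: int = 1111111109):
    """Map phone clock drift (seconds fast) to (code, strict match, windowed match)."""
    results = {}
    for drift in (0, 25, 90):
        code = totp(SECRET, server_time + drift)
        results[drift] = (
            code,
            verify(SECRET, code, server_time, window=0),  # exact step only
            verify(SECRET, code, server_time, window=1),  # one step of tolerance
        )
    return results

if __name__ == "__main__":
    for drift, (code, strict, tolerant) in demo().items():
        print(f"phone +{drift:>2}s  code={code}  strict={strict}  window=1: {tolerant}")
```

A drift of 25 seconds already puts the phone in the next 30-second step, so a verifier with no tolerance rejects a code that the app shows as valid.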

New device setup:

  • Reconfigure MFA from Settings after signing in
  • Keep a second authenticator enrollment path in your internal access process if you require MFA for admins

IP Allowlist

Restrict access to your Hunch dashboard to specific IP addresses.

When to Use IP Allowlist

  • Limit access to office networks
  • Comply with security policies
  • Prevent unauthorized access from unknown locations
  • Add an extra layer of protection

Setting Up IP Allowlist

  1. Go to Settings
  2. Find the IP Allowlist section
  3. Enter an IP address (e.g., 192.168.1.1)
  4. Add a description (optional)
  5. Click Register IP Address

IP Address Formats

Format      Example          Description
Single IP   192.168.1.1      Specific address
CIDR Range  192.168.1.0/24   Network range
IPv6        2001:db8::1      Specific IPv6 address

Managing Allowed IPs

Adding IPs:

  • Enter IP address and optional description
  • Click Add
  • Changes take effect immediately

Removing IPs:

  • Click the trash icon next to the IP
  • Confirm removal
  • Access is revoked immediately

Important Notes

  • If you lock yourself out, contact support
  • Prefer testing allowlists with a second active session before tightening access broadly

Session Management

Email verification

New password-based signups must verify their email before sign-in. If the verification link expires, the user can request a new verification email from the login flow.

Viewing Active Sessions

Your settings page shows recent activity including:

  • Login timestamps
  • IP addresses used
  • Device information

You can revoke:

  • a specific session
  • every other active session

Enterprise session policy

Workspace owners can enforce stronger session policy, including:

  • require SSO
  • allow or block password login
  • enforce a single active session
  • require MFA for admin users
  • set access-token lifetime
  • set idle timeout
  • set refresh-token lifetime
  • restrict login to allowed email domains
  • enforce IP allowlists at the policy layer

For the full enterprise feature set, see Enterprise Auth and Sessions.

Security Recommendations

  1. Enable 2FA - Strongest protection
  2. Use IP Allowlist - Restrict access to known networks
  3. Review sessions - Check for unauthorized access
  4. Use strong passwords - Minimum 12 characters
  5. Use individual accounts - Invite teammates instead of sharing credentials

Password Requirements

  • Minimum 8 characters
  • Mix of uppercase and lowercase
  • Include numbers and symbols
  • Don't reuse passwords from other services

Tip: We recommend enabling MFA for all operators, especially anyone with billing, team management, website publishing, or admin access.