Security
Two-factor authentication, passkeys, and sessions.
Your Warmbly account is the control panel for every mailbox, campaign, and contact you manage, so keeping it locked down matters. This guide covers the account security tools you control yourself: two-factor authentication, passkeys, and active sessions.
You will find all of these under Settings, then Security. Everything here is about signing in to Warmbly. For authenticating the domains you send from (SPF, DKIM, DMARC), see Deliverability and your individual mailbox settings instead.
How signing in works
Warmbly's sign-in flow has a few steps, and which ones you see depends on how you have secured your account.
A normal password sign-in goes like this:
- Enter your email address.
- Enter your password.
- Enter the 6-digit code we email you to confirm it is really you.
- If you have two-factor authentication turned on, enter a code from your authenticator app.
So with two-factor enabled, a password sign-in uses three separate factors: your password, the emailed code, and your authenticator code.
A passkey sign-in is different. A passkey replaces the password and the emailed code in one step: you pick your passkey, unlock it with your device (Touch ID, Face ID, Windows Hello, or a security key), and you are in. There is no password to type and no email code to wait for.
Passwordless by design
Because a passkey is tied to your device and unlocked with biometrics or a device PIN, signing in with one already proves both "something you have" (the device) and "something you are or know" (the unlock). That is why a passkey sign-in does not also ask for the emailed code.
You can also sign in with Google or Apple if you connected your account that way.
Two-factor authentication (2FA)
Two-factor authentication (also called TOTP) adds a one-time, 6-digit code to every password sign-in. The code is generated by an authenticator app on your phone and changes every few seconds, so even if someone learns your password they cannot get in without your device.
What you need
Any standard authenticator app works, for example:
- Google Authenticator
- 1Password
- Authy
Turning it on
From Settings, then Security, find Two-factor authentication and select Enable 2FA. A short setup wizard walks you through three steps:
- Add the secret. Warmbly shows you a setup secret. Copy it and add it to your authenticator app as a new account. Once it is added, select I've added it.
- Confirm a code. Your authenticator app now shows a rotating 6-digit code. Enter it to prove the app is set up correctly. Warmbly verifies it as soon as you finish typing the six digits.
- Save your recovery codes. Warmbly shows you a set of one-time recovery codes. Save these somewhere safe (a password manager is ideal). You must tick the "I've saved these somewhere safe" box before you can finish.
Recovery codes are shown only once
Your recovery codes are displayed a single time during setup and will not be shown again. Each code works only once. They are your way back in if you ever lose access to your authenticator app, so store them somewhere safe before you close the wizard. You can use the Copy all button to grab them all at once.
The login challenge
After 2FA is on, every password sign-in adds one extra screen. Once you pass the emailed code step, Warmbly asks for your authenticator code on a Two-factor authentication screen.
- Enter the 6-digit code from your authenticator app. It submits automatically once all six digits are in.
- If you do not have your authenticator app, select Use a recovery code and enter one of the codes you saved during setup. Each recovery code works only once.
Turning it off
In Settings, then Security, select Disable next to two-factor authentication. To confirm it is really you, Warmbly asks for a current authenticator code or one of your recovery codes before turning 2FA off.
Disabling 2FA lowers your protection
With 2FA off, your account is protected only by your password plus the emailed code. If you set up 2FA again later, you will get a fresh secret and a new set of recovery codes; any old recovery codes stop working.
Passkeys
A passkey lets you sign in with the same thing you use to unlock your device: Touch ID, Face ID, Windows Hello, or a hardware security key. There is no password to type and no email code to wait for, and there is nothing to phish, because the credential never leaves your device.
Passkeys need a recent browser. Current versions of Chrome, Safari, Edge, and Firefox all support them. If your browser does not, Warmbly tells you on the Security page and you can keep using your password.
Adding a passkey
From Settings, then Security, under Passkeys, select Add a passkey. Your browser or device prompts you to confirm with biometrics, a PIN, or a security key. Once it is created, Warmbly drops you straight into naming it so you can label it something memorable, for example "MacBook Touch ID" or "YubiKey".
You can add more than one passkey, which is useful for covering each device you sign in from.
A passkey that syncs through your platform account (for example an iCloud Keychain or Google Password Manager passkey) is marked Synced, meaning it is available on your other signed-in devices too.
Managing passkeys
Each passkey in the list shows when it was added and when it was last used. You can:
- Rename a passkey with the pencil icon.
- Remove a passkey with the trash icon. You will be asked to confirm, since a removed passkey can no longer be used to sign in.
Signing in with a passkey
On the sign-in screen, enter your email and choose the Passkey option (on supported devices your browser may also offer your passkey automatically as you focus the email field). Confirm with your device, and you are signed in, no password or email code required.
No passkey on this device?
A passkey lives on the device it was created on (unless it is a synced passkey). If you try a passkey on a device that does not have one, Warmbly simply tells you none was found and you can sign in with your password instead, then add a passkey for that device afterward.
Active sessions
A session is a device that is currently signed in to your account. The Sessions area under Settings, then Security lists every active session so you can spot anything you do not recognize.
Each session shows:
- the device, for example the browser and operating system (
Chrome on macOS) - the location it is signed in from, where known
- how you signed in on that device: Email, Google, Apple, or Passkey
- when it was last active
The device you are using right now is tagged This device.
Signing out a session
If you see a session you do not recognize, sign it out:
- Select Sign out next to any session that is not your current device. That device will need to sign in again.
- To clear everything except where you are now, select Sign out other sessions. Every device except this one is signed out.
If something looks wrong
If you spot a session you do not recognize, sign it out, then change your password and make sure two-factor authentication is on. Signing out other sessions is the fastest way to cut off access from a device that should not have it.
Changing your password
Change the password you sign in with from Settings, then Security, under Password. You will be asked for your current password, then a new one. New passwords must be at least 12 characters with upper and lower case and a number. Accounts that only ever sign in with Google, Apple, or a passkey have no password to change.
Changing your password signs out every other device automatically, so it is a complete way to cut off a session you do not recognize. The device you change it on stays signed in.
Sign-in alerts
Warmbly can notify you when your account is accessed from a device you have not used before (a new browser and operating system combination). The alert tells you the device and, where known, the location, with a reminder to change your password and sign out other sessions if it was not you.
Sign-in alerts are a notification category: they appear in your in-app feed by default, and you can also receive them by email. Turn email on under Settings, then Notifications, in the Security section and the Email channel. Your very first sign-in is not alerted, since there is no earlier device to compare against.
Putting it together
For the strongest account protection:
- Add at least one passkey so day-to-day sign-in is both fast and phishing-resistant.
- Turn on two-factor authentication and store your recovery codes in a safe place, so password sign-ins still have a second factor.
- Review your sessions now and then, and sign out anything unfamiliar.