Account security

Manage how you sign in: your password, two-factor authentication, and password-reset email.

To open this tab, click your avatar at the bottom of the left sidebar → User preferences → Security. Security settings are stored on your user account and are shared across all your workspaces.

What's on this tab

The Security tab gives you three controls:

  • Password reset email — send yourself a password-reset link.
  • Two-factor authentication (2FA) — set up or disable 2FA for your account.
  • Change password — change your password directly from inside Harmony. (This option is hidden if your account signs in via Google — change your Google password instead.)

Change password

If your account signs in with a Harmony password:

  1. Open User preferences → Security.
  2. Enter your Current Password.
  3. Enter your New Password and Confirm New Password.
  4. Click Save Changes.

If you've forgotten your current password, use the password-reset email option instead, then sign back in with the new one.

Two-factor authentication (2FA)

2FA adds a second layer of security to your account. Even if someone steals your password, they can't sign in without the verification code generated by your mobile authenticator app.

Enable 2FA

  1. Click Enable 2FA in the right-hand panel.
  2. Confirm in the dialog by clicking the dark Enable 2FA button.
  3. The setup modal opens with a QR code and a list of backup codes.
  4. Open your authenticator app (Google Authenticator, Authy, Microsoft Authenticator, 1Password, etc.) and scan the QR code.
  5. The app generates a 6-digit code — type it into the verification field.
  6. Copy the backup codes and store them somewhere safe (e.g. your password manager). They are the only way to regain access if you lose the device with the authenticator app.
  7. Click Verify to activate 2FA.

After 2FA is enabled, you'll be asked for a 6-digit code from your authenticator every time you start a new session.

Disable 2FA

Click Disable 2FA on the Security tab and confirm. Once disabled, sign-in only requires your password — make sure you still have a strong, unique password before doing this.

What's not on this tab

  • Active sessions (other devices currently signed in) live on the Sessions tab.
  • Sign-in method (password vs. Google) is determined when your account is created — if you need to switch, contact support.
  • Workspace-level security (SSO/SAML, SCIM, audit logs) is configured separately as part of an enterprise contract, not from the personal Security tab.