Protect your account

Your Falix account holds every server you own — and its password is also your SFTP login. Here's how to lock it down: a strong password, two-factor authentication, passkeys, and knowing what your active sessions page can do.

Your Falix account is the master key to every server you own. If someone gets into it, they get into all of them — files, databases, the lot. The good news: locking it down takes about ten minutes, and this guide covers the whole job — a strong password, two-factor authentication, passkeys, and the sessions page that shows you who's logged in.

At a glance
You need your Falix account
Plan any — all of this is free
Time ten minutes
Where your Profile pages: password and 2FA under Settings, plus Sessions and Passkeys

Your password does double duty

Start here, because this one's easy to miss: your Falix account password is also your SFTP password. The same password you log in with is what an SFTP client uses to reach your server files (see Connecting over SFTP). There's no separate SFTP credential — so a weak account password is a weak file-transfer password too.

That makes the basics matter more than usual:

  • Long and unique. A password you don't use anywhere else, long enough that it isn't guessable. A password manager makes this painless.
  • Signed up with Google or Discord? Then you may not have a password set at all — and you'll need one before SFTP works. Set it on your profile settings; the SFTP page will also nudge you to it if it's missing.

⚠️ Heads up: Changing your password signs you out on every device and issues a fresh session everywhere. That's on purpose — if you ever suspect someone else is in, changing your password is the fastest way to kick them out of all sessions at once.

Turn on two-factor authentication

Two-factor authentication (2FA) means a password alone isn't enough to log in — you also need a code from your phone. It's the single biggest upgrade to your account's safety.

Falix uses authenticator-app 2FA (the standard TOTP kind — Google Authenticator, Authy, 1Password, and the like). To turn it on, open the 2FA setup from your profile:

  1. Scan the QR code with your authenticator app — or type the shown secret in by hand.
  2. Enter the 6-digit code the app generates to confirm it's linked.
  3. Falix shows you a backup recovery code — a one-time string, displayed once. Save it somewhere safe (not on the same phone). It's how you get back in if you lose the authenticator.

That's it — from now on, logging in asks for your app's current code. You can turn 2FA off again from the same profile area if you ever need to.

💡 Tip: Store the backup code in your password manager the moment it's shown. If you lose your phone and your backup code, getting back in becomes a support problem instead of a ten-second one.

Passkeys — the passwordless option

Falix also supports passkeys (the WebAuthn standard): a fingerprint, face unlock, or a hardware security key stands in for typing a password. Add one from the Passkeys page in your profile — you give it a name, and your device does the rest. Each passkey shows when it was added and last used, and you can remove one anytime. Passkeys are a strong, phishing-resistant way in; add one as a second method even if you keep app-based 2FA.

What 2FA actually protects

Once 2FA is on, it doesn't only guard the login screen. Falix re-asks for your code before sensitive actions, so even someone at an already-open session can't quietly do damage. The ones worth knowing:

Sensitive action With 2FA on…
Adding or removing an SSH key (SFTP) asks for your 2FA code
Any sub-user change (inviting, editing, removing) asks for your 2FA code
Requesting account deletion asks for your 2FA code

The theme: anything that changes who can reach your servers gets a second check. This is exactly why turning 2FA on is worth the ten minutes — it hardens the actions that matter most.

Check who's logged in

Your profile has a Sessions page that lists every place your account is currently signed in. For each session it shows the device (desktop, mobile, tablet), the browser, an approximate location, and the IP address — with a badge marking the one you're using right now.

Two controls keep you in charge:

  • Terminate a session — sign out one specific device. Useful if you spot a login you don't recognise, or you left yourself signed in on a shared computer. (You can't end your current session here — use normal logout for that.)
  • Sign out everywhere else — one button ends every session except the one you're on. Pair it with a password change if you think your account was touched.

🎯 Good to know: Seeing a session you don't recognise is your cue to act: terminate it, sign out everywhere else, then change your password (which also ends all sessions) and make sure 2FA is on.

A five-minute security checklist

  1. Set a long, unique password (remember: it's your SFTP password too).
  2. Turn on 2FA and save the backup code off-device.
  3. Add a passkey as a second method.
  4. Glance at your Sessions page — end anything you don't recognise.
  5. Never put your password or 2FA codes in a Discord message, a repo, or a support ticket. Real staff never ask for them.

Troubleshooting

  • SFTP rejects my password — your SFTP password is your account password, and you must have one set. If you signed in with Google/Discord and never chose one, set it in your profile settings. See Connecting over SFTP.
  • Lost my authenticator — use the backup recovery code you saved when enabling 2FA. No backup code either? That's a support recovery, and it takes longer — which is the whole reason to save the code.
  • An action keeps asking for a 2FA code — that's the protection working; sensitive changes (SSH keys, sub-users, account deletion) re-check on purpose. Enter your current app code.
  • A change logged me out everywhere — changing your password ends all sessions by design. Just log back in.

Next steps

Was this guide helpful?