A password alone is not enough. Two-factor authentication (2FA) blocks the large majority of remote account-takeover attempts, which depend on a stolen or guessed password; device and session hygiene cover the rest.
Even if an attacker has your password, they still need your second factor, which lives on your phone or hardware key. That small barrier is the single highest-ROI step in account security.
2FA options
- Authenticator app (recommended): Google Authenticator, Authy, 1Password. Codes are generated on the device and never travel over the phone network.
- SMS codes: vulnerable to SIM swapping and number porting; second choice, only if an app is not possible.
- Hardware key (YubiKey): the strongest option, because the key is bound to the real site and cannot be phished; recommended for admin accounts and enterprise use.
- Backup codes: one-time codes for recovery if you lose your phone; store them offline.
- Two methods at once: enrolling a second method reduces the risk of locking yourself out.
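How an authenticator app and the server agree on a code, and how backup codes stay single-use, as an added example (not Buaze's own code). It implements TOTP per RFC 6238 on top of HOTP (RFC 4226), with a one-step drift window and constant-time comparison, and stores backup codes under a salted slow hash so a database leak does not hand them out. The issuer label, the 8-code default and the account name are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 defaults used by Google Authenticator, Authy and 1Password.
STEP_SECONDS = 30
DIGITS = 6
ISSUER = "Buaze"  # assumed issuer label shown in the authenticator app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float) -> str:
    """The code the app shows at Unix time `at`: HOTP over the 30-second step number."""
    return hotp(secret, int(at) // STEP_SECONDS)


def verify_totp(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and one step either side for clock
    drift, and compares in constant time so timing does not leak partial matches."""
    step = int(at) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))


def enroll(account: str) -> tuple[bytes, str]:
    """Generate a fresh 160-bit secret and the otpauth:// URI that the QR code encodes."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{ISSUER}:{account}?secret={b32}&issuer={ISSUER}"
           f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")
    return secret, uri


# --- backup codes: single-use fallback for a lost phone ---------------------

def _hash_code(code: str, salt: bytes) -> bytes:
    # Backup codes are short (40 bits here), so store them under a slow KDF, not plain SHA-256.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


def generate_backup_codes(n: int = 8) -> tuple[list[str], dict]:
    """Returns the plaintext codes (shown to the user exactly once) and the record to store."""
    salt = secrets.token_bytes(16)
    plain = [secrets.token_hex(5) for _ in range(n)]
    stored = {"salt": salt,
              "codes": [{"hash": _hash_code(c, salt), "used": False} for c in plain]}
    return plain, stored


def redeem_backup_code(stored: dict, code: str) -> bool:
    """A code that matches an unused record is burned and accepted; anything else is rejected."""
    digest = _hash_code(code.strip().lower(), stored["salt"])
    for rec in stored["codes"]:
        if not rec["used"] and hmac.compare_digest(rec["hash"], digest):
            rec["used"] = True
            return True
    return False


def second_factor_ok(secret: bytes, stored: dict, submitted: str, at: float) -> bool:
    """What the login path checks after the password: a live TOTP code or an unused
    backup code. A stolen password alone never gets past this function."""
    return verify_totp(secret, submitted, at) or redeem_backup_code(stored, submitted)


if __name__ == "__main__":
    secret, uri = enroll("alice@example.com")  # constructed sample account
    print("scan this in the app:", uri)
    plain, stored = generate_backup_codes()
    print("backup codes (store offline):", " ".join(plain))
    now = time.time()
    print("current code accepted:", second_factor_ok(secret, stored, totp(secret, now), now))
    print("backup code accepted once:", redeem_backup_code(stored, plain[0]),
          "twice:", redeem_backup_code(stored, plain[0]))
```

The drift window is why a code still works for up to 30 seconds after it changes on the phone; widening it beyond one step buys little usability and costs security. The RFC test secret `12345678901234567890` reproduces the published vectors (code `287082` at time 59), which is a quick way to check a TOTP implementation before trusting it.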
Active sessions
Account settings list the devices currently signed in. If you see a device you do not recognize, sign out of all sessions and then change your password. It takes minutes and immediately cuts off an intruder who is already inside.
Device hygiene
Never sign in on shared or café computers. On mobile, keep the biometric lock active and do not leave panel tabs open.
Account security is not won in a single moment; it is the result of small daily choices. 2FA and session discipline are the spine of those choices.
Phishing resistance
Buaze will never ask for your password by email or Slack. If a message looks off, do not click any link; follow the steps in the incident response guide.
The 2FA and session practices in this guide count as technical security measures under GDPR and KVKK (Turkey's Personal Data Protection Law). They are key elements of the technical side of your customer-data protection responsibility.
Checklist
- 2FA enabled on every owner and admin account.
- Backup codes stored safely.
- Monthly active session check.
- No sign-in on shared devices.
- Mobile biometric lock active.
- Annual phishing simulation.
- Departed staff sessions force-ended.
FAQ
What if I lose my 2FA phone?
Backup codes can sign you in. Without them, our support team can recover access via KYC; the process takes a few hours.
Is SMS 2FA enough?
Weaker than authenticator apps but far better than password-only. Move to authenticator if possible.
I have two accounts on the same device — a problem?
No. Use separate browser profiles or a private window to keep them apart. Keeping work and personal accounts clearly separated is healthy practice.
How long does a session last?
Sessions expire automatically after a fixed window. Sensitive actions may require you to re-authenticate even within a live session.
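What sits behind the "Active sessions" section above, the "Departed staff sessions force-ended" checklist item and the session-length answer here, as an added example (not Buaze's own code): a server-side session table with an "active devices" view, a sign-out-of-all-sessions operation that spares the current browser, one-way expiry on both absolute age and idle time, and a freshness gate for sensitive actions. The lifetimes, the device strings and the IPs are assumptions for illustration; the page does not state Buaze's real values.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumed policy values; the page does not state the real ones.
ABSOLUTE_TTL = 14 * 24 * 3600   # a session dies 14 days after sign-in no matter what
IDLE_TTL = 2 * 3600             # ...or after 2 hours without a request
REAUTH_MAX_AGE = 5 * 60         # sensitive actions want a password/2FA prompt from the last 5 minutes


@dataclass
class Session:
    token: str
    user: str
    device: str          # what the "active devices" list shows
    ip: str
    created: float
    last_seen: float
    last_auth: float     # last time the password/2FA was actually entered
    revoked: bool = False


class SessionStore:
    """In-memory stand-in for the server-side session table."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def _live(self, s: Session, now: float) -> bool:
        if s.revoked:
            return False
        if now - s.created > ABSOLUTE_TTL or now - s.last_seen > IDLE_TTL:
            s.revoked = True          # expiry is one-way: a stale token never comes back
            return False
        return True

    def create(self, user: str, device: str, ip: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256-bit random, unguessable session id
        self._sessions[token] = Session(token, user, device, ip, now, now, now)
        return token

    def authenticate(self, token: str, now: float) -> Optional[Session]:
        """Called on every request: returns the session if still valid and refreshes idle time."""
        s = self._sessions.get(token)
        if s is None or not self._live(s, now):
            return None
        s.last_seen = now
        return s

    def active_sessions(self, user: str, now: float) -> list[Session]:
        """What the user sees under 'active devices'; reading the list does not refresh idle time."""
        return [s for s in self._sessions.values() if s.user == user and self._live(s, now)]

    def revoke_all(self, user: str, keep: Optional[str] = None) -> int:
        """'Sign out of all sessions' (keep=the current token) or off-boarding a departed
        user (keep=None). Returns how many sessions were cut."""
        n = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked and s.token != keep:
                s.revoked = True
                n += 1
        return n

    def needs_reauth(self, token: str, now: float) -> bool:
        """Gate for sensitive actions: True if the session is dead or the last real login is too old."""
        s = self.authenticate(token, now)
        return s is None or now - s.last_auth > REAUTH_MAX_AGE

    def record_reauth(self, token: str, now: float) -> None:
        s = self.authenticate(token, now)
        if s is not None:
            s.last_auth = now


if __name__ == "__main__":
    store = SessionStore()
    t0 = time.time()
    # Constructed sample data: the owner's laptop and a device she does not recognize.
    laptop = store.create("alice", "MacBook / Chrome", "203.0.113.10", t0)
    stranger = store.create("alice", "Android / Chrome", "198.51.100.7", t0)
    for s in store.active_sessions("alice", t0):
        print("active:", s.device, s.ip)
    print("sessions cut:", store.revoke_all("alice", keep=laptop))
    print("unknown device still signed in:", store.authenticate(stranger, t0) is not None)
    print("needs re-auth for a sensitive action after 10 min:", store.needs_reauth(laptop, t0 + 600))
```

Two details matter in practice: revocation is checked on every request against the server-side table (a purely client-held expiry cannot be force-ended when someone leaves the company), and the sensitive-action gate keys on when credentials were last entered, not on when the session was last used, so a long-lived but idle session cannot silently authorize a payout or a role change.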