> ## Documentation Index > Fetch the complete documentation index at: https://archie.com/docs/llms.txt > Use this file to discover all available pages before exploring further. # Security > Manage your password, two-factor authentication, active sessions, and connected devices for your Archie account. The security page is where you manage how you sign in and which sessions are active. Take a moment after signing up to enable two-factor authentication and review the session list. ## Changing your password Open **Account → Security** and click **Change password**. Enter your current password, then the new one. Archie signs out all other active sessions when the password changes — you stay signed in on the device where you made the change. If you signed up with Google or GitHub and never set an Archie-native password, the password section shows a **Set password** option instead. ## Two-factor authentication Two-factor authentication (2FA) adds a code from an authenticator app on top of your password. Enable it from **Account → Security → Two-factor authentication**. You scan a QR code with an authenticator app (Authy, 1Password, Google Authenticator), then enter a code to confirm. Archie generates 10 backup codes — store them in a password manager. Each code works once, in case you lose access to your authenticator. Multi-factor authentication is required on all Enterprise plans. On other plans it is optional but recommended. ## Active sessions The sessions list shows every device currently signed in to your account: device, browser, location (approximate, IP-based), and last activity. Sign out of any session you do not recognize by clicking **Sign out** next to it. **Sign out all** signs out every session including the current one. ## Connected accounts OAuth providers connected to your account (Google, GitHub) appear here with disconnect buttons. You cannot disconnect the only sign-in method on your account — set a password first, or connect another provider. ## API keys API keys for Archie itself are scoped per project, not per account, and live in [project settings](/features/backend/settings/api-keys). The security page does not manage them. ## Suspicious activity If you receive a notification about an unfamiliar sign-in, change your password immediately and sign out all other sessions. Then contact [support](/introduction/community-support/contacting-support) if you suspect your account has been accessed without your permission.