Password, 2FA & sessions.

Change your password, turn on two-factor, and sign devices out. One thing to know first: there are no backup codes yet, so choose your authenticator carefully.

Everything on Settings → Security, and one warning worth reading before you turn two-factor on.

Changing your password

Enter your current password, then a new one of at least 8 characters. That's the whole flow.

If you signed up with Google or LinkedIn you don't have a password to change — you sign in through them, and their security settings are what protect your account.

Two-factor authentication

Two-factor means that even if someone has your password, they can't get in without your phone. On a tool that holds your competitive intelligence and your API keys, it's worth the ninety seconds.

1

Hit “Enable 2FA”

We show you a QR code and the secret behind it.

2

Scan it with an authenticator app

Google Authenticator, 1Password, Authy, Bitwarden — any of them. Can't scan? Type the secret in by hand instead; it's shown right under the code.

3

Enter the 6-digit code

Your app generates a fresh one every thirty seconds. Type the current one and hit Verify & enable.

From then on, signing in asks for a code after your password. If the code is rejected, it's almost always because the one you typed has just expired — wait for the next one.

There are no backup codes

// READ THIS BEFORE YOU ENABLE 2FA

ScoutRival doesn't issue recovery codes yet. If you lose your authenticator app, you cannot get back into your account on your own — you'll need to contact support and prove who you are.

So before you turn it on, do one of these:

  • Use an authenticator that syncs — 1Password, Bitwarden and Authy all back your codes up to the cloud, so a lost phone isn't a lost account. This is the easy answer.
  • Or save the secret. The text string shown next to the QR code is the key. Put it in your password manager and you can re-add ScoutRival to a new authenticator any time.

Recovery codes are on our list. Until they land, the two workarounds above are what stands between you and a support ticket.

Active sessions

Every device signed into your account is listed — browser, operating system, and country. Your current one is marked this device.

Anything you don't recognise, hit Revoke. That signs it out immediately. If you're revoking something suspicious, change your password afterwards too — revoking a session doesn't stop someone who still knows your password from signing back in.

Where your API keys live

If you've connected your own AI provider under AI Models, here's what happens to that key:

  • It's encrypted before it's stored, using AES-256-GCM.
  • It's kept separately from the rest of your account data, in a store only our servers can read.
  • It is never sent back to your browser, and never shown again after you paste it. The app only ever displays a masked version — the first few characters and the last four.
  • It's used only to call the provider you connected it to, for the tasks you routed to it.

Disconnect deletes the key immediately and un-routes it from everything. Generation falls back to ScoutRival's included AI.

The same encryption protects your WordPress application password and your Google Search Console connection.

Still stuck?
Contact support