Step-Up Authentication (Re-entering Your Password)

What Step-Up Auth Is

When you try to cancel, change, resume, or alter your plan, the dashboard prompts you for your password — even though you're already signed in. This is step-up authentication. It's a second-factor check that protects irreversible or costly actions if your session cookie were ever captured.

Which Actions Require It

• Cancel subscription — frees the billing obligation and stops renewal.
• Change plan (upgrade / downgrade) — modifies what you're billed for.
• Resume subscription — re-activates a paused plan and its billing.
• Deactivate a device — frees a device slot on your license.
• Change email address, change password, disable TOTP, delete account — identity-level changes.

Read-only actions (viewing invoices, downloading receipts, reading cues) never prompt for step-up.

How Long Does a Step-Up Last?

After a successful password confirm, the step-up timer stays valid for 10 minutes. Additional destructive actions within that window don't re-prompt. After 10 minutes, the next destructive action re-prompts.

"NO_PASSWORD_SET" Error

If you signed up via Google, Apple, or GitHub OAuth and never set a password, the step-up flow can't challenge you. The modal shows a "Set a password first" button that takes you to Security → Add password. Set one, then return and retry the destructive action.

"ACCOUNT_LOCKED" Error

After five incorrect password attempts in a row, the account briefly locks (15 minutes) to prevent brute-force probes. Wait it out — no support contact needed. If you legitimately don't remember your password, use Forgot password on the login screen to reset.

Why Not Just TOTP?

TOTP is optional per account. Step-up via password is the baseline that every account has, which is why it's the default. If you have TOTP enabled, disabling TOTP itself requires step-up (you can't lower your own security bar without a check).

Something Off?

If a destructive action fires without prompting for step-up, or if the password modal doesn't appear when it should, write in — this would be a security bug and we'd like to hear about it immediately.