# Account security

Source: https://docs.settlemint.com/docs/operators/user-management/account-security

Manage password, two-factor authentication, passkeys, active sessions, PIN, and recovery codes from the DALP account security page.

DALP account security settings protect your signed-in account and the wallet-verification checks attached to it. Use **Account** > **Security** to change login controls, review active browser sessions, and manage the PIN or recovery-code controls used when your account confirms wallet-sensitive actions.

The cards shown on the page depend on platform configuration and on your current wallet-verification setup. Two-factor authentication and passkeys appear when the deployment enforces two-factor authentication. Recovery codes appear after the PIN or signing setup step that applies to your account.

## What you can manage [#what-you-can-manage]

| Security control          | What it protects                                                                 | When you see it                                                   | What you can do                                                   |
| ------------------------- | -------------------------------------------------------------------------------- | ----------------------------------------------------------------- | ----------------------------------------------------------------- |
| Password                  | Username-and-password sign-in.                                                   | Always on the account security page.                              | Change your current password.                                     |
| Two-factor authentication | Sign-in with an authenticator-app code after password authentication.            | When two-factor authentication is enabled for DALP.               | Enable, verify, save backup codes, or disable with your password. |
| Passkeys                  | Account WebAuthn credentials for phishing-resistant sign-in.                     | When two-factor authentication is enabled for DALP.               | Add a passkey or delete an existing passkey from your account.    |
| Active sessions           | Browser sessions that are currently signed in to your account.                   | Always on the account security page.                              | Revoke an individual session token, or revoke all other sessions. |
| PIN                       | Wallet-sensitive actions that require PIN verification for your account.         | Always on the account security page.                              | Set up or update your PIN.                                        |
| Recovery codes            | Backup access for wallet verification recovery when your signing setup needs it. | After the PIN or signing setup step that applies to your account. | Generate, copy, download, confirm, or regenerate recovery codes.  |

Account passkeys and wallet verification are separate controls. A passkey helps you sign in. A PIN or recovery code helps DALP confirm wallet-sensitive actions after you are already signed in.

## Enable two-factor authentication [#enable-two-factor-authentication]

1. Open **Account** > **Security**.
2. On the **Two-factor authentication** card, select **Enable two-factor authentication**.
3. Enter your current password.
4. Scan the QR code with an authenticator app.
5. Enter the one-time password from the authenticator app.
6. Save the backup codes shown after verification, then select **Done**.

Keep the backup codes somewhere safe. They are shown during setup so you can recover access if the authenticator device is unavailable.

## When two-factor authentication is required [#when-two-factor-authentication-is-required]

When a DALP deployment requires two-factor authentication, signed-in accounts without two-factor authentication are sent to the **Two-factor setup** page before continuing to protected workspace pages. The setup page uses the same authenticator-app flow as the **Two-factor authentication** card. After setup succeeds, DALP returns you to the requested workspace page or to the workspace home page.

The onboarding flow can still show deployment or organisation setup pages before two-factor authentication is configured. Wallet-sensitive signing actions remain gated by wallet verification controls, so completing account two-factor authentication does not replace the PIN or recovery-code checks used for those actions.

To disable two-factor authentication later, use the same card and confirm the change with your password.

## Manage passkeys [#manage-passkeys]

Use the **Passkeys** card to add or remove passkeys for your account. A listed passkey shows its name and creation date. Remove passkeys you no longer recognise or use.

Adding a passkey starts the browser WebAuthn prompt for the current device or authenticator. Deleting a passkey removes that credential from your account, but it does not change your PIN, recovery codes, or wallet-signing setup.

## Review sessions and recovery options [#review-sessions-and-recovery-options]

Use **Active sessions** to check where your account is signed in. Revoke a listed session when that browser should no longer have access, or revoke all other sessions while keeping your current session active.

Use **PIN** when your account needs to set up or update PIN verification for wallet-sensitive actions.

Use **Recovery codes** when you need fresh backup codes for wallet verification recovery. In split-onboarding flows, finish the prompted PIN setup before expecting the recovery-code card to appear. If recovery codes were already confirmed during onboarding, regeneration requires your password.

## Become ready for protected actions [#become-ready-for-protected-actions]

Protected browser-session actions are the operations that need wallet verification before DALP releases the request to signing. Examples include asset lifecycle actions, transfer controls, data-feed updates, and other blockchain write operations that open a verification dialog.

A signed-in account can be provisioned, API-ready, or transaction-ready. These states are separate:

| Account state     | What it means                                                                                                             | What to do next                                                                                                                |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| Provisioned       | DALP has created or attached the account, organization membership, wallet, and identity state needed for the workspace.   | You can sign in and appear in the organization, but protected actions still need wallet security setup.                        |
| API-ready         | The account or machine credential can call the APIs it has permission to use.                                             | Use the API with the assigned scopes and roles. Interactive browser signing still needs the transaction-ready checks below.    |
| Transaction-ready | The signed-in browser session has a wallet verification method and confirmed recovery codes for wallet-sensitive actions. | Continue with protected actions that open the verification dialog, then enter the requested PIN, OTP, or unused recovery code. |

Before a protected browser-session action can continue, DALP checks both wallet-security requirements:

| Readiness check | What DALP checks                                                                                 | How to resolve it                                                                                                                |
| --------------- | ------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- |
| Signing method  | Your account has a wallet verification method for signing, such as PIN or authenticator-app OTP. | Follow the PIN or verification setup prompt shown by the verification dialog, or open **Account** > **Security** and set up PIN. |
| Recovery codes  | Your account has confirmed recovery codes for wallet verification recovery.                      | Copy, download, and confirm the recovery codes when DALP prompts for them.                                                       |

If a provisioned or API-ready user starts a protected browser action before wallet security is complete, DALP opens the missing setup step instead of the normal verification dialog. Finish the prompted security step first. DALP refreshes your account state after setup and then returns you to the verification flow. If the action still fails, reopen the action and enter the current PIN, OTP, or unused recovery code requested by the dialog.

API-key sessions do not use the interactive wallet verification dialog. Treat API keys as separate machine credentials with their own access controls.

## Related guides [#related-guides]

* [Authentication](/docs/compliance-security/security/authentication)
* [Wallet verification](/docs/compliance-security/security/wallet-verification)
* [User onboarding](/docs/operators/user-management/user-onboarding)
* [Participants hub](/docs/operators/user-management/participants-hub)
