The Account settings page covers identity and access:
- Email - used for login and notifications.
- Password - stored as a bcrypt hash; changing it replaces the hash but does not invalidate other sessions. Revoke those separately under Session management.
- Two-factor authentication (TOTP) - strongly recommended. Add via Google Authenticator, 1Password, or any TOTP app.
After enabling 2FA
Every login requires the 6-digit code. We don't store the secret in plaintext - it's encrypted at rest. If you lose the seed (the TOTP secret held in your authenticator app), contact support; recovery requires identity verification.
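How a server checks the 6-digit code, as an added example that is not this service's own code: it is the standard TOTP algorithm (RFC 6238), which is why any TOTP app works. The 30-second step, SHA-1, and the one-step drift window are assumptions (common authenticator defaults), and the seed is the constructed RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct


def decode_seed(b32: str) -> bytes:
    """Decode the base32 seed an authenticator app stores (spaces/case ignored)."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, now: float, step: int = 30,
           window: int = 1, digits: int = 6) -> bool:
    """Check a submitted code against the current time step +/- `window` steps.

    step=30 and window=1 are assumed defaults, not values from the page.
    """
    if len(code) != digits or not (code.isascii() and code.isdigit()):
        return False
    current = int(now) // step
    matched = False
    for counter in range(max(0, current - window), current + window + 1):
        # Constant-time compare; no early exit, so timing does not reveal
        # which step matched.
        matched |= hmac.compare_digest(hotp(secret, counter, digits), code)
    return matched


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test key, as the base32 seed an app holds.
    seed = decode_seed("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print(verify(seed, "287082", now=59))                     # current step
    print(verify(seed, "081804", now=1111111111))             # one step old
    print(verify(seed, "081804", now=1111111111, window=0))   # drift refused
```

Verification needs the raw secret as the HMAC key, so a server has to store it reversibly (encrypted) rather than as a one-way hash like a password.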
Email changes
An email change requires verification of the new address before the switch goes live. Logins stay valid on the old address until then.
Session management
Active sessions are visible on the settings page. Revoke any session you don't recognize.
