Account security

Vectis holds the write-back credentials for every tool your workspace has connected — your PSA, RMM, backup, and billing systems. A compromised Vectis login is a master key to all of them. MFA is the single biggest reduction in account-takeover risk, so we require it on every operator account. There’s no per-user opt-out.

The first time you sign in after your account is created, you’re routed to an enrollment page. The flow:

1. Open an authenticator app. We recommend 1Password, Authy, or Microsoft Authenticator. Google Authenticator works too. Your IT team’s existing authenticator app is fine.
2. Scan the QR code shown on the enrollment page.
3. Type the 6-digit code the app shows. It refreshes every 30 seconds.
4. Save the 10 recovery codes somewhere safe. Password manager, ideally. Each code works exactly once; use them if you lose access to your authenticator app.

After entering your password, you’ll be asked for a 6-digit code from your authenticator app. If you’ve lost your device, tap “Use a recovery code” and enter one of the codes you saved at enrollment.

After 5 failed code attempts in a 15-minute window we lock your account for the rest of that window. The lockout is per-account, not global — it doesn’t affect your teammates.

There are three tiers of recovery, in order of preference:

1. Use a recovery code. Covers the common case where you stored them in a password manager at enrollment. Each code works once; regenerate a fresh set afterward (below).
2. Ask another admin to reset your MFA. Any admin in your workspace can clear your MFA from Admin → Users. You’ll be forced through enrollment again on your next login.
3. Sole-admin recovery. If you’re the only admin in your workspace AND you’ve lost your phone AND you’ve lost your recovery codes, email Vectis support from the email address on file with Stripe. We verify against your billing record before resetting — this takes a manual round-trip, so the other two tiers are always faster.

Visit Account → Two-factor authentication, enter your current authenticator code, and confirm. A fresh set of 10 codes is issued; any prior codes stop working immediately.

Regenerate after using a recovery code, after storing a code in a place you don’t want it (screenshot, email draft), or anytime the existing codes feel stale.

If your workspace has SSO enabled (Okta, Entra, Google Workspace, JumpCloud), you sign in through your identity provider — Vectis doesn’t prompt for a separate TOTP in that flow, because your IdP is enforcing its own MFA. Recovery-code and reset paths on this page are only relevant for password-login accounts (including the per-tenant break-glass admin).

The end-customer portal (the one your customers log into, not you) has its own separate auth and doesn’t use operator MFA. It’s a different risk profile — a portal user sees their own company’s data, not the keys to your stack.