Login, password & MFA
Your Bird account is protected by your password, optional multi-factor authentication (MFA), and session controls you manage yourself. This page covers the everyday tasks: changing your password, turning on MFA, and checking where you're signed in. For the technical contract behind API access, see Authentication & API keys.
Signing in
You sign in to the Bird dashboard with your email address and password, or with a connected Google or GitHub account. If MFA is enabled on your account, you'll be asked for a second factor — a code from your authenticator app, a code sent by SMS, or a recovery code — before the session starts.
Your password
Passwords must be at least 12 characters. There's no maximum length and no arbitrary complexity rules — a long passphrase works fine. Bird also checks new passwords against known data-breach lists and rejects ones that have appeared in a breach, so if a password is refused as compromised, it has been exposed somewhere before; pick a different one.
- Change your password under your profile's Security settings in the dashboard. You'll need your current password.
- Forgot it? Use the Forgot password link on the login page. Bird emails you a reset link that's valid for a short window and works only once.
Resetting your password signs you out everywhere: all of your active sessions are invalidated, so anyone holding an old session — including someone who shouldn't be — has to log in again with the new password.
Multi-factor authentication (MFA)
MFA adds a second check at login so a stolen password alone isn't enough to get into your account. Bird supports two factor types:
- Authenticator app (TOTP) — six-digit codes from any standard authenticator app (Google Authenticator, 1Password, Authy, and similar). This is the recommended option.
- SMS codes — a six-digit code sent to your phone. Available in supported countries.
Enabling an authenticator app
- Open your profile's Security settings in the dashboard.
- Choose to add an authenticator app. Bird shows a QR code (and the secret as text, if you prefer to type it).
- Scan the QR code with your authenticator app, then enter the six-digit code it generates to confirm.
When you enable MFA for the first time, Bird gives you a set of recovery codes. Save them somewhere safe — a password manager or printed copy. Each code works once and gets you into your account if you lose your phone. You can regenerate the set from the same Security settings at any time; regenerating invalidates all previous codes.
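What the confirmation step of the enrollment above checks, sketched from the server's side as an added example (not Bird's own code). It assumes the RFC 6238 defaults that standard authenticator apps use (HMAC-SHA-1, 30-second step); the one-step drift window, the replay check and all function names are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumption: RFC 6238 default time step
DIGITS = 6         # six-digit codes, as described on this page
# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the typed-in text form of the secret (spaces and case ignored)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding some UIs strip
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, unix_time: int) -> str:
    """The code an authenticator app displays at unix_time."""
    return hotp(decode_secret(secret_b32), unix_time // STEP_SECONDS)


def verify_totp(secret_b32, submitted, unix_time, drift_steps=1, last_used_step=None):
    """Return the matched time step, or None if the code is rejected.

    Tolerates +/- drift_steps of clock skew, compares in constant time, and
    refuses any step at or before last_used_step so a seen code cannot be replayed.
    """
    if len(submitted) != DIGITS or not (submitted.isascii() and submitted.isdigit()):
        return None
    key = decode_secret(secret_b32)
    current = unix_time // STEP_SECONDS
    matched = None
    for step in range(max(0, current - drift_steps), current + drift_steps + 1):
        same = hmac.compare_digest(hotp(key, step), submitted)
        if same and (last_used_step is None or step > last_used_step):
            matched = step
    return matched
```

Storing the returned step as `last_used_step` after a successful login is what makes each code single-use within its validity window.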
Removing a factor
You can remove an enrolled factor from the same Security settings. If you remove your last verified factor, MFA is switched off for your account entirely — logins go back to password only, so only do this deliberately.
Social login (Google & GitHub)
You can sign up for and sign in to Bird with a Google or GitHub account instead of a password. If a social account's verified email matches an existing Bird account, signing in links the two — and Bird emails the account owner so an unexpected link doesn't go unnoticed. You can also connect or disconnect Google and GitHub from your existing account under your profile's Security settings.
Active sessions
Your profile's Sessions page in the dashboard lists everywhere you're currently signed in — each session with its device/browser details, and your current session marked. If you see a session you don't recognize, sign it out from that page; you can also sign out all other sessions in one click. A signed-out session is invalid immediately.
Sessions also expire on their own: after roughly two days without activity, and after two weeks at the longest regardless of activity.
Security notification emails
Bird emails you when something security-relevant changes on your account, so unexpected activity is visible even if you weren't the one acting:
- Password changed — sent after a password change or reset.
- MFA enabled — sent when two-factor authentication is first enabled on your account.
- Social account linked — sent when a Google or GitHub identity is connected to your account.
If you receive one of these and didn't make the change, reset your password immediately and review your active sessions and the audit log.
Related
- API key management — credentials for apps, not people
- Audit log — who changed what, when
- Authentication & API keys — the developer reference