
Account security settings
Use password controls, two-factor authentication, access logs, active sessions, and account deletion safely.
Account security controls protect your sign-in, not workspace membership
Use Account security settings when you need to change how your ALLO account signs in, review where the account is active, remove sessions from devices you no longer trust, turn on two-factor authentication, or delete the account completely.
This area is personal. It belongs to the signed-in account, not to one workspace. Signing out a device does not remove a teammate from a workspace. Turning on two-factor authentication does not make you a workspace admin. Deleting an account is much larger than leaving a workspace. Treat it as an irreversible account-level action.
For workspace-wide security rules, such as allowed email domains, file extension restrictions, and required two-factor authentication, use Workspace security settings.
Availability
| Item | Details |
|---|---|
| Available on | All plans. Some security requirements can also be controlled by a workspace policy. |
| Available for | Web app and desktop app. Mobile can sign in and receive notifications, but some security administration is best handled on web or desktop. |
| Who can use it | The signed-in account owner. |
| Admin required | No for personal security settings. Workspace admin permission is required for workspace-level security policies. |
| Best place to start | Account menu → Profile Settings → Security. |
Open account security settings
Open your account menu from the top-right profile/avatar area, choose Profile Settings, then open Security. This is the same personal settings area where you can review password controls, access logs, active sessions, two-factor authentication, and destructive account actions when they are available.
If you cannot open Profile Settings because sign-in fails, start with When you can't log in. If you can sign in but cannot open a specific workspace, project, or canvas, use When you can't access work before changing personal security settings.
What the Security page controls
| Control | Use it when | What to remember |
|---|---|---|
| Password | You want to set a password, change an existing password, or recover password login. | Accounts controlled by Google, Apple, Microsoft, SSO, or another identity provider may not expose local password editing. |
| Two-factor authentication | You want an authenticator app code in addition to normal sign-in. | Save backup codes somewhere safe. They are for recovery when your authenticator device is unavailable. |
| Access logs | You want to review recent sign-in activity. | Location and device details are useful hints, not perfect proof. VPNs and corporate networks can make locations look different. |
| Active sessions | You want to see signed-in browsers, desktop apps, and mobile apps. | Use Manage active sessions before deleting an account or changing workspace membership. |
| Sign out all devices | You want every active session to require sign-in again. | This includes the current device. Use it only when you are ready to sign in again from a trusted device. |
| Delete account | You want to permanently remove your ALLO account. | This is not the same as leaving one workspace. Read Delete your account first. |
Password and sign-in method
Password controls are available when ALLO owns the password for your account. If your account signs in with email and password, Security can let you change the password. If your account does not have a saved password yet, ALLO may send a setup or reset email so you can create one.
If your account signs in through Google, Apple, Microsoft, SSO, or another managed identity provider, ALLO may hide local password controls. In that case, reset or change the password through the provider. ALLO cannot bypass provider-owned security rules.
Changing a password does not automatically remove every signed-in session. After a credential change, review Manage active sessions and sign out devices you no longer trust.
Two-factor authentication
Two-factor authentication adds a second step to sign-in. ALLO uses an authenticator-app style setup: scan the QR code or enter the setup key manually, then confirm the current code from the authenticator app. When backup codes are shown, save them outside ALLO. They are meant for emergency access if your phone is lost or the authenticator app is unavailable.
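The following added example (not ALLO's code) shows how a setup key becomes the "current code" and how a server can confirm it with a small clock-drift allowance. It assumes the standard TOTP scheme from RFC 6238 with the common authenticator-app defaults (SHA-1, 6 digits, 30-second steps), which this page does not state; the key is the published RFC 6238 test secret, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test secret "12345678901234567890" in Base32.
SAMPLE_SETUP_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(setup_key_b32, at=None, step=30, digits=6):
    """Return the RFC 6238 code for a Base32 setup key at Unix time `at`."""
    # Setup keys are often displayed lowercase and in spaced groups.
    cleaned = setup_key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped Base32 padding
    key = base64.b32decode(cleaned)

    # The moving factor is the number of whole time steps since the epoch.
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()

    # Dynamic truncation (RFC 4226): 31 bits starting at a MAC-derived offset.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(setup_key_b32, submitted, at=None, step=30, drift_steps=1):
    """Accept a code from the current step or one step either side."""
    now = time.time() if at is None else at
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(setup_key_b32, now + delta * step, step)
        # Constant-time comparison; no early exit on the first match.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok
```

Anyone who holds the setup key can compute every future code, so the QR code and setup key need the same care as the backup codes.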
Before enabling two-factor authentication, make sure your email address is verified and you can still receive account recovery emails. If you use SSO or a company-managed identity provider, your organization may control multi-factor authentication outside ALLO.
Some workspaces can require two-factor authentication for members. If a workspace enforces that policy, ALLO may ask you to set up two-factor authentication before continuing into that workspace. That requirement is configured by a workspace admin in Workspace security settings.
Access logs
Access logs help you answer "was that me?" after a suspicious sign-in, a support investigation, or a device change. They show recent sign-in activity with details such as time, IP address, device or browser, and approximate location.
Use access logs as evidence, not as a courtroom transcript. A VPN, office network, mobile carrier, airport Wi-Fi, or remote browser session can make the location look surprising. The strongest signal is the combination of time, device, browser, and whether you remember signing in.
If a sign-in still looks unfamiliar, change your password or provider credentials, turn on two-factor authentication if available, and sign out unknown sessions.
Active sessions and device-limit warnings
Active sessions show where your ALLO account is signed in. Use them to remove an old browser, a lost phone, a shared computer, or a desktop app session that belongs to a device you no longer use.
If ALLO shows a device-limit warning, treat it as a session cleanup problem first. Open Security from a trusted device, review active sessions, and sign out old devices.
For the full workflow, read Manage active sessions.
Sign out all devices
Use Sign out all devices when you changed a password, lost a device, used a shared computer, or suspect the account is signed in somewhere unsafe. This ends active sessions, including the current one, so be ready to sign in again from a device and sign-in method you trust.
If you only want to leave the current browser or desktop app, use normal sign out from the account menu. See Sign out of ALLO.
Account deletion belongs at the end
Deleting an account removes the account and can also affect workspaces where you are an admin. It is not a shortcut for fixing a wrong session, a duplicate invite, a billing question, or one workspace you no longer need.
Before deleting an account, sign out old sessions, transfer ownership where needed, export or save anything your team requires, resolve billing responsibility, and check whether you should instead leave or delete one workspace. Read Delete your account and Leave or delete a workspace before continuing.
Troubleshooting security settings
| Symptom | Likely cause | What to do |
|---|---|---|
| Password controls are missing | A managed identity provider may own sign-in, or account policy may hide local password editing. | Use the provider's password reset path, or ask your organization admin which sign-in method owns the account. |
| Two-factor setup is blocked | Email verification, SSO ownership, or a temporary account state may be preventing setup. | Verify your email, refresh the Security page, and contact support if the option remains unavailable. |
| A location in access logs looks wrong | VPN, office routing, mobile network, or travel can change the apparent location. | Compare device, browser, and time before deciding it is suspicious. |
| A device keeps reappearing after sign out | That device may be signing in again, or the session list may not have refreshed yet. | Refresh the list, then change credentials if the session returns unexpectedly. |
| You used Sign out all devices and got signed out here too | The action ends every active session, including the current one. | Sign in again from a trusted device. |
| Delete account is not visible | Account deletion can be locked by account or workspace policy. | Contact support if you need to remove the account and cannot see the action. |
Related articles
- Workspace security settings
- Change profile settings
- Sign out of ALLO
- Manage active sessions
- Delete your account
- When you can't log in