> ## Documentation Index
> Fetch the complete documentation index at: https://help.chainbook.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> Secure your Chainbook account with passwords and passkeys

Chainbook provides multiple security options to protect your account and data.

## Authentication Options

<CardGroup cols={2}>
  <Card title="Password" icon="key">
    Traditional email and password authentication.
  </Card>

  <Card title="Passkeys" icon="fingerprint">
    Modern passwordless authentication using biometrics or security keys.
  </Card>
</CardGroup>

## Password Security

### Setting a Strong Password

Your password should be:

* At least 8 characters long
* Include uppercase and lowercase letters
* Include numbers
* Include special characters

<Tip>
  Use a password manager to generate and store strong, unique passwords.
</Tip>

### Changing Your Password

<Steps>
  <Step title="Go to Settings">
    Navigate to **Settings** from the sidebar.
  </Step>

  <Step title="Find Password section">
    Locate the **Security** or **Password** section.
  </Step>

  <Step title="Enter current password">
    Verify your identity by entering your current password.
  </Step>

  <Step title="Enter new password">
    Type your new password twice to confirm.
  </Step>

  <Step title="Save changes">
    Click **Update Password**.

    <Check>
      Your password is updated. Use it on your next sign-in.
    </Check>
  </Step>
</Steps>

### Forgot Password

If you forgot your password:

1. Go to the sign-in page
2. Click **Forgot Password**
3. Enter your email address
4. Check your email for reset instructions
5. Click the link and set a new password

<Note>
  Password reset links expire after 1 hour for security.
</Note>

## Passkeys

Passkeys offer passwordless authentication using:

* Face ID or Touch ID on Apple devices
* Windows Hello on Windows devices
* Fingerprint sensors on Android devices
* Hardware security keys (YubiKey, etc.)

### Benefits of Passkeys

<CardGroup cols={2}>
  <Card title="Phishing Resistant" icon="shield">
    Passkeys can't be phished or stolen like passwords.
  </Card>

  <Card title="Convenient" icon="bolt">
    Sign in with a quick biometric scan.
  </Card>

  <Card title="Cross-Device" icon="sync">
    Passkeys sync securely across your devices.
  </Card>

  <Card title="No Password to Remember" icon="brain">
    Eliminate the need for password memorization.
  </Card>
</CardGroup>

### Adding a Passkey

<Steps>
  <Step title="Go to Settings">
    Navigate to **Settings** → **Security** or **Passkeys**.
  </Step>

  <Step title="Click Add Passkey">
    Click the **Add Passkey** button.
  </Step>

  <Step title="Authenticate">
    Your device prompts you to authenticate:

    * Use Face ID, Touch ID, or fingerprint
    * Use Windows Hello
    * Insert your security key

    <Check>
      Your passkey is registered and ready to use.
    </Check>
  </Step>
</Steps>

### Using Passkeys to Sign In

1. Go to the sign-in page
2. Click **Sign in with Passkey**
3. Authenticate with your biometric or security key
4. You're signed in immediately

### Managing Passkeys

View and manage your passkeys:

1. Go to **Settings** → **Security**
2. See list of registered passkeys
3. Each passkey shows:
   * Device type
   * When it was added
   * Last used date

### Removing a Passkey

To remove a passkey:

1. Go to **Settings** → **Security**
2. Find the passkey you want to remove
3. Click **Remove**
4. Confirm the removal

<Warning>
  If you remove your last passkey and don't have a password set, you'll need to set a password first to maintain account access.
</Warning>

## Account Recovery

### If You Have a Password

Use the **Forgot Password** flow to reset via email.

### If You Only Have Passkeys

Passkeys are tied to your devices. If you lose access to all devices:

1. Try signing in on a device where your passkey synced
2. Use your iCloud, Google, or Microsoft account recovery
3. Contact support as a last resort

<Tip>
  Set up both a password and passkeys for maximum flexibility and security.
</Tip>

## Session Management

### Active Sessions

View where your account is signed in:

1. Go to **Settings** → **Security**
2. Find **Active Sessions**
3. See list of devices and browsers

Each session shows:

* Device type and browser
* Location (approximate)
* Last activity time

### Signing Out Other Sessions

To sign out a suspicious or old session:

1. Find the session in the list
2. Click **Sign Out** next to it
3. That session is immediately terminated

<Warning>
  If you see sessions you don't recognize, sign them out and change your password immediately.
</Warning>

## Security Best Practices

<AccordionGroup>
  <Accordion title="Use a password manager">
    Password managers like 1Password, Bitwarden, or Apple Keychain:

    * Generate strong, unique passwords
    * Securely store your credentials
    * Auto-fill login forms
    * Sync across devices
  </Accordion>

  <Accordion title="Enable passkeys when possible">
    Passkeys are more secure than passwords because:

    * They can't be guessed or cracked
    * They're resistant to phishing
    * They don't work on fake websites
  </Accordion>

  <Accordion title="Review sessions regularly">
    Periodically check your active sessions:

    * Sign out sessions you don't recognize
    * Sign out old devices you no longer use
    * Report suspicious activity to support
  </Accordion>

  <Accordion title="Keep your email secure">
    Your email is used for password resets:

    * Use a strong, unique email password
    * Enable two-factor authentication on your email
    * Don't share email access with others
  </Accordion>

  <Accordion title="Be careful with shared computers">
    On shared or public computers:

    * Always sign out when done
    * Don't save passwords in the browser
    * Use private/incognito browsing
    * Consider using passkeys instead of typing passwords
  </Accordion>
</AccordionGroup>

## Data Security

### Encryption

* **In transit**: All data encrypted with TLS 1.3
* **At rest**: Database encrypted with AES-256
* **Passwords**: Hashed with bcrypt (never stored in plain text)

### Access Control

* Only you and invited collaborators can see your data
* Chainbook staff cannot access your data without permission
* No data is shared with third parties

### Infrastructure

* Hosted on enterprise-grade cloud infrastructure
* Regular security audits and penetration testing
* 24/7 monitoring for suspicious activity

## Reporting Security Issues

If you discover a security vulnerability:

1. Email **[security@chainbook.app](mailto:security@chainbook.app)**
2. Describe the issue in detail
3. Include steps to reproduce if possible
4. We'll respond within 24 hours

<Note>
  We appreciate responsible disclosure and may offer rewards for significant findings.
</Note>

## Frequently Asked Questions

<AccordionGroup>
  <Accordion title="Is two-factor authentication (2FA) available?">
    Passkeys provide strong authentication similar to 2FA. Traditional TOTP-based 2FA is on our roadmap.
  </Accordion>

  <Accordion title="Can I use both password and passkeys?">
    Yes, you can have both enabled. Use whichever is convenient when signing in.
  </Accordion>

  <Accordion title="What if I lose my phone with my passkey?">
    If your passkeys sync via iCloud, Google, or Microsoft, access them from another device. Otherwise, use your password to sign in.
  </Accordion>

  <Accordion title="Are my wallet private keys safe?">
    Chainbook never asks for or stores private keys. We only track public wallet addresses using publicly available blockchain data.
  </Accordion>
</AccordionGroup>
