Account & security

Authenticator app (TOTP) is more secure because codes are generated offline on your device. Email codes are easier to set up. Either is much better than no 2FA.

No. Your account email is permanent. If you need a different email, the only path is to delete the account and sign up again with the new address.

Yes. Valid Email Checker lets you enable both methods independently. With both on, the sign-in prompt defaults to the authenticator app with a Use Email Instead link, giving you a fallback channel if your phone is unreachable.

No. Account deletion physically removes auth, profile, credits, sessions, and 2FA settings in the same transaction. Backups are kept for disaster recovery only and are never restored to undo a user-initiated deletion. Sign up fresh with the same email if you want back in.

Yes. The signup and login pages both have a Continue with Google option that creates or authenticates the account via Google OAuth.

Permanently delete your Valid Email Checker account from Account Settings → Profile. Removes all data, credits, history, and subscriptions. Confirm by typing DELETE. Cannot be undone.

City and country come from IP geolocation via ipinfo.io. Country is usually right; city is approximate. Residential IPs map well (~85%), mobile and VPN traffic much less so. Treat the field as a rough indicator, not GPS coordinates.

Passwords are hashed via Supabase Auth (which uses bcrypt). We never store plain text. Sessions use signed JWTs. 2FA + password manager + Google SSO are all available for stronger account security.

Account Settings → Security → Change Password. Enter current password, then new password (min 8 characters), then confirm. No email round-trip needed.

Account Settings → Security, click the enabled 2FA method, type DISABLE (case-sensitive) in the confirmation, and 2FA is removed.

Turn on 2FA from Account → Security. You can use any TOTP app (Google Authenticator, Authy, 1Password, Bitwarden) or have the codes emailed to you.

If you see a session you do not recognize, change your password, enable 2FA, terminate the rogue session from Account Settings → Security, then email support@validemailchecker.com with the row details. We pull the full server-side history and review.

Click "Forgot password" on the login page. We send a reset link to your account email. The link works for one hour and can only be used once.

Account Settings → Security → Active Sessions. Shows your current session plus terminated past sessions (device, browser, OS, location, IP).

Valid Email Checker uses a single-active-session model — signing in on a new device automatically signs you out of the previous one. To force-log-out, just sign in fresh from your trusted device.

Enable the authenticator-app method first while email 2FA is still active, confirm a TOTP code, then disable email 2FA from the same Security tab. This avoids the brief window where you have no 2FA on at all.

Auth, profile, sessions, credits, 2FA, and API keys go in the same second you confirm deletion. Verification result rows and uploaded CSV files persist for data_retention_days (default 15 days) before the GDPR cleanup job physically purges them.

Use one of the backup codes you saved when enabling 2FA. Each code works once. If you have no backup codes, email support@validemailchecker.com for manual identity verification.

Update your name, phone, address, and control which notification emails you receive (verification complete, payment receipts, low-balance alerts). Your account email cannot be changed.

Change your password, enable 2FA via authenticator app or email, and review active sessions. Only one session is active at a time — new logins terminate previous ones.

Can't sign in? Wrong password, missing 2FA, locked out, or seeing unexpected logout? Each symptom mapped to its cause, with the recovery path that actually works in the current code.

Reset email never arrived? Reset link says 'expired'? Set a new password but old one still works? Each symptom mapped to its actual cause and the right next step.

Backup codes are one-time recovery codes generated when you enable 2FA. Use them to sign in if you lose access to your authenticator. Save them somewhere safe and offline.

Each backup code is single-use. When you have burned through them, sign in normally with your authenticator, disable and re-enable 2FA, and a fresh set of 10 codes is minted. Do not wait until you are locked out to regenerate.

The Active Sessions list at Account Settings → Security shows every device that has ever signed into your Valid Email Checker account — device name, browser, OS, IP, city, and country. Locations come from ipinfo.io geolocation against the session IP.

Account deletion runs the delete_user_account RPC which removes auth records, profile, integrations, API keys, login history, and 2FA settings immediately. Verification results queue for GDPR cleanup and are physically purged within 15 days.

You can't. Valid Email Checker shows backup codes exactly once — at the moment you enable authenticator-app 2FA. They are stored hashed and never re-displayed. If you lost them, the path is to disable and re-enable 2FA, which mints a fresh set.

VEC records every login attempt server-side in the login_history table but does not yet expose a Login History page in the dashboard. The closest user-facing view is Account Settings → Security → Active Sessions, which shows current and terminated sessions.

Valid Email Checker re-prompts for your 2FA code on high-risk actions — saving payment processor settings, large credit operations, irreversible changes — even when you are already signed in. The fresh proof closes a hijacked-session attack window.

Repeated wrong codes on the 2FA verification step trigger a 15-minute lock after 5 failed attempts. The lock applies per account, not per IP. Wait it out or use a backup code; resetting the password does not bypass the 2FA lockout.

VEC tags a successful login as suspicious internally when it comes from a device name we have not seen in your recent login history. Country and subnet changes also trigger a security email. The flag drives alerting, not blocking.

The handle-password-reset function returns success whether or not the email matches a real account (intentional, for privacy). If it does match, the email goes out within seconds. Spam folders, mistyped addresses, and corporate filters are the usual culprits when nothing arrives.