
Password & Multi-Factor Authentication (MFA)

Your Rebased sign-in is protected by two things: a password and multi-factor authentication (MFA). MFA is mandatory — you cannot use the app without it — because a single stolen password is not enough to take over an account that holds your accounting records, payroll, and bank data.

This page covers everything you can do from the sign-in screen, from your Personal profile, and (for owners and admins) from Settings → Team:

  • Change your password
  • Reset your password
  • Set up MFA
  • Regenerate recovery codes
  • Reset MFA — admin path
  • Reset MFA — self-service (24-hour) path
Change your password

If you know your current password and are signed in:

  1. Sign in as usual (including MFA).
  2. Open Personal profile from the sidebar user card.
  3. Under Security, choose Change password and follow the prompts.

Reset your password

If you cannot sign in because you do not know your password:

  1. On the sign-in screen, choose Forgot password?.
  2. Enter your Rebased email and choose Send reset link.
  3. Check your inbox. Rebased sends an email from our notifications sender with a Reset password link.
  4. Click the link. You will land on a page where you can set a new password. If the link has expired or you opened it in a different browser session, request a new one.
  5. After you save the new password, Rebased signs you out and sends you back to the sign-in screen. Sign in normally — you will still be asked for your MFA code.

Notes:

  • The reset link is single-use and expires after a short period. Request a new one if it stops working.
  • Resetting your password does not reset MFA — you still need your authenticator (or a recovery code).
  • If the email does not arrive, check your spam folder and that you are using the exact email on your account. For privacy, Rebased shows the same “email sent” message whether or not the address is on file.

Set up MFA

MFA is required for every user. The first time you sign in (or after your MFA has been reset), Rebased takes you to the MFA setup screen:

  1. Install an authenticator app on your phone if you don’t have one. Good choices: 1Password, Authy, Google Authenticator, Microsoft Authenticator.
  2. Scan the QR code Rebased shows you, or paste the secret key into the app manually.
  3. Enter the 6-digit code your authenticator generates to prove it is working.
  4. Rebased shows you a list of recovery codes. Save these somewhere safe — a password manager is ideal. Each code can be used once if you ever lose access to your authenticator app.

From then on, every sign-in asks for a fresh 6-digit code from your authenticator.

Regenerate recovery codes

If you have used some of your codes, or think they may have been seen by someone else:

  1. Go to Personal profile → Security.
  2. Choose Regenerate recovery codes.
  3. Enter a current 6-digit code from your authenticator to confirm it’s really you.
  4. Save the new codes. Old codes immediately stop working.

Reset MFA — admin path

Use this when a team member has lost their phone or reinstalled their authenticator app and cannot sign in, but at least one other owner or admin of the same business is still able to sign in.

Who can do this? Any owner or admin of the business, resetting MFA for any other active member (not themselves, and not the business owner).

  1. The admin signs in and goes to Settings → Team.
  2. Select the affected team member to open their detail page.
  3. Choose Reset MFA and confirm.
  4. Rebased deletes the user’s TOTP factor and invalidates any unused recovery codes. The next time that user signs in they are taken to the MFA setup screen and can enrol a fresh authenticator app.

Guardrails:

  • An admin cannot reset their own MFA from this screen — use the self-service path instead.
  • The business owner’s MFA cannot be reset this way. If the owner has lost access, they must use the self-service path.
  • The team member’s password is unchanged. They still need to know their password to sign in.
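The authenticator, recovery-code and admin-reset behaviour described under Set up MFA, Regenerate recovery codes and the admin path above, modelled as an added Python example. This is illustrative code, not Rebased's own; the MfaFactor class, the eight-code batch size and the choice to store only hashes of recovery codes are assumptions.

```python
import hashlib, hmac, secrets, struct

STEP, DIGITS = 30, 6   # RFC 6238 defaults: 30 s time step, 6-digit codes

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one time step; what the authenticator app shows."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class MfaFactor:
    """One user's enrolled authenticator plus their single-use recovery codes (assumed model)."""
    def __init__(self):
        self.secret = secrets.token_bytes(20)   # the value behind the QR code / secret key
        self.recovery_hashes = set()            # only hashes are stored server-side
        self.last_used_step = -1                # an accepted code cannot be replayed

    def issue_recovery_codes(self, n: int = 8):
        """Setup step 4 and 'Regenerate recovery codes': old codes stop working at once."""
        codes = [secrets.token_hex(5) for _ in range(n)]
        self.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes                            # plaintext goes to the user's password manager

    def verify_code(self, code: str, now: int) -> bool:
        """Accept the current step or one step either side, each step at most once."""
        for drift in (0, -1, 1):
            step = now // STEP + drift
            if step <= self.last_used_step:
                continue
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.last_used_step = step
                return True
        return False

    def use_recovery_code(self, code: str) -> bool:
        h = hashlib.sha256(code.encode()).hexdigest()
        if h not in self.recovery_hashes:
            return False
        self.recovery_hashes.discard(h)         # each code works exactly once
        return True

def admin_reset_mfa(actor: str, target: str, owner: str, factors: dict) -> None:
    """Settings → Team → Reset MFA, with the guardrails listed above."""
    if actor == target:
        raise PermissionError("use the self-service path to reset your own MFA")
    if target == owner:
        raise PermissionError("the business owner's MFA cannot be reset by an admin")
    factors.pop(target, None)   # removes the TOTP factor and every unused recovery code
```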

Reset MFA — self-service (24-hour) path

Use this when there is nobody else who can reset your MFA for you — for example, you are the sole owner of your business and you have lost both your phone and all your recovery codes.

Because this path can be started by anyone who knows your password and nothing else, Rebased enforces a deliberate 24-hour cooling-off period before the reset takes effect. While the timer runs, the legitimate account holder has a chance to sign in from any remembered device and cancel the reset.

Starting a reset

  1. On the sign-in screen, enter your email and password as usual.
  2. When Rebased asks for your MFA code, choose Lost your device and recovery codes?.
  3. Enter the email on your Rebased account and choose Send reset link.
  4. You will see a confirmation message. For privacy, Rebased shows the same message whether or not the email is on file.
  5. If the email is on file, Rebased sends you an email with two links:
    • Confirm reset — only works once 24 hours have passed since the request.
    • Cancel request — works immediately.

What happens in the next 24 hours

  • You can sign in normally with your password and MFA at any time during the window — the pending reset does not block sign-in.
  • Every time you open the dashboard, a banner appears warning that an MFA reset has been requested for your account, with a This wasn’t me — cancel reset button. Click it immediately if you did not start this reset. This is what makes the 24-hour window safe: a stolen password is not enough to silently disable your MFA.
  • You can also use the Cancel request link in the email.

Confirming the reset after 24 hours

  1. After at least 24 hours have elapsed, click the Confirm reset link in the email (or open /mfa-reset?token=…).
  2. Rebased verifies the request is still valid, deletes your TOTP factor and recovery codes, and clears the MFA flag on your account.
  3. Sign in with your password — you will be taken to the MFA setup screen and can enrol a fresh authenticator.

Notes:

  • A reset can be cancelled at any time up until it is confirmed. Once it is confirmed or cancelled, the link cannot be reused.
  • If the 24 hours have elapsed but you never click Confirm, nothing happens — your MFA stays in place. Request a new reset if you still need it.
  • The confirmation email is the only way to complete a self-service reset. If the email does not arrive, check spam and that the email on file is correct.
  • If you have lost access to your email as well as your phone, contact support.
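The 24-hour self-service flow above (request, cancel at any time, confirm only after 24 hours, no reuse of the link after either outcome) as an added Python model. This is illustrative code, not Rebased's own; the class, field and state names are assumptions, and the request method hands the link token back to the caller purely to stand in for the email that would carry it.

```python
import hashlib, secrets

COOLING_OFF = 24 * 60 * 60   # seconds the Confirm link stays inert after the request
SAME_MESSAGE = "If that email is on file, we have sent you reset instructions."

class MfaResetRequests:
    """Pending self-service MFA resets for a set of accounts (assumed model)."""
    def __init__(self, accounts: dict):
        self.accounts = accounts   # email -> {"mfa_enrolled", "totp_secret", "recovery_codes"}
        self.pending = {}          # sha256(token) -> {"email", "requested_at", "state"}

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()   # store a hash, not the link token

    def request(self, email: str, now: int):
        """Sign-in screen → 'Lost your device and recovery codes?'."""
        token = None
        if email in self.accounts:
            token = secrets.token_urlsafe(32)   # placed in both the Confirm and Cancel links
            self.pending[self._h(token)] = {"email": email, "requested_at": now, "state": "pending"}
        return SAME_MESSAGE, token   # identical message either way; token stands in for the email

    def banner_for(self, email: str) -> bool:
        """Dashboard warning shown while a reset is pending for this account."""
        return any(p["email"] == email and p["state"] == "pending" for p in self.pending.values())

    def cancel(self, token: str) -> str:
        p = self.pending.get(self._h(token))
        if p is None or p["state"] != "pending":
            return "invalid"           # unknown link, or already confirmed / cancelled
        p["state"] = "cancelled"
        return "cancelled"

    def confirm(self, token: str, now: int) -> str:
        p = self.pending.get(self._h(token))
        if p is None or p["state"] != "pending":
            return "invalid"
        if now - p["requested_at"] < COOLING_OFF:
            return "too_early"         # link does nothing until the 24 hours have elapsed
        p["state"] = "confirmed"
        acct = self.accounts[p["email"]]
        acct["totp_secret"] = None
        acct["recovery_codes"] = []
        acct["mfa_enrolled"] = False   # next sign-in lands on the MFA setup screen
        return "confirmed"
```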
