Account Security
Dialogue accounts are optional — the app works fully offline without one. When you do create an account for sync and collaboration, Dialogue protects it with two-factor authentication (TOTP or passkeys), one-time backup codes, and revocable sessions.
Authentication
Accounts use email and password authentication with JWT tokens. Passwords are hashed server-side with a strong one-way hash before storage.
Access tokens are short-lived and automatically refreshed. Refresh tokens can be revoked.
Two-Factor Authentication (TOTP)
You can enable time-based one-time password (TOTP) two-factor authentication on your account. This adds a second factor to every login.
Setting Up TOTP
- Go to Security Settings (on the web) or Account Settings (on macOS)
- Enable TOTP and scan the QR code with your authenticator app (e.g., 1Password, Authy, Google Authenticator)
- Enter the confirmation code to activate
- Save your backup codes in a secure location
Logging In with TOTP
When TOTP is enabled, after entering your email and password you’ll be prompted for the 6-digit code from your authenticator app. You can also use a backup code if you’ve lost access to your authenticator.
Passkeys (WebAuthn)
Dialogue supports WebAuthn passkeys as a second factor. Passkeys use your device’s biometric sensor (Touch ID, Face ID) or a hardware security key.
Setting Up a Passkey
- Go to Security Settings
- Click Register Passkey
- Follow your browser or operating system’s prompt to create the credential
- The passkey is stored on your device and linked to your account
Logging In with a Passkey
When passkeys are registered on your account, you can use them as a second factor after entering your password. On macOS, this integrates with the system passkey prompt.
Backup Codes
When you enable TOTP, Dialogue generates a set of one-time backup codes. Each code can be used exactly once as a substitute for your TOTP code if you lose access to your authenticator app. Store these securely.
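The following sketch shows how a server can check the 6-digit TOTP code and enforce the single-use rule for backup codes. It is an added example, not Dialogue's code. It assumes RFC 6238 defaults (HMAC-SHA-1, 30-second step), a tolerance of one step either side, and backup codes stored as SHA-256 digests; the `SecondFactor` class and its method names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (assumed; RFC 6238 default)
DIGITS = 6   # the page states 6-digit codes


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA-1 (assumed algorithm)."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class SecondFactor:
    """Hypothetical server-side second-factor state for one account."""

    def __init__(self, secret: bytes, backup_codes: list[str]):
        self.secret = secret
        # Store only digests so a database leak does not expose usable codes.
        self.backup_hashes = {self._digest(c) for c in backup_codes}
        self.last_step = -1  # highest time step already accepted

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def verify_totp(self, code: str, now: int, window: int = 1) -> bool:
        current = now // STEP
        for step in range(max(0, current - window), current + window + 1):
            expected = totp(self.secret, step * STEP).encode()
            # Skip steps at or before the last accepted one (replay protection).
            if step > self.last_step and hmac.compare_digest(expected, code.encode()):
                self.last_step = step
                return True
        return False

    def verify_backup(self, code: str) -> bool:
        digest = self._digest(code)
        if digest not in self.backup_hashes:
            return False
        self.backup_hashes.remove(digest)  # each code works exactly once
        return True
```

Tracking the last accepted time step means a code observed during login cannot be replayed within its validity window, which mirrors the single-use property of backup codes.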
Session Management
- Access tokens expire after a short period and are refreshed automatically
- You can sign out from any device to invalidate that session
- Disabling sync reverts to a local-only mode with a new device-bound key