Security Best Practices

Essential security practices to protect your Zenovay account and keep your analytics data safe.

Last updated: February 7, 2026

Protecting your Zenovay account is crucial for safeguarding your analytics data and maintaining trust with your users. Follow these best practices to keep your account secure.

Essential Security Checklist

Complete these steps to secure your account:

  • Use a strong, unique password
  • Enable multi-factor authentication
  • Save backup codes securely
  • Verify your email address
  • Review active sessions regularly
  • Enable security alerts
  • Keep recovery options updated

Password Security

Creating Strong Passwords

| Practice | Why It Matters |
|---|---|
| At least 12 characters | Longer = harder to crack |
| Mix of character types | More combinations to guess |
| No personal information | Can't be researched |
| Unique to Zenovay | Breach elsewhere won't affect you |
| Use a password manager | Remembers complex passwords |

Password Don'ts

  • Don't reuse passwords across sites
  • Don't share your password with anyone
  • Don't store passwords in plain text
  • Don't use common words or patterns
  • Don't include personal information

Password Managers

Use a reputable password manager like 1Password, Bitwarden, or Dashlane to generate and store strong, unique passwords.

Multi-Factor Authentication

MFA Priority

Enable MFA methods in this order of preference:

  1. Security keys (WebAuthn) - Most secure, phishing-resistant
  2. Authenticator apps (TOTP) - Very secure, widely supported

MFA Best Practices

  • Enable at least one MFA method
  • Consider multiple methods for redundancy
  • Keep backup codes in a secure location
  • Test your MFA setup regularly
  • Never share MFA codes with anyone

Zenovay will never ask for your MFA codes via email, phone, or chat. Such requests are always phishing attempts.

Backup Code Management

Storing Backup Codes

Recommended:

  • Password manager (encrypted)
  • Encrypted file on secure storage
  • Physical safe or safety deposit box

Not recommended:

  • Plain text files on your computer
  • Emails to yourself
  • Unencrypted cloud storage
  • Sticky notes

Backup Code Maintenance

  • Keep at least 5 unused codes
  • Regenerate when running low
  • Update storage after regenerating
  • Test codes periodically

Session Security

Automatic Inactivity Timeout

Your session will automatically time out after 30 minutes of inactivity to protect your account if you step away from your computer. Here's how it works:

| Detail | Description |
|---|---|
| Timeout period | 30 minutes of no activity |
| Warning | A notification appears 5 minutes before timeout |
| Activity that resets timer | Clicking, scrolling, typing, or mouse movement |
| After timeout | You're redirected to the login page |

What Happens When Your Session Expires

  1. Warning Notification: A notification appears letting you know your session will expire in 5 minutes. Click anywhere on the page to stay logged in.
  2. Redirect to Login: If no activity is detected, you're automatically redirected to the login page.
  3. Log In Again: Enter your credentials (and MFA if enabled) to start a new session.
  4. Return to Your Page: After logging in, you're taken back to the page you were on before the timeout.

Stay Logged In

To prevent your session from expiring, simply click anywhere on the page, scroll, type, or move your mouse. Any of these actions resets the 30-minute timer.

Signing Out

When you sign out of Zenovay, the sign-out process runs across all Zenovay services (app, auth, docs, help, etc.) to ensure you're fully logged out everywhere. Always use the Sign Out button rather than just closing your browser.

Active Session Management

  • Review sessions weekly
  • Sign out sessions you don't recognize
  • Sign out from all sessions periodically
  • Never stay logged in on shared computers

Login Security

  • Only log in on trusted networks
  • Use private browsing on public computers
  • Always sign out from shared devices
  • Enable login alerts

Account Lockout Protection

Zenovay automatically protects your account against unauthorized login attempts. If someone tries to guess your password, the system will temporarily lock your account.

How Lockout Works

After 10 consecutive failed login attempts, your account is temporarily locked. You'll see a warning when you have 1-2 attempts remaining so you can double-check your credentials.

Progressive Lockout Durations

Repeated lockouts result in progressively longer wait times:

| Lockout | Duration |
|---|---|
| 1st lockout | 5 minutes |
| 2nd lockout | 15 minutes |
| 3rd lockout | 30 minutes |
| 4th and beyond | 60 minutes |

Account lockout is enforced on the server side. Clearing your browser cookies or switching browsers will not bypass the lockout. This ensures your account stays protected even against automated attacks.

Network-Level Rate Limiting

In addition to account lockout, Zenovay uses network-level rate limiting to block automated attacks. Rapid login attempts from the same network are slowed down or blocked before they can reach your account.

Unlocking Your Account

If your account is locked, you have three options:

  1. Wait for the lockout period to expire, then try again
  2. Reset your password using the "Forgot password" link, which unlocks your account immediately
  3. Contact support at support@zenovay.com if you're unable to regain access
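The lockout rules described above can be modeled as a small server-side state machine. This is an added example, not Zenovay's code: the class and method names are hypothetical, and it assumes the lockout count never decays and that a password reset clears the lock but keeps the lock history, neither of which the page specifies.

```python
from dataclasses import dataclass

MAX_FAILURES = 10               # consecutive failures that trigger a lock (from the page)
LOCK_MINUTES = (5, 15, 30, 60)  # 1st, 2nd, 3rd, 4th-and-beyond lockout (from the page)

@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    lockouts: int = 0          # locks so far (assumption: never decays)
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked

class LockoutPolicy:
    """State is keyed by account on the server, so a fresh browser changes nothing."""

    def __init__(self):
        self._accounts = {}

    def _state(self, account):
        return self._accounts.setdefault(account, AccountState())

    def attempt(self, account, password_ok, now):
        st = self._state(account)
        if now < st.locked_until:
            # While locked, even a correct password is refused.
            return {"result": "locked", "retry_after": st.locked_until - now}
        if password_ok:
            st.failures = 0
            return {"result": "ok"}
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            minutes = LOCK_MINUTES[min(st.lockouts, len(LOCK_MINUTES) - 1)]
            st.lockouts += 1
            st.failures = 0
            st.locked_until = now + minutes * 60
            return {"result": "locked", "retry_after": minutes * 60}
        remaining = MAX_FAILURES - st.failures
        # The page says a warning appears with 1-2 attempts remaining.
        return {"result": "failed", "remaining": remaining, "warn": remaining <= 2}

    def password_reset(self, account):
        """A completed password reset unlocks immediately (lock history kept: assumption)."""
        st = self._state(account)
        st.failures = 0
        st.locked_until = 0.0
```

Because the state lives with the account rather than the client, a request from a different browser or with cleared cookies hits the same `locked_until` value.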

Avoid Lockouts

If you're having trouble remembering your password, use the password reset option before you run out of attempts. Consider using a password manager to avoid this situation in the future.

Recognizing Threats

Phishing Attacks

Red flags to watch for:

  • Emails asking for password or MFA codes
  • Urgent messages creating panic
  • Links to fake login pages
  • Requests from "Zenovay support" via unusual channels

Verifying Legitimacy

  • Check email sender addresses carefully
  • Hover over links before clicking
  • Go directly to app.zenovay.com (don't click links)
  • Contact support through official channels if unsure

What Zenovay Will Never Do

  • Ask for your password
  • Request MFA codes via email/phone
  • Threaten immediate account deletion
  • Ask you to install remote access software

Team Security

For Team Owners

  • Audit team members regularly
  • Remove inactive members promptly
  • Use role-based access control
  • Require MFA for all team members (Enterprise)
  • Monitor team activity logs

For Team Members

  • Use your own account (don't share)
  • Report suspicious activity to your admin
  • Follow your organization's security policies
  • Keep your credentials confidential

API Security

API Key Best Practices

  • Don't embed API keys in client-side code
  • Rotate API keys periodically
  • Use separate keys for different integrations
  • Revoke unused keys immediately
  • Monitor API usage for anomalies

Secure API Usage

  • Always use HTTPS
  • Never log API keys
  • Store keys in environment variables
  • Use key management services when possible
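One way to apply "store keys in environment variables" and "never log API keys" together in an integration script (an added example, not Zenovay's code): the variable name `ZENOVAY_API_KEY`, the logger name, and the sample key value are assumptions constructed for illustration.

```python
import logging
import os

ENV_VAR = "ZENOVAY_API_KEY"  # hypothetical variable name, not taken from Zenovay's docs

def load_api_key(environ=os.environ):
    """Read the key from the environment and fail loudly if it is missing."""
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set")
    return key

class RedactSecrets(logging.Filter):
    """Replace known secret values in the final log message before it is emitted."""

    def __init__(self, secrets):
        super().__init__()
        self._secrets = [s for s in secrets if s]

    def filter(self, record):
        msg = record.getMessage()  # message with its arguments already interpolated
        for secret in self._secrets:
            msg = msg.replace(secret, "[REDACTED]")
        record.msg, record.args = msg, None
        return True

class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))

def demo():
    key = load_api_key({ENV_VAR: "zk_constructed_0123456789"})  # constructed sample value
    handler = ListHandler()
    handler.addFilter(RedactSecrets([key]))  # on the handler, so every record it sees is cleaned
    log = logging.getLogger("integration-demo")
    log.propagate = False
    log.setLevel(logging.INFO)
    log.addHandler(handler)
    log.info("calling API with key=%s", key)
    log.warning("request headers: %s", "Authorization: Bearer " + key)
    return key, handler.lines
```

The filter only covers the message text; traceback text rendered from `exc_info` is formatted separately and is not redacted by it.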

Device Security

Securing Your Devices

  • Keep operating systems updated
  • Use antivirus/antimalware software
  • Enable device encryption
  • Use screen locks (PIN, biometrics)
  • Enable "Find My Device" features

Browser Security

  • Keep browsers updated
  • Use reputable browsers
  • Be cautious with extensions
  • Clear cookies on shared computers
  • Use private browsing when appropriate

Network Security

Safe Browsing

  • Avoid public WiFi for sensitive access
  • Use VPN on untrusted networks
  • Ensure HTTPS (look for lock icon)
  • Don't ignore browser security warnings

Corporate Networks

  • Follow your IT department's policies
  • Use company-approved VPN
  • Report security incidents promptly

Monitoring Your Account

Regular Security Checks

| Check | Frequency |
|---|---|
| Active sessions | Weekly |
| Login history | Weekly |
| MFA settings | Monthly |
| Backup codes count | Monthly |
| Team members (if owner) | Monthly |
| API keys | Quarterly |

Security Alerts

Enable all security alerts:

  • New device logins
  • New location logins
  • Failed login attempts
  • Password changes
  • MFA changes

Responding to Security Incidents

If You Suspect Compromise

  1. Change Password: Reset your password immediately.
  2. Sign Out All Sessions: Terminate all active sessions.
  3. Reset MFA: Disable and re-enable MFA with fresh setup.
  4. Regenerate Backup Codes: Create new backup codes.
  5. Review Account Activity: Check for unauthorized changes.
  6. Revoke API Keys: Regenerate all API keys.
  7. Contact Support: Report the incident for investigation.

Enterprise Security Features

Enterprise Plan

Additional security for Enterprise accounts:

  • SSO/SAML integration: Centralized authentication
  • Mandatory MFA: Enforce MFA organization-wide
  • IP restrictions: Limit access by IP address
  • Session policies: Custom timeout and duration
  • Audit logging: Comprehensive activity logs
  • Device management: Require managed devices
  • SOC 2 compliance: Enterprise security standards

Reporting Security Issues

Found a security vulnerability? Contact us:

  • Email: support@zenovay.com
  • Subject: "Security Report - [Brief Description]"
  • We respond to reports within 48 hours
  • Responsible disclosure appreciated

Summary

| Category | Key Actions |
|---|---|
| Password | Unique, strong, use manager |
| MFA | Enable, prefer security keys/TOTP |
| Backup | Store codes securely |
| Sessions | 30-min inactivity timeout, review weekly, sign out unused |
| Lockout | 10 failed attempts triggers lock, progressive durations |
| Alerts | Enable all security notifications |
| Vigilance | Know phishing signs, verify requests |
