Account security
Five steps, one afternoon
Most account takeovers in 2026 happen through credential stuffing or SIM-swap: both fully preventable with the five steps below. Goldenhour uses Clerk for authentication so most of this is "use the security features Clerk provides." Worth one focused afternoon.
01
Use a real password manager
1Password / Bitwarden / iCloud Keychain / Apple Passwords. Generate a unique 20+ character password for goldenhour. Never reuse the password from any other service: credential-stuffing attacks are the most common compromise vector.
02
Turn on 2FA today
Settings → Security → Two-factor authentication. Use a TOTP app (Authy, Google Authenticator, 1Password's built-in) rather than SMS: SMS-based 2FA is bypassable via SIM-swap attacks. Save the backup codes immediately into your password manager.
03
Lock down the email on file
If your email gets compromised, an attacker can reset your goldenhour password via the recovery flow. Apply 2FA + strong password to your Gmail / iCloud / Proton inbox. Treat the email as critical infrastructure.
04
Phone-number protection
Call your mobile carrier + set a port-out PIN. SIM-swap attacks are the #1 vector for high-value account takeovers in 2026. A 6-digit PIN on your mobile account stops 95% of attempts.
05
Audit-log review
Once a month, glance at Settings → Audit log. Look for anything that wasn't you: unusual login times, settings changes you don't remember, exports you didn't initiate. Catches an in-progress compromise faster than waiting for visible damage.
If something's already wrong
Compromise response
- 01Email support@goldenhourhq.com from a known-good email. Subject: "Account compromise: pause outbound."
- 02We pause SMS + email + payment processing on your account within the hour. This prevents damage to your reputation while you regain access.
- 03We walk you through Clerk's account-recovery flow + verify identity through a different channel (text-back from your number on file).
- 04Review the audit log together to see what was done during the unauthorized window. Anything that needs to be reverted, we revert.
Why this matters
A goldenhour account is a higher-value target than most SaaS accounts: it has your client list (which is a recruitable customer base for a competitor) + your payment-processing access (which can be misused) + your SMS sender reputation (which a spammer can burn through in an afternoon). Spend the afternoon.
FAQ
- Does goldenhour support 2FA?
- Yes, via Clerk's built-in 2FA. Settings → Security in the dashboard surfaces the toggle. Supports TOTP (Google Authenticator / Authy / 1Password) + SMS backup codes. We strongly recommend turning it on within the first week of signup.
- What if I lose my phone with 2FA on it?
- Clerk shows you backup codes when you enable 2FA: save them in a password manager. If you lose both the phone and the backup codes, you can recover via the email on file (a slow but deliberate recovery path that requires real proof of identity).
- Can teammates see each other's logins?
- Each teammate has their own Clerk identity + their own 2FA. The audit log records who-did-what so you can verify activity by individual. Don't share logins; create proper teammate accounts even for occasional collaborators.
- What happens if my account is compromised?
- Email support@goldenhourhq.com from a known-good account immediately. We pause outbound SMS + email to prevent damage to your reputation, and we walk you through password reset + 2FA re-enablement. The audit log shows you exactly what was done during the unauthorized window.