We strongly recommend enabling multi-factor authentication (MFA) on your Relm Pro account. MFA adds a second verification step beyond your password — even if your credentials are stolen, an attacker can't sign in without your second factor.
Supported factors
Relm supports several second factors:
- TOTP authenticator app (any standard authenticator — password manager, dedicated authenticator app, etc.) — recommended.
- Passkey / WebAuthn — biometric or hardware key (Touch ID, Face ID, hardware security keys, OS-level passkey sync).
- SMS — supported but discouraged because of SIM-swap risk.
- Backup codes — for when your primary factor is unavailable.
You can enable multiple factors and use whichever is convenient at sign-in.
How to enable
- Go to Settings → Security.
- Click Enable two-factor authentication.
- Pick a primary factor (TOTP recommended).
- Follow the setup flow — typically scan a QR code with your authenticator app and confirm a one-time code.
- Save your backup codes — they're shown once. Store them in a password manager.
After enable, sign-in requires both your password (or magic link) and the second factor.
Backup codes
Backup codes are one-time use. They're your fallback when your primary factor is unavailable (lost phone, broken authenticator). Each Relm account gets ~10 backup codes; using one consumes it.
If you run low, regenerate from Settings → Security → Regenerate backup codes. Old codes are invalidated.
Passkeys
Passkeys are the most convenient and most secure factor. On a modern Mac, iPhone, or Android device, your platform's keychain typically syncs the passkey across your devices automatically. To set up: pick Passkey in the MFA setup flow and follow the prompts.
Hardware security keys also work.
Excel add-in & MFA
The Excel add-in uses device-link sign-in, which redirects to your browser. MFA happens in the browser, not in Excel — every factor is fully supported. This is intentional; we never want MFA prompts inside a non-browser context.
Recovering when you lose your second factor
Three paths:
- Use a backup code at sign-in.
- Use a different MFA factor if you have multiple set up.
- Contact support as the absolute last resort. We require additional identity verification (work email + corporate domain proof, or a video call) before disabling MFA on an account.
Org enforcement
Enterprise customers can require MFA across their organization. Contact your account contact to enable. Once enforced, members without MFA are prompted to set it up at next sign-in.