Account Security Guide
How to keep your AskBiz account secure. Strong passwords, two-factor authentication, session management, connected app reviews, and what to do if your account is compromised.
Why Account Security Matters
Your AskBiz account holds sensitive financial intelligence — revenue figures, profit margins, customer data, supplier relationships, cash flow, and API keys that connect to your Shopify, Amazon, and QuickBooks accounts. A compromised AskBiz account is not just an AskBiz problem: an attacker who reads your connected platform tokens could potentially access your ecommerce back-end. Treat your AskBiz account with the same rigour you would your business bank account.
Use a Strong, Unique Password
Your AskBiz password should be:
- At least 12 characters long — 16+ is better
- Unique to AskBiz — never reuse a password from another service. If your email provider is breached and you share a password, attackers will try it on every service you use.
- Not based on personal information — avoid your name, company name, birthdate, or pet name
- Complex — mix of uppercase, lowercase, numbers, and symbols
The practical solution is a password manager (1Password, Bitwarden, Dashlane, or Apple Keychain). It generates a random 20-character password, remembers it for you, and autofills it. You only remember one master password.
AskBiz checks new passwords against the HaveIBeenPwned database of known breached credentials and will reject passwords that have appeared in data breaches. If you receive a prompt to change your password, act on it immediately — and change it anywhere else you used the same password.
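The page does not describe how AskBiz performs this lookup; the following added example (not AskBiz's code) shows the k-anonymity range protocol that Have I Been Pwned publishes for exactly this purpose, with a constructed sample response so it runs offline.

```python
"""Breached-password check via the Pwned Passwords k-anonymity range API."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response ("SUFFIX:COUNT" per line) so the
# example runs offline. The middle suffix is the real SHA-1 tail for
# "password"; the counts are illustrative, not live data.
SAMPLE_RANGE_5BAA6 = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
    "1F4FE41D3F1A9E0D2B6E7E0E2F9B1A2C3D4:1\r\n"
)

def hash_prefix_suffix(password):
    """Only the 5-char prefix leaves the client; the 35-char suffix is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse the range response into {suffix: count}."""
    table = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            table[suffix] = int(count)
    return table

def fetch_range(prefix):
    """Live lookup (needs network); Add-Padding hides the response size from observers."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def offline_fetcher(prefix):
    """Stand-in for fetch_range that serves the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

def pwned_count(password, fetcher=fetch_range):
    """How often the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range(fetcher(prefix)).get(suffix, 0)

if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-7Q!"):
        n = pwned_count(candidate, offline_fetcher)
        print(f"{candidate!r}: {'REJECT, seen %d times' % n if n else 'accept'}")
```

Swap `offline_fetcher` for the default `fetch_range` to query the live service; the password itself is never transmitted either way.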
Enable Two-Factor Authentication (2FA)
2FA requires a second piece of evidence to log in — typically a time-based code from your phone. Even if someone has your password, they cannot access your account without this second factor.
Setting up 2FA:
1. Go to Account Settings → Security → Two-Factor Authentication
2. Choose your method:
   - Authenticator app (strongly recommended) — Google Authenticator, Authy, or 1Password. These generate codes offline and are not vulnerable to SIM-swap attacks.
   - SMS code — sent to your mobile number. More convenient but less secure; a SIM-swap attack can intercept SMS codes.
3. Scan the QR code with your authenticator app, or enter the setup key manually
4. Enter the 6-digit code your app generates to confirm setup
5. Download and store your backup codes — you get 8 single-use codes. Print them or store them in a secure password manager. These are the only way to access your account if you lose your phone.
Important: Never share your 2FA codes with anyone — including anyone claiming to be from AskBiz support. We will never ask for them.
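To show what the authenticator app and the server are each doing with the setup key, here is an added example (not AskBiz's implementation) of the RFC 6238 TOTP algorithm behind the 6-digit codes, including the small clock-skew window a server typically allows; the secret is the RFC's published test key, not a real account key.

```python
"""RFC 6238 TOTP: the 6-digit codes an authenticator app derives from the setup key."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step
DIGITS = 6   # code length shown in the app

# Published RFC 6238 test secret (ASCII "12345678901234567890" in base32), not a real key.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Compute the code for the time step containing unix_time (HMAC-SHA1)."""
    secret = secret_b32.upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)                        # restore base32 padding if omitted
    key = base64.b32decode(secret)
    counter = struct.pack(">Q", unix_time // step)            # 8-byte big-endian step index
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, unix_time, window=1):
    """Server-side check: accept the current step plus `window` steps either side for skew."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for k in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + k * STEP)
        if hmac.compare_digest(candidate, submitted):          # constant-time comparison
            return True
    return False

if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("current code:", code, "verifies:", verify(RFC_SECRET, code, now))
```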
Review Your Active Sessions
AskBiz tracks every active session — every browser and device where you are currently signed in.
To review sessions:
1. Go to Account Settings → Security → Active Sessions
2. Each session shows: device type, browser, approximate location (city/country), and last active time
3. Click Revoke next to any session you do not recognise
4. Click Sign out all other sessions to instantly invalidate every session except the one you are currently using
What to look for:
- Sessions from countries you have not visited
- Sessions on device types you do not own (e.g. Windows sessions if you only use Mac)
- Sessions that have been active at unusual hours
If you see anything suspicious, revoke all other sessions and change your password immediately.
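The three checks above can be applied mechanically to an exported session list; this added example (not an AskBiz feature) does so over constructed sample sessions, with the field names, known countries and owned device types chosen for illustration.

```python
"""Flag sessions using the three heuristics from the session review checklist."""
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

@dataclass
class Session:
    session_id: str
    os: str                # device type as shown in the session list
    browser: str
    country: str           # approximate location
    last_active: datetime  # stored in UTC

def review_sessions(sessions, known_countries, owned_os,
                    local_utc_offset_hours=0, waking_hours=(6, 23)):
    """Return {session_id: [reasons]} for every session that trips a heuristic."""
    local_tz = timezone(timedelta(hours=local_utc_offset_hours))
    flagged = {}
    for s in sessions:
        reasons = []
        if s.country not in known_countries:
            reasons.append(f"country {s.country} is not one you have been in")
        if s.os not in owned_os:
            reasons.append(f"device type {s.os} is not one you own")
        hour = s.last_active.astimezone(local_tz).hour
        if not (waking_hours[0] <= hour < waking_hours[1]):
            reasons.append(f"last active at {hour:02d}:00 local, outside usual hours")
        if reasons:
            flagged[s.session_id] = reasons
    return flagged

# Constructed sample session list, not real AskBiz data.
SAMPLE_SESSIONS = [
    Session("s1", "macOS", "Safari", "GB", datetime(2024, 5, 2, 9, 15, tzinfo=timezone.utc)),
    Session("s2", "Windows", "Chrome", "GB", datetime(2024, 5, 2, 14, 0, tzinfo=timezone.utc)),
    Session("s3", "macOS", "Chrome", "BR", datetime(2024, 5, 2, 3, 30, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    result = review_sessions(SAMPLE_SESSIONS, {"GB", "FR"}, {"macOS", "iOS"})
    for sid, reasons in result.items():
        print(f"{sid}: revoke? " + "; ".join(reasons))
```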
Review Connected Applications and API Keys
If you have connected third-party apps or generated API keys, review them regularly:
Connected apps: Account Settings → Security → Connected Applications. Revoke any app you no longer use or do not recognise. Revocation is instant.
API keys: Account Settings → Developer → API Keys. Each key shows its name, creation date, and last used date. Delete keys that are:
- No longer in use (last used > 90 days ago)
- Associated with integrations or team members that are no longer active
- Unrecognised — if you did not create it, delete it and investigate immediately
Rotate active keys every 90 days as a general security hygiene practice.
What to Do If Your Account Is Compromised
If you believe someone has accessed your account without authorisation:
1. Change your password immediately — Account Settings → Security → Change Password. Use a new, unique password.
2. Revoke all other sessions — Account Settings → Security → Active Sessions → Sign out all
3. Delete all API keys — Account Settings → Developer → API Keys. Regenerate only the ones you actively need.
4. Email security@askbiz.co — subject line: 'Suspected account compromise'. Include your account email and what you noticed. We will review your access log and assist.
5. Check your email account — most account takeovers start with email access. Secure your email provider first, and enable 2FA there if you have not already.
6. Check connected platforms — log in to Shopify, Amazon, QuickBooks etc. separately and review their own access logs and connected apps.
7. Notify your team — if you are on the Business plan and share the account, let your team members know so they can review their own sessions.
Security for Business Plan Teams
When multiple people access one AskBiz account:
- Each team member must use their own login — do not share credentials
- As account owner, you can see which team members have 2FA enabled from Account Settings → Team → Members. Consider making 2FA mandatory for your team.
- Remove team members promptly when they leave — Account Settings → Team → Remove Member. Access is revoked immediately.
- Apply the least-privilege principle: team members who only need to read reports should not have admin access
- When someone leaves, rotate any API keys they had visibility of