There are a few things you can do to keep your Headway account secure:
- Create a strong password: Use a unique password for Headway and never share it.
- Enable two-factor authentication (2FA): Add a second layer of verification to your Headway account.
- Secure your email: Ensure the email address linked to Headway also uses a strong password and has 2FA enabled.
About two-factor authentication (2FA)
Two-factor authentication (2FA) protects your account by requiring a secondary verification method during login. This ensures that even if your password is compromised, unauthorized users cannot access your data.
Providers: 2FA is required for all provider accounts.
Clients: 2FA is currently optional, but highly recommended.
Available verification methods
You can enroll in multiple methods to ensure you always have access to your account.
| Verification method | Description | Requirements |
|---|---|---|
| Authenticator app | Generates a 6-digit code every 30 seconds. | Use an app like Google Authenticator, Ente Auth, or a password manager. Works offline. |
| Phone (text or call) | Sends a 6-digit code via SMS or automated call. | US phone numbers (+1) only. Non-US numbers are not supported. |
| Fingerprint or face | Uses the biometric authenticator on your device (Face ID, Touch ID, etc.). | Tied to the specific device or password manager where it was set up. |
| Security key | A small USB or NFC device (e.g., YubiKey). | Can also be set up through most password managers. |
| Recovery code | A one-time-use backup code. | Generated after you add your first 2FA method. |
Biometric privacy: Biometric data is never sent to Headway; it is validated only on your device and never leaves your hardware.
Setting up 2FA
Setting up 2FA for clients
- Visit the Settings page on headway.co
- Click the Enroll button next to the 2FA method you'd like to add
- Follow the prompts to complete setup
Setting up 2FA for providers
- Log into your account on the provider portal
- Navigate to Settings, and click the Login tab
- Click the Enroll button next to the 2FA method you'd like to add
- Follow the prompts to complete setup
2FA set-up video walkthroughs
For detailed videos on how to set up each 2FA method, click the links below:
- One-time Password (TOTP) with macOS Firefox
- One-time Password (TOTP) with macOS Chrome
- Passkey with Proton Pass
- Biometrics with macOS for Firefox
- Biometrics with macOS for Chrome
- Biometrics with Edge
Managing your 2FA settings
Resetting 2FA
If you need to change your 2FA configuration or have lost access to a specific device:
- Clients: Visit the Account page, scroll to Login, and select Reset 2FA. You will be prompted to re-authenticate and set up 2FA again.
- Providers: If you lose access to your phone or app, contact Headway support. Once an exemption is granted, you have one week to log in, navigate to the Login tab in Settings, and click Reset to update your methods.
Best practices
- Enroll multiple methods: Set up at least two methods (e.g., Authenticator app and Phone) so you have a fallback.
- Store your recovery code: Save a printed copy or a secure digital note of your recovery code. If you use it, we will provide a new one to save.
- International travel: Because phone codes require a US number, ensure you have an Authenticator app or Biometrics active before traveling abroad.
- Switching devices: Before getting a new phone, ensure your Authenticator app is synced or that you have your recovery code ready. You will need to re-enroll biometrics on new hardware.
Troubleshooting
SMS or voice codes not arriving
- Try the alternative: If you chose SMS, try the voice call option.
- Check device filters:
  - iOS: Check Settings > Apps > Messages > Unknown Senders. Ensure Silence Unknown Callers is off in your Phone settings.
  - Android: Check Messages > Archived or check Spam protection in settings.
- Review carrier apps: Apps like AT&T ActiveArmor or Verizon Call Filter can block automated short-codes. Lower the filter level or allowlist verification messages.
Biometrics not appearing at sign-in
Fingerprint or facial recognition is tied to the specific device where you enrolled it. It will not appear when you log in on a different device (e.g., switching from phone to laptop).
- Use another method like Authenticator app or Phone.
- Once logged in, you can enroll the new device's biometrics in your account settings.
Lost access to all methods
If you cannot use your phone, app, or biometrics:
- Use your recovery code: Enter this in the verification field to bypass other methods.
- Contact support: If you have lost your recovery code, contact Headway support for identity verification and account recovery assistance.