Login & sessions
This page covers how you get into Kohana and how to keep your active sessions under control. There's no password anywhere, Kohana doesn't use them.
Ways to sign in
- Magic link. Enter your email and we send a one-time link. Click it and you're in. The link expires quickly and works once.
- Passkey. Sign in with your fingerprint, face, or security key. Nothing to type, and phishing-resistant. See Passkeys.
Magic links never ask for a code
A genuine Kohana magic link signs you in directly. If an email asks you to "reply with your code" or enter credentials on another site, it's a phishing attempt, so don't act on it.
Trusted devices
After you complete 2FA, you can mark a device as trusted so you're not asked for a second factor on that device every single time. Only do this on devices you own and keep locked. You can revoke a device's trust at any time, which forces 2FA again on its next sign-in.
Managing active sessions
A session is an active sign-in on one browser or device. From Account → Security → Sessions you can:
- See every active session, with device, approximate location, and last activity.
- Sign out any individual session you don't recognise.
- Sign out everywhere to end every session at once.
See a session you don't recognise?
Sign it out immediately, then review your 2FA and sign out everywhere to be safe. If anything looks wrong with your funds, contact support straight away.
Automatic sign-out
For your protection, sessions expire after a period of inactivity, and long-idle sessions are closed automatically, so an unattended tab can't stay logged in forever. You'll simply be asked to sign in again.
Can't get in?
Since there's no password, getting back in is just getting back to your email, a fresh magic link signs you in. If you've also lost your 2FA device, use a recovery code, and if those are gone too, contact support to restore access.