Your reservation data carries sensitive information (ID scans, guest emails, amounts). Heroes ships several optional security layers.
Two-factor authentication (2FA)
Each user can enable 2FA under Profile → Security:
- Authenticator app (Google Authenticator, Authy, 1Password)
- SMS on your verified number
- Recovery codes (10 codes to print)
The manager can enforce 2FA for the whole team under Settings → Security.
Sessions and expiry
A session expires after 12h of inactivity by default. Drop it to 30 min for sensitive profiles (accounting). Active sessions are listed in your profile — revoke remotely if needed.
IP allowlist
On Pro/Enterprise plans, restrict access to specific IPs (your hotel, HQ). Logins from elsewhere are refused. Handy for back-office roles.
Password policy
Configure under Settings → Security:
- Minimum length (8 chars default, 12 recommended)
- Force uppercase + digit + special character
- Rotation every 90 days (optional — discouraged unless compliance-driven)
Account compromised?
If you suspect a breach, open Team → Activity to spot suspicious actions, then Profile → Security → Revoke all sessions on the affected member.
Was this article helpful?
Thanks for your feedback!
We're sorry. Our team can help you directly.
Open a ticket