Account Security
Protect your account with two-factor authentication, access controls, and session monitoring.
This guide covers all the ways you can secure your Kuata account: PIN, biometric login, two-factor authentication via SMS, email, or authenticator app, and session management. Using multiple layers together gives your account the strongest possible protection.
Your 6-Digit PIN
Setting Your PIN
Your PIN is the primary authentication method for Kuata. It is set during onboarding and is required to approve payments, access sensitive settings, and as a fallback when biometrics are unavailable.
PIN Requirements
• Exactly 6 digits
• Must not be a consecutive sequence (e.g., 123456 or 654321)
• Must not be all the same digit (e.g., 111111)
• Must not match your date of birth, phone number, or other obvious personal data
Tip: Choose a PIN that is memorable to you but not guessable by someone who knows you. Avoid PINs you use for other services.
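The four PIN requirements above, expressed as a policy check. This is an added example, not Kuata's own code: the rules it enforces are the ones listed on this page, and the date-of-birth and phone-number handling (every 6-digit window of the number, and the common day/month/year orderings) is this example's own interpretation of "obvious personal data".

```python
import re
from datetime import date
from typing import Iterable, Optional

PIN_LENGTH = 6


def _is_sequence(pin: str) -> bool:
    """True for a run of consecutive digits in either direction (123456, 654321)."""
    deltas = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return deltas == {1} or deltas == {-1}


def _personal_digit_strings(birth_date: Optional[date], phone: Optional[str]) -> set:
    """Digit strings a guesser who knows the user would try first: the date of
    birth in common orderings and any 6-digit window of the phone number."""
    sources = []
    if birth_date:
        d, m, y = birth_date.day, birth_date.month, birth_date.year
        sources += [
            f"{d:02d}{m:02d}{y:04d}", f"{m:02d}{d:02d}{y:04d}", f"{y:04d}{m:02d}{d:02d}",
            f"{d:02d}{m:02d}{y % 100:02d}", f"{m:02d}{d:02d}{y % 100:02d}",
            f"{y % 100:02d}{m:02d}{d:02d}",
        ]
    if phone:
        sources.append(re.sub(r"\D", "", phone))  # keep digits only
    candidates = set()
    for s in sources:
        for i in range(len(s) - PIN_LENGTH + 1):
            candidates.add(s[i:i + PIN_LENGTH])
    return candidates


def validate_pin(pin: str, birth_date: Optional[date] = None,
                 phone: Optional[str] = None) -> list:
    """Return the list of violated requirements; an empty list means the PIN is acceptable."""
    problems = []
    if not re.fullmatch(r"\d{6}", pin):
        # Nothing else is meaningful if the shape is wrong, so stop here.
        return ["must be exactly 6 digits"]
    if len(set(pin)) == 1:
        problems.append("must not be all the same digit")
    if _is_sequence(pin):
        problems.append("must not be a consecutive sequence")
    if pin in _personal_digit_strings(birth_date, phone):
        problems.append("must not match your date of birth or phone number")
    return problems


if __name__ == "__main__":
    # Constructed sample data, not a real person.
    dob, phone = date(1990, 4, 15), "+44 7700 900123"
    for candidate in ("123456", "111111", "150490", "900123", "481276"):
        print(candidate, validate_pin(candidate, dob, phone) or "OK")
```

Run the check on the server as well as in the app; a client-side check alone can be bypassed by a modified client.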
Changing Your PIN
1. Go to Settings -> Security -> Change PIN.
2. Enter your current PIN to confirm your identity.
3. Enter your new 6-digit PIN twice to confirm.
4. Your new PIN takes effect immediately on all devices.
If You Forget Your PIN
1. On the login screen, tap Forgot PIN.
2. Verify your identity: enter your phone number and complete the SMS verification, then pass the liveness check.
3. Set a new 6-digit PIN.
Important: After 5 consecutive wrong PIN entries, your account is locked for 30 minutes. This is a security protection — it prevents automated guessing attacks.
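The lockout rule just stated, as an added example of how a server would enforce it; this is not Kuata's code. It uses the numbers from this page (5 consecutive failures, 30-minute lock) and assumes the counter is kept per account on the server, with an injectable clock so the behaviour can be exercised without waiting half an hour.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

MAX_FAILURES = 5            # consecutive wrong entries allowed
LOCKOUT_SECONDS = 30 * 60   # lock duration once the limit is hit


class FakeClock:
    """Test clock: returns a fixed time that the caller advances by hand."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


@dataclass
class PinLockout:
    """Per-account state for the 'lock after N consecutive failures' rule.
    Keep this on the server: a client-side counter can simply be reset."""
    clock: Callable[[], float] = field(default=time.time)
    failures: int = 0
    locked_until: float = 0.0

    def is_locked(self) -> bool:
        return self.clock() < self.locked_until

    def seconds_remaining(self) -> int:
        return max(0, int(self.locked_until - self.clock()))

    def attempt(self, pin_matches: bool) -> bool:
        """Record one PIN entry. Returns True only if the PIN was correct AND
        the account was not locked; a correct PIN during a lock is still refused,
        otherwise an attacker could test guesses for free while locked."""
        if self.is_locked():
            return False
        if pin_matches:
            self.failures = 0          # success resets the consecutive count
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = self.clock() + LOCKOUT_SECONDS
            self.failures = 0          # fresh count once the lock expires
        return False


if __name__ == "__main__":
    clk = FakeClock(1000.0)
    state = PinLockout(clock=clk)
    for _ in range(MAX_FAILURES):
        state.attempt(False)
    print("locked:", state.is_locked(), "for", state.seconds_remaining(), "s")
    clk.t += LOCKOUT_SECONDS
    print("after 30 min, correct PIN accepted:", state.attempt(True))
```

The `pin_matches` decision itself should come from a constant-time comparison against a salted hash of the PIN, not from comparing the PIN in the clear.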
Biometric Login — Face ID and Fingerprint
How it Works
Biometric login uses your device's built-in hardware (iOS Secure Enclave or Android StrongBox) to verify your fingerprint or face. Kuata never receives or stores your biometric data — the verification happens entirely on your device, and only a cryptographic confirmation is passed to the app.
Enabling Biometric Login
1. Go to Settings -> Security -> Biometric login.
2. Tap Enable and confirm with your PIN.
3. Follow your device prompts to register your fingerprint or face.
4. Biometric login is active immediately for app access and payment approval.
Disabling or Re-registering Biometrics
To disable: Settings -> Security -> Biometric login -> Disable. Your PIN remains active.
To re-register (e.g., after a finger injury or a change in your appearance): Settings -> Security -> Biometric login -> Re-register, then follow your device prompts.
Note: If multiple people have their biometrics registered on your device (e.g., a family member's fingerprint), they could access your Kuata app. Register only your own biometrics, and use a PIN if you share your device.
Two-Factor Authentication (2FA)
Two-factor authentication adds a second verification step on top of your PIN or biometrics. Kuata supports three types of 2FA, which can be combined for maximum security.
SMS Text Message Authentication
When enabled, Kuata sends a one-time 6-digit code to your registered phone number whenever you log in from a new device or perform a high-value transaction.
1. Go to Settings -> Security -> Two-factor authentication -> SMS verification.
2. Confirm your registered phone number.
3. Enter the confirmation code sent to activate SMS 2FA.
Important: SMS codes can be intercepted through SIM swap attacks. For stronger security, use an authenticator app instead. See the Authenticator App section below.
Email Authentication
When enabled, Kuata sends a one-time link or code to your registered email address for login verification and for changes to sensitive settings (PIN, payment methods, linked phone number).
1. Go to Settings -> Security -> Two-factor authentication -> Email verification.
2. Confirm your registered email address.
3. Click the confirmation link in the email Kuata sends to activate email 2FA.
Tip: Email 2FA is especially useful as a backup if you lose your phone. Make sure your email account itself is secured with a strong password and its own 2FA.
Authenticator App (Recommended)
An authenticator app generates time-based one-time codes (TOTP) on your device — no SMS or internet required for the code generation itself. This is the most secure form of 2FA because the codes cannot be intercepted by SIM swap or phishing attacks.
Supported authenticator apps:
App | Platform
Google Authenticator | iOS and Android
Microsoft Authenticator | iOS and Android
Authy | iOS and Android
1Password | iOS, Android, desktop
Bitwarden | iOS, Android, desktop
Apple Passwords (iOS 18+) | iOS only
Setting Up an Authenticator App with Kuata
1. Go to Settings -> Security -> Two-factor authentication -> Authenticator app.
2. Kuata displays a QR code. Open your authenticator app and scan it (look for Add account or the + icon).
3. Your authenticator app immediately starts generating 6-digit codes that refresh every 30 seconds.
4. Enter the current code shown in your authenticator app into Kuata to confirm the setup.
5. Kuata shows you recovery codes — store these in a safe place (not on your phone). They let you access your account if you lose your authenticator app.
Important: Save your recovery codes in a secure location — a password manager, printed paper in a safe, or another offline backup. If you lose your phone and your recovery codes, account recovery will require identity re-verification.
Managing Multiple 2FA Methods
You can have all three 2FA methods active simultaneously. When logging in, Kuata will use the strongest available method (authenticator app preferred over SMS). You can see and manage all active 2FA methods from Settings -> Security -> Two-factor authentication.
Password Managers
Kuata does not require a traditional password, but if you use a password manager to store your Kuata account credentials or recovery codes, we recommend:
• 1Password, Bitwarden, or Dashlane; all three support TOTP and strong password generation
• Enable biometric unlock on your password manager
• Use a strong, unique master password that you do not use anywhere else
• Enable 2FA on your password manager itself
Session and Device Management
Viewing Active Sessions
Go to Settings -> Security -> Active sessions to see every device currently logged in to your Kuata account, including device type, operating system, approximate location, and last active time.
Signing Out Remotely
Tap any session in the Active sessions list and select Sign out to immediately revoke access on that device. You can also tap Sign out all other devices to revoke all sessions except the one you are currently using.
Automatic Session Expiry
Sessions on inactive devices expire automatically after 30 days. High-value transaction approvals always require a fresh authentication regardless of session age.
If Your Account is Compromised
Security Alert: If you believe someone else has access to your account, act immediately — do not wait.
1. Change your PIN: Settings -> Security -> Change PIN.
2. Revoke all other sessions: Settings -> Security -> Active sessions -> Sign out all other devices.
3. Review recent transactions and report any you do not recognise: Payments -> History -> Report an issue.
4. If SMS 2FA is your only 2FA method and you suspect SIM swap, contact your mobile operator immediately to secure your number.
5. Contact Kuata security: security@kuata.app — mark URGENT.
Security Best Practices Summary
Action | Priority
Use a unique 6-digit PIN not used elsewhere | Essential
Enable biometric login (Face ID or fingerprint) | Strongly recommended
Set up an authenticator app for 2FA | Strongly recommended
Store recovery codes in a safe offline location | Essential if using authenticator app
Review active sessions monthly | Recommended
Keep your email account secured with its own strong password and 2FA | Essential
Never share your PIN or one-time codes with anyone | Essential — non-negotiable