Account Security

Multi-factor authentication, password best practices, and how to recover access to your 5-by-5 account.

Overview

5-by-5 stores your aircraft records, flight logs, member contact details, and financial ledger and bank-balance information. Protecting that account is worth a few minutes of setup. This page covers the security features available today and the steps to get the most out of them.

Multi-Factor Authentication (MFA)

Multi-factor authentication adds a second step to sign-in: in addition to your password, you also enter a 6-digit code from an authenticator app on your phone. Even if someone steals your password, they can’t sign in without the device that generates the codes.

5-by-5 supports time-based one-time passwords (TOTP) — the same standard used by Google, AWS, GitHub, and most banks.

Supported Authenticator Apps

Any TOTP-compatible app works. Popular choices:

  • Google Authenticator (iOS, Android) — free, no cloud backup
  • Microsoft Authenticator (iOS, Android) — free, cloud backup via Microsoft account
  • Authy (iOS, Android, desktop) — free, encrypted cloud backup, multi-device
  • 1Password, Bitwarden, Apple Passwords — built-in TOTP if you use these password managers

We recommend an app with cloud backup (Microsoft Authenticator, Authy, or a password manager) so you don’t lose access if you switch phones.

Setting Up MFA

MFA enrollment is required for every 5-by-5 account. After you create your account and sign in for the first time, an enrollment screen appears before you can use the app — there’s no opt-out, and you can’t proceed without completing it. The screen shows a setup key prominently with a smaller QR code below.

Because you’re usually setting this up on the same phone running 5-by-5 (which can’t scan its own screen), the primary path is to copy the setup key and paste it into your authenticator. The QR code is for the case where your authenticator lives on a different device.

Primary path: setup key copy/paste

  1. On the MFA enrollment screen, tap Copy setup key — 5-by-5 copies a string of letters and numbers to your clipboard
  2. Open your authenticator app, tap to add a new account, choose Enter setup key (wording varies — sometimes “Manual entry” or “Setup key”), and paste
  3. Your authenticator now shows a 6-digit code for “5-by-5” that refreshes every 30 seconds
  4. Type that code back into 5-by-5 to confirm setup

Secondary path: QR code (when your authenticator is on a different device)

If your authenticator runs on a separate device — an iPad while 5-by-5 is on your iPhone, a desktop password manager, etc. — scroll down on the enrollment screen to the smaller QR code and scan it from that other device instead. Then type the resulting 6-digit code back into 5-by-5 to confirm setup.

Once enrolled, every future sign-in on any device requires the 6-digit code in addition to your password. The Settings → Authentication row shows your enrollment status — a green On indicator under normal operation.

Save the setup key somewhere safe. If you ever lose your phone, having the original setup key means you can restore MFA on a new device without contacting support. Most password managers can store this key alongside the credentials.

Signing In with MFA Enabled

  1. Enter your email and password as usual
  2. The app prompts you for a 6-digit code
  3. Open your authenticator app and read the current code for “5-by-5”
  4. Enter it into the 5-by-5 prompt
  5. You’re in

Codes refresh every 30 seconds. If yours has only a few seconds left, wait for the next one — codes that just rolled over are sometimes still accepted, but it’s safest to use a fresh code.

MFA can’t be disabled in-app

Once enrolled, MFA stays enrolled — there’s no in-app path to turn it off. Tapping the Two-Factor Authentication row in Settings shows an informational alert confirming your enrollment status, not a disable option. This is intentional: every account having MFA on means a stolen password alone never compromises an account.

If you’ve lost access to your authenticator app, see What if I Lose My Authenticator? below for the support-mediated recovery path.

What if I Lose My Authenticator?

If your authenticator app is no longer available — phone lost, app deleted, cloud sync issue — you cannot sign in on your own. Contact support@blueskyapplications.com from the email address on your 5-by-5 account.

The support team will verify your identity (typically via a reply from the original email plus another channel like a phone call), then remove the MFA factor from your account. You’ll sign in with just your password and be prompted to re-enroll a new authenticator on first sign-in.

Identity verification is intentionally strict. If we can't confirm you are the account holder, we will not clear the MFA factor. This is the layer that prevents an attacker who has stolen your password from also socially engineering us into removing the MFA gate. Plan ahead — use an authenticator app with cloud backup, or save the original setup key in your password manager.

Password Best Practices

5-by-5 enforces a minimum password length and screens new passwords against known-breached password databases via Supabase’s leaked-password protection. Beyond the minimum, you control how strong your password is.

Recommendations:

  • At least 12 characters — longer is meaningfully stronger
  • Unique to 5-by-5 — don’t reuse a password you use anywhere else
  • Generated by a password manager — humans are bad at creating random-looking strings; 1Password, Bitwarden, Apple Passwords, or Chrome/Safari built-in are all good options
  • Don’t memorize it — that’s what the password manager is for

If your password ever appears in a public breach database, Supabase will reject it at next sign-in and require you to reset.

Changing Your Password

Available on both mobile and web:

  • Mobile app: Settings → Authentication → Change Password
  • Web dashboard: Settings → My Profile → Authentication card → Change Password

Enter the new password twice and submit. You’ll stay signed in on the current device. Other signed-in devices stay signed in too (no remote sign-out), so revoke any sessions you don’t recognize via your password manager’s session list if it supports that.

Forgot Password

On the sign-in screen, tap Forgot Password. Enter your email address. You’ll receive a one-time reset link from noreply@blueskyapplications.com valid for 1 hour. Click the link and set a new password.

If the email doesn’t arrive within a few minutes, check your spam folder and follow the steps in Email Notifications so future system emails don’t get filtered.

Account Email

The email address on your account serves two purposes:

  1. Your sign-in identifier
  2. The destination for all account emails (invitations, invoices, receipts, password resets, etc.)

If you change jobs or providers, update your email promptly:

  • Mobile app: Settings → Authentication → Change Email
  • Web dashboard: Settings → My Profile → Authentication card → Send Change-Email Confirmation

A confirmation link goes to both the old and new addresses; you must click the link in the new address to complete the change. Until that link is clicked, the old email is still your active sign-in identifier.

Signing Out

This device — Settings > Sign Out. Removes credentials from this specific device only.

All devices — currently requires a password change (which invalidates other active sessions) plus signing out manually anywhere you suspect a stale session. A “sign out everywhere” button is on the roadmap.

Deleting Your Account

Account deletion is permanent and removes:

  • All your flight log entries (visible to your group will be removed too — they’ll see your row as “Former Member”)
  • Your profile information, emergency contact, certificates, and ratings
  • Your saved manuals, bookmarks, and uploaded documents
  • Your ledger entries (charges and payments stay in the group’s ledger as historical records, but your name is anonymized)

If you are an Owner with other members in the group, you must transfer ownership first — the app will prompt you.

If you are the only member in the group, the entire group, aircraft, maintenance history, and ledger are also deleted.

To delete: Settings > Delete Account, then confirm.

Account deletion cannot be undone. Export your flight log to CSV first (Flights screen → menu → Export) if you want a copy of your records before deleting.

Reporting Security Issues

Found a vulnerability? Email support@blueskyapplications.com with the details and we’ll respond within 1 business day. We don’t yet have a formal bug bounty program, but we deeply appreciate responsible disclosure — please give us a reasonable window to fix before publishing.