Keep your Aesthetix CRM account secure by regularly updating your password and adding an extra layer of login protection with Two-Factor Authentication (2FA). This guide walks you through changing your password, setting up an authenticator app for time-based verification codes, and completing the 2FA challenge that Aesthetix CRM requires for sensitive profile changes such as updating your phone number. Following these steps helps protect your personal and business information against phishing, SIM-swap attacks, and account takeover.
Regularly updating your password is one of the simplest ways to protect your account. Use a strong, unique password that you don't reuse on other sites.
Step 1: Click on "Settings".
Step 2: Click on "My Profile".
Step 3: Navigate to the change password section.
Step 4: Click in the current password field and enter your current password.
Step 5: Click in the new password field and enter your new password.
Step 6: Click in the confirm password field and re-enter your new password.
Step 7: Click "Update Password" to save your changes.
Two-Factor Authentication (2FA) adds an extra layer of security to your account by requiring a second verification step at login. Authenticator App support integrates time-based one-time password (TOTP) functionality into your Aesthetix CRM account, letting you link your account with apps like Google Authenticator, Microsoft Authenticator, and Authy for an extra layer of protection. By moving to app-based verification, you gain stronger security than traditional SMS or email verification methods.
Note: Aesthetix CRM supports any TOTP-based authenticator app, including Google Authenticator, Microsoft Authenticator, Authy, and others.
Authenticator app integration lets you secure your account easily using popular authenticator apps (Google Authenticator, Microsoft Authenticator, Authy), generating time-sensitive verification codes (TOTPs) for safe logins.
Quick setup via QR code or manual entry.
Generates rapidly expiring codes for enhanced security.
Provides backup codes to ensure you retain account access.
This feature improves both security and usability while aligning with modern compliance standards. By enabling app-based authentication, you gain:
Enhanced security: Protects against phishing and SIM-swap attacks by using a time-based verification code.
User flexibility: Lets you choose your preferred authenticator app to fit your personal workflow and security needs.
Compliance ready: Meets current security best practices, reinforcing overall account governance.
Setting up an authenticator app gives you the option to use it alongside your phone number and email for verifying your identity during login.
Step 1: Navigate to the Two-Factor Authentication (2FA) section.
Go to Settings > My Profile. Click the Setup button to get started. Use your preferred authenticator app to scan the displayed QR code, or manually enter the setup code provided.
Step 2: Input the OTP from the authenticator app to finish the setup.
After scanning the QR code or manually entering the provided setup code into your authenticator app, the app will display a one-time password (OTP). Click Next in Aesthetix CRM, enter this OTP, and complete the setup.
Step 3: Save your backup codes.
Store the backup codes securely so you can still access the system if you lose access to your authenticator app. If your backup codes are lost or accessed by others, you can reset them from My Profile.
Please note: On your next login, select the authenticator app option for 2FA and authenticate using the generated OTP.
Important:
Only the primary logged-in user can set an authenticator app on their own account. Admins cannot set up an authenticator app for other users by using "login as."
Ten backup codes are generated at a time, and each code can be used only once.
Your account name will be visible in the authenticator app. The authenticator app is set up for a specific user-account combination.
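To make the "time-based" part concrete, here is an added example (not Aesthetix CRM's code) of the TOTP scheme the listed apps implement (RFC 6238: HMAC-SHA1, 30-second steps, 6 digits), including the decoding of the base32 setup key shown beside the QR code and a server-side check that tolerates one step of clock skew but refuses a code that was already redeemed. The secret and timestamps are the RFC's published test values, not anything from this account.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # time step used by Google/Microsoft Authenticator and Authy
DIGITS = 6         # Aesthetix CRM asks for a 6-digit code


def decode_setup_key(key: str) -> bytes:
    """Turn the base32 setup key shown next to the QR code into raw bytes."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # apps often omit base32 padding
    return base64.b32decode(cleaned)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP (RFC 4226) over the time counter floor(unix_time / step)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, used_counters: set, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or `window`
    steps either side (clock skew), but never a counter that was already
    redeemed, so a code captured during its validity window cannot be replayed."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter in used_counters:
            continue
        if hmac.compare_digest(totp(secret, counter * STEP_SECONDS), code):
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret (constructed input, not a real account key)
    secret = decode_setup_key("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code right now:", totp(secret, int(time.time())))
```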
Aesthetix CRM requires Two-Factor Authentication (2FA) whenever a user's phone number is changed. This aligns phone updates with the existing email-change + 2FA flow, closes a high-risk account-takeover path, and improves overall security. You can complete verification using Email, SMS (to an existing verified number), or an Authenticator App (TOTP).
Mandatory 2FA adds a verification challenge any time a user attempts to change the phone number on their Aesthetix CRM profile. The verification must be completed using a previously verified channel—your existing email, your existing verified phone number, or a TOTP authenticator app if you've enabled it. Aesthetix CRM enforces a 2FA check before saving any phone number change, and OTPs/codes are delivered only to trusted, verified channels, never to the new phone number being added. This prevents attackers from swapping your number and taking over your account.
Account security: Prevents phone-swap takeovers by blocking OTPs from being sent to a brand-new number.
Consistency: Mirrors the email-update + 2FA experience, reducing confusion across profile changes.
Compliance and trust: Strengthens identity controls across critical profile data.
Abuse protection: Daily attempt limits reduce brute-force or spammy change requests.
Verifying at least one secure channel beforehand ensures you can pass 2FA when updating your phone number. Use this checklist before attempting a change.
You must have at least one verified channel on your profile:
Verified Email (recommended)
Verified Phone (SMS)
Authenticator App (TOTP) enabled (optional, recommended)
You must be able to access the selected channel during the update.
Your role and permissions must allow editing your own profile. Admins must have permission to edit team member profiles if performing updates on behalf of others.
Tip: If you currently have no verified channel, set up TOTP or verify your email first so you don't get blocked during the phone update.
Aesthetix CRM only offers verification options that are already trusted for your account.
Email (OTP to existing verified email) – always offered if your email is verified.
SMS (OTP to existing verified phone) – offered only if your current phone on file is already verified.
Authenticator App (TOTP) – offered if you previously enabled a TOTP app.
Not allowed: An OTP cannot be sent to the new phone number being added.
What you'll see in-product: A channel selection modal listing eligible options only.
Rate limiting protects accounts from abuse. Knowing the limits helps you plan updates and troubleshoot lockouts.
A maximum of 5 phone/email change attempts per user per day is allowed.
When the daily limit is reached, further attempts are blocked until the counter resets.
In-app messaging will inform you that you've hit the limit and to try again later.
Note: If you encounter a limit unexpectedly, confirm whether another admin or automated process attempted changes on your behalf the same day.
The experience is similar for everyone, but admins may initiate changes on behalf of team members. Understanding who receives the OTP and where to start avoids confusion.
Self-service (User): Start from your own profile and select a verified channel to complete 2FA.
Admin-initiated (Team member): Begin from Settings > Team (or your team management page). The OTP is delivered to the team member's verified channel(s), not the admin's.
These safeguards help your organization maintain a secure, trackable profile change process and quickly identify suspicious behavior.
OTPs are never sent to the new phone number being added.
Only verified channels are eligible for OTP delivery.
Changes are subject to daily attempt limits to curb brute-force activity.
If enabled for your account, review audit/activity logs to see who initiated changes and when.
Consider enabling TOTP to add a code option that works even when SMS is unavailable.
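The channel-eligibility rule, the daily attempt limit and the "OTP goes to the edited user, never to the admin or the new number" rule described above, written out as an added example of a server-side policy check. This is illustrative code, not Aesthetix CRM's implementation; the Profile fields, user ids and phone numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DAILY_LIMIT = 5  # phone/email change attempts per user per day


@dataclass
class Profile:
    """Hypothetical view of the profile being edited (not the acting admin's)."""
    user_id: str
    email: str
    email_verified: bool
    phone: Optional[str]
    phone_verified: bool
    totp_enabled: bool
    change_attempts_today: int = 0


def eligible_channels(target: Profile) -> List[str]:
    """Only channels already verified on the account may carry the challenge;
    the number being added is never a candidate."""
    channels = []
    if target.email_verified:
        channels.append("email")
    if target.phone and target.phone_verified:
        channels.append("sms")
    if target.totp_enabled:
        channels.append("totp")
    return channels


def start_phone_change(target: Profile, new_phone: str, channel: str) -> Dict[str, object]:
    """Decide whether the change may proceed and where the OTP must go.
    `target` is the profile being edited, so an admin acting on a team member
    still routes the OTP to that team member's verified channel."""
    if target.change_attempts_today >= DAILY_LIMIT:
        return {"allowed": False, "reason": "daily limit reached"}
    target.change_attempts_today += 1  # every attempt counts toward the limit
    channels = eligible_channels(target)
    if not channels:
        return {"allowed": False, "reason": "no verified channel; verify email or enable TOTP first"}
    if channel not in channels:
        return {"allowed": False, "reason": f"channel {channel!r} is not verified for this account"}
    destination = {"email": target.email, "sms": target.phone, "totp": "authenticator app"}[channel]
    assert destination != new_phone  # defensive: never the number being added
    return {"allowed": True, "channel": channel, "otp_destination": destination}
```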
Follow the steps below to update a phone number securely. Steps include both the self-service flow and the admin flow, where applicable.
Self-service flow (your own profile):
Step 1: Go to Settings > My Profile (or your user profile page).

Step 2: In Personal Data, edit the phone number.

Step 3: Enter the new phone number, then click "Update Profile".

Step 4: When the "Choose how to verify" modal opens, select one of your available channels:
Email (OTP sent to your verified email)
Text message (OTP sent to your existing verified phone)
Use Authenticator App (enter the 6-digit TOTP)
Step 5: Click "Continue". If you selected Email or SMS, retrieve the OTP and enter it to verify.

Step 6: After successful verification, confirm the change.
You'll see a success message, and your profile will reflect the new number.
Important: If you don't see SMS as an option, your current phone is not verified. Use Email or Authenticator App instead, or verify your phone first.
Admin flow (on behalf of a team member):
Step 1: Go to Settings > Team and open the team member's profile.
Step 2: Edit the Phone number and enter the new number.

Step 3: On "Choose how to verify", select an available channel.
The code is delivered to the team member's verified email/phone, or they can provide the code from their Authenticator App.

Step 4: Enter the OTP (or have the team member provide it securely) and click "Continue" to complete the change.
Security reminder: OTPs will not be sent to the new number you're adding.
If you encounter errors or cannot complete verification, use these tips to resolve common issues quickly.
No verification options available: Set up TOTP or verify your email first. You must have at least one verified channel to proceed.
Don't see SMS as an option: Your current phone is not verified. Use Email/TOTP, or verify the existing number.
OTP not received: Check your spam/junk folder, confirm you have network coverage for SMS, and request a new code once the resend timer allows.
Daily limit reached: You've hit the 5-attempts-per-day limit. Wait for the reset and try again. Consider completing TOTP setup to reduce reliance on SMS.
Lost access to both email and phone: Use backup codes (if enabled) or contact your account owner/admin for assistance.
Can I use any authenticator app for this feature?
Yes, you can use any TOTP-based authenticator app such as Google Authenticator, Microsoft Authenticator, or Authy.
What should I do if I lose my authenticator device or backup codes?
You can regenerate backup codes from My Profile; however, it is crucial to store them securely to prevent unauthorized access.
Are there any restrictions on who can set up the authenticator app?
Only the primary user can set up the authenticator app for their account. Admins cannot configure it using "login as."
How many backup codes are generated, and how are they used?
Ten backup codes are generated at a time, and each code can be used only once for account recovery.
What security improvements does the authenticator app provide over SMS or email verification?
Authenticator apps generate time-based codes that are more secure against phishing and SIM-swap attacks than SMS and email methods.
Why can't I send the OTP to my new phone number?
For security, OTPs only go to channels already verified on your account. This blocks attackers from adding a new number and receiving the OTP there.
I don't see SMS as a verification option—what should I do?
SMS appears only if your existing phone is verified. Use Email or Authenticator App (TOTP) instead, or verify your current phone first.
How many times can I attempt a change per day?
You can attempt up to 5 phone/email changes per user per day. After that, you'll be temporarily blocked until the counter resets.
Who receives the OTP when an admin updates a user's phone?
The user being edited. OTPs are sent to that user's verified channels, not to the admin.
Can I use my authenticator app instead of Email/SMS?
Yes, if you've enabled TOTP for your account, you can select Use Authenticator App during verification and enter your current 6-digit code.
What if I've lost access to both my email and phone?
Use backup codes (if available) or contact your account owner/admin for identity verification and recovery support.
Does this change anything about updating my email address?
Email updates already require 2FA. Phone updates now follow the same security standard for consistency and safety.