Security

Your affiliate account is connected to your earnings, your bank account, and your tax information. This guide covers how to keep it safe.

Why security matters

A compromised affiliate account is one of the worst possible outcomes for both of us:

• An attacker can change your payout method to redirect your commissions to their bank.
• An attacker can see your tax information.
• An attacker can manipulate your tracking codes to steer credit (or away from you).

The patterns we use are deliberately designed against the most common attack — payout redirection. That shapes a lot of the rules below.

Two-factor authentication is required

Every affiliate account has two-factor authentication required by default. This isn't optional — it's enforced at the system level. Until you enrol, you can't use the dashboard at all.

Two-factor authentication means that signing in (or doing certain sensitive actions) requires both:

1. Something you have access to — your email, where login links are sent.
2. Something you have on your phone — a six-digit code from your authenticator app.

Even if someone gets hold of your email, they can't sign in or change your payout method without your authenticator app too.

Setting it up

If you haven't already gone through this in onboarding:

1. Download an authenticator app to your phone. Common choices:

   • Google Authenticator (free, iOS and Android)
   • Authy (free, iOS, Android, and desktop)
   • 1Password (paid, integrates with the password manager)
   • Microsoft Authenticator (free, iOS and Android)

   Any standard authenticator app works.

2. Go to Settings → Security (/affiliate/settings/security) in the affiliate portal.

3. Click Enable two-factor authentication.

4. The portal shows a QR code. Open your authenticator app, choose "add account" (or the equivalent), and scan the code with your phone's camera.

5. Your authenticator app will start showing a six-digit code that changes every 30 seconds.

6. Enter the current code in the portal to confirm setup. You're done.

If you can't scan the QR code (using a desktop authenticator, for example), there's a written setup key you can copy and paste into your app instead.

Daily use

You won't need to enter a six-digit code every time you sign in. The login flow uses a secure link sent to your email, and that's enough for everyday actions.

However, certain sensitive actions require a fresh six-digit code:

• Submitting tax information (uploading a W-9 or W-8BEN, entering your TIN)
• Changing your payout method (linking a new bank account, switching to a different method)
• Disabling two-factor authentication
• Deleting your account

Anything that could redirect money or leak identity data falls into this category. If you haven't entered a code recently, you'll be prompted to when you hit one of those flows.

The 15-minute security window

Once you've entered a fresh six-digit code, you won't be asked again for 15 minutes during the same session. So if you're working through several settings changes in a row, you only need to verify once at the start.

After 15 minutes, the next sensitive action will prompt you again. This balances convenience with protection — long enough that you're not constantly typing codes for related actions, short enough that an attacker who briefly hijacked your session can't use that to keep redirecting money.

Lost your authenticator?

This happens. New phone, lost phone, deleted the app — there are plenty of ways to end up locked out.

Important: there are no backup codes. Some services give you a list of one-time backup codes when you enable two-factor authentication. We deliberately don't, because backup codes can be screenshotted, leaked, or forgotten in unsafe places.

Instead, the recovery path is:

1. Email hello@moonfactory.dev immediately. Tell us you've lost access to your authenticator.
2. We'll respond with identity verification questions. This typically asks about your account history — recent commissions, recent referrals, the email tied to the account, etc.
3. Once verified, we'll reset your two-factor authentication so you can enrol with a new authenticator app.

Recovery typically takes a few business days. We deliberately keep the bar high because two-factor resets are one of the most common attack paths against accounts that handle money — we'd rather make you wait a few days than make it easy for an attacker to impersonate you.

How to avoid this in the first place

Most authenticator apps offer some way to back up or transfer your accounts:

• Authy has cloud backup with a master password.
• 1Password stores codes in your password vault, which is already backed up.
• Google Authenticator has a transfer feature for moving to a new phone (use it before you wipe the old one).
• Microsoft Authenticator has cloud backup tied to a Microsoft account.

Pick whichever fits how you already manage your accounts, and turn on the backup option from day one. The 30 seconds it takes to set up beats the few business days of recovery if you ever lose access.

If you're switching phones, do the migration before wiping the old phone. The old device is the simplest source of truth.

Account safety practices

A few habits that protect your account beyond two-factor authentication:

Don't share your sign-in link

The login link sent to your email is single-use and short-lived (15 minutes), but it does grant access until you sign out. Don't forward sign-in emails to others. Don't paste sign-in links in shared chats.

Use a unique email

Use an email address that's only yours and that you control long-term. Don't use shared inboxes (info@, team@, etc.) — anyone with access to that inbox can sign in as you.

If you've been using a shared inbox and want to switch, contact us; we can change the email tied to your account after identity verification.

Keep your authenticator secure

Treat your phone's authenticator app like a key to a safe — because functionally, that's what it is. If you set a passcode on your phone, set one strong enough that someone can't guess it from over your shoulder. Many authenticator apps also let you require Face ID or fingerprint to open the app itself; turn that on if it's available.

Sign out from shared devices

If you sign in from a shared computer (a coworking space, a friend's machine, an internet cafe), explicitly sign out when you're done rather than just closing the tab.

Report suspicious activity

If you notice anything weird — a sign-in you don't remember, a payout method change you didn't make, an unfamiliar tracking code on your account — email hello@moonfactory.dev immediately. Faster response means more containable damage. We'd much rather have you flag a false alarm than have a real incident go unreported.

Watch for phishing

We will never ask for your authenticator code, your bank details, or your tax information by email. If you get an email asking for any of that, even one that looks like it's from us, don't reply — log into the portal directly to do the action, or email hello@moonfactory.dev to verify.

Where to go next

• Onboarding guide — initial setup
• Payouts guide — sensitive actions around payouts
• FAQ — common security questions

Need help? Email us at hello@moonfactory.dev or open a support request from your dashboard.