Buttondown Documentation
Buttondown offers multi-factor authentication (often referred to as MFA) to protect your account against common threats such as phishing, brute force attacks, and password theft that may be made by malicious actors.
If you're not familiar with MFA, you can read this article to learn more about it. At a high level, it means adding an additional piece of evidence when logging in to prove who you say you are. (Ever had to type in a six-digit code sent to your phone after putting in your username and password? That's MFA!)
To register an authentication token and enroll your account in MFA, head over to the Security settings page.
You should see a table containing multi-factor authentication tokens:
Please note that at this time, Buttondown only supports third-party authenticator apps such as Google Authenticator and not physical security keys or SMS. (If you feel strongly about this, please add a comment with your particular use case on this Github issue.)
No interesting reason, just technical debt! This is something I hope to improve in the future.
Buttondown is of course fully GDPR compliant. In short, your data is yours, your subscribers’ data belongs to them, and we don’t collect anything that we don't have to in order to do our jobs.
You can learn more about Buttondown's GDPR compliance here.
Sadly, Buttondown doesn't have the security budget to offer a bug bounty, but we would be deeply indebted to you for doing so! Please report any vulnerabilities to our support team — we promise to respond promptly and provide a fix as soon as humanly possible.
Sincere kudos to the following individuals for reporting vulnerabilities:
By default, link and click tracking is turned off on Buttondown.
If you'd like to enable these pieces of functionality, you can go to Tracking in your Buttondown settings.