Overview
To strengthen account security and reduce the risk of unauthorized access, Lusha has introduced mandatory two-factor authentication (2FA) for all paid users (Self-Serve and Enterprise) who sign in with email and password.
Each time you log in, you’ll be asked to enter a one-time 6-digit code sent to your email.
This update helps prevent credential-based attacks, misuse of credits, and unauthorized upgrades—while ensuring a smooth experience for legitimate users.
💡 Note: This update does not apply to users logging in via SSO (Google, Microsoft, Okta, Azure, or Custom SAML).
Use Cases
This feature is especially important for:
Protecting against credential leaks: If your password is compromised, a second factor is now required to access your account.
Preventing credit abuse: Attackers can no longer consume credits or upgrade plans without your knowledge.
Alerting users to suspicious logins: If someone tries to log in, you’ll receive the one-time code and know instantly.
Reducing security-related support issues: Helps avoid unnecessary frustration or time spent recovering accounts.
How It Works
Log In: Enter your email and password as usual.
Get a Code: A 6-digit code is sent to your registered email. The code is valid for 10 minutes.
Enter the Code: Input the code to complete your login.
Troubleshooting Login Issues
If you encounter issues during the login process, consider the following solutions:
Email Access Issues: If you no longer have access to the email linked to your account, you will not be able to receive the 6-digit code. In such cases, contact your account administrator or consider creating a new account with an updated email address. If this is not possible, contact our support team for further assistance.
Verification Code Problems: If you request multiple codes in a short period, you may face a temporary limit. Wait for the limit to reset or use an alternative login method if available. Ensure your email delivery system is functioning correctly to avoid delays.
Session Duration
Verification is required once every 30 days and is tied to the specific browser and device you use. If you switch browsers or devices, you will need to verify again. Once verified, the session will remain active for 30 days on that browser or device.
To stay logged in for 30 days, adjust your Inactivity Timeout settings:
On your Lusha Dashboard, click the Settings icon in the top-right corner.
Go to the Account Settings tab.
Set the Inactivity Timeout to 30 days.
You’ll stay logged in for up to 30 days, unless:
You log out manually
You switch browsers or devices
You use incognito mode
💡 Note: Setting up the Inactivity Timeout is only available for Scale accounts and can only be done by the account Admin.
Best Practices for Account Security
Always ensure that the email address linked to your account is active and accessible.
Avoid requesting multiple verification codes in quick succession to prevent temporary limits.
Regularly review and update your account security settings to ensure they meet your needs.
Re-enable 2FA after resolving any temporary issues to maintain a high level of account security.
If an Unauthorized Attempt Occurs
The attacker will not receive the code, and therefore cannot log in.
You will receive the code, which acts as a warning that someone tried to access your account.
We recommend updating your password immediately in this case.
