Bubble account security

This section covers how to keep your Bubble account secure.

Last updated 13 days ago

Your Bubble account is a very important part of security, for several reasons. It's crucial for the protection of your app's data and user information, and for stopping an intruder from creating, editing, deleting, copying or transferring ownership of your app(s).

A secure account prevents potential misuse.

Keep in mind that all the security measures you add to your app can potentially be circumvented and even removed if someone gains access to your Bubble account.

In this article, we'll look at how to keep your account secure.

Authentication

For Enterprise plan users, we provide single sign-on (SSO) capabilities. See the article below for more information:

Article series: Bubble for enterprise

Password

Your password and any extra authentication are set at the account level, not at the app level. In other words, these settings apply to all your apps.

A robust password policy reduces the risk of unauthorized access. To create and maintain a strong password policy, keep these guidelines in mind:

  1. Use unique passwords: Avoid reusing passwords across multiple accounts.

  2. Create complex passwords: Make sure your passwords are at least 12 characters long and include a mix of uppercase and lowercase letters, numbers, and special symbols. This makes it harder for attackers to crack your password using brute-force methods.

  3. Update passwords regularly: Change your passwords every 3-6 months to minimize the risk of unauthorized access. Avoid predictable patterns when updating your password.

  4. Use a password manager: A reliable password manager can help you generate and store complex, unique passwords. This eliminates the need to remember multiple passwords while ensuring they remain secure.

Two-factor authentication (2FA)

We strongly recommend enabling 2FA to protect your account. It adds a critical layer of security by requiring a second verification step, making unauthorized access much more difficult—even if your password is compromised. While not required, skipping 2FA significantly increases your risk of account takeover.

Enabling two-factor authentication

  1. Click Enable 2FA and follow the steps to set it up.

Google Authenticator and Authy compared

Google Authenticator and Authy are both mobile apps that provide one-time passcodes (TOTP) that you enter when logging into your Bubble account, in addition to your regular password.

There are some pros and cons with each solution, and the points below can help you choose the one that's right for you:

Authy

Authy is developed and maintained by Twilio.

Pros:

  1. Multi-device support: Authy allows you to use multiple devices simultaneously, making it easier to switch between your phone, tablet, or desktop.

  2. Cloud backup: Authy enables encrypted cloud backups, which makes it simpler to recover your account in case you lose your device or need to reinstall the app.

Cons:

  1. Reliance on a third-party service: Authy's cloud backup feature can be a potential security concern for some users, as it relies on a third-party service for storing your data.

Google Authenticator

Google Authenticator is developed and maintained by Google.

Pros:

  1. Developed by a trusted company: As a Google product, it benefits from the company's security expertise and reputation.

  2. Local storage: Google Authenticator does not offer a cloud backup feature, which removes a potential security threat.

Cons:

  1. No multi-device support: Google Authenticator does not support multiple devices simultaneously, which can be inconvenient if you switch devices or lose your phone.

  2. No cloud backup: Google Authenticator does not offer a built-in backup feature, making it more challenging to recover your 2FA accounts if you lose your device or need to reinstall the app.

We strongly recommend using 2FA for your account, but do not recommend one solution over the other.

Backup codes

To ensure you don't lose access to your account if you lose access to the code generator, you can generate backup codes. This is a list of one-time-use unique strings that gives you access to the account in the same way as a code generated by Authy or Google Authenticator would.

Backup codes should be kept strictly confidential. Password managers sometimes offer a way to store backup codes in an encrypted database to keep them secure.

How Bubble stores and checks password

Bubble uses industry-standard security practices to protect account passwords and keep them secure.

Here's a brief explanation of how these techniques work:

  1. Hashing: When you create or update your password, Bubble doesn't store the plain-text version of it. Instead, we use a cryptographic hash function to convert your password into a fixed-size string of characters, which is then stored in the database. What this means in practice is that a potential intruder not only can't see your password string, they can't even determine its length, since all the hashed passwords have the same number of characters. Hash functions are designed to be one-way, meaning it's extremely difficult, if not impossible, to reverse-engineer the original password from the hash. When you log in, Bubble hashes the password you provide and compares it with the stored hash. If the hashes match, the password is correct, and you are granted access. In short, even Bubble's engineering team does not have access to your password: only you do.

  2. Salting: To further enhance the security of hashed passwords, we use a technique called salting. A salt is a unique, random string of characters generated for each user. This salt is combined with the user's password before it's hashed. The resulting hash is then stored in the database alongside the salt. Salting makes it much harder for attackers to use precomputed tables of hashes (called rainbow tables) or other methods to crack passwords, as they would need to compute hashes for each unique salt.
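
The store-and-check flow from the two points above, as an added example that is not Bubble's code. The page does not name the hash function, so PBKDF2-HMAC-SHA256, the iteration count, and the `AccountStore` class are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example; the page does not state Bubble's.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-hash the attempt with the stored salt; compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


class AccountStore:
    """Hypothetical in-memory user table: holds salt and digest, never the password."""

    def __init__(self) -> None:
        self._rows = {}

    def set_password(self, user: str, password: str) -> None:
        self._rows[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        row = self._rows.get(user)
        if row is None:
            # Do the same work for unknown users so timing does not reveal them.
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        salt, stored = row
        return verify_password(password, salt, stored)

    def record(self, user: str) -> Tuple[bytes, bytes]:
        return self._rows[user]


if __name__ == "__main__":
    store = AccountStore()
    # Constructed sample data: two users who chose the same password.
    store.set_password("alice", "correct horse battery staple")
    store.set_password("bob", "correct horse battery staple")
    for name in ("alice", "bob"):
        salt, digest = store.record(name)
        print(name, salt.hex(), digest.hex())  # different salt and digest per user
    print(store.login("alice", "correct horse battery staple"))
    print(store.login("alice", "wrong guess"))
```

Because each user gets a separate salt, two identical passwords produce unrelated stored values, and every stored digest has the same length regardless of how long the password was.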

To enable two-factor authentication, first go to your Account page (after logging in).

From there, navigate to the security tab.