
Miru Now Supports 2FA: Authenticator Apps and Passkeys

Your Miru account just got a lot more secure. TOTP authenticator apps and passkey sign-in are live today.

Vipul A M · 2 min read

Let’s be direct about what’s behind your Miru password: client names, billing addresses, project rates, payment details, invoice histories, and hours worked. For a consulting company, that’s the entire financial relationship with every client you’ve ever billed. One compromised password and it’s all exposed.

Until today, Miru accounts were protected by a single password. That was insufficient. We knew it. You knew it. Today we’re fixing it.


TOTP Authenticator Apps


Two-factor authentication via TOTP (time-based one-time passwords) is live now for all Miru accounts. It works with any authenticator app — Google Authenticator, 1Password, Bitwarden, Authy, whatever you already use.

Setup takes three steps:

  1. Go to Profile > Settings > Authenticator App 2FA and click “Set up 2FA.”
  2. Copy the secret key into your authenticator app (or scan the provisioning URI if your app supports it).
  3. Enter the 6-digit code your app generates. Done.

From that point on, every sign-in requires your password plus a fresh code from your authenticator. The code rotates every 30 seconds. Even if someone gets your password from a data breach or phishing attempt, they can’t get in without physical access to your device.
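How the 6-digit code from step 3 is derived from the secret key and checked at sign-in, as an added Ruby example that is not Miru's code: RFC 6238 TOTP with the 30-second step described above. HMAC-SHA1, the ±1 step drift window, the replay check via `last_counter`, all function names, and the sample secret (the RFC test key) are assumptions of this example.

```ruby
require "openssl"
require "erb"

# Added illustration (not Miru's code): RFC 6238 TOTP, HMAC-SHA1, 6 digits, 30 s step.
B32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
# Constructed sample: the RFC 6238 test secret ("12345678901234567890"), not a real key.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Decode the base32 secret key that the user copies into the authenticator app.
def base32_decode(str)
  bits = str.upcase.delete("= ").each_char.map { |c|
    idx = B32_ALPHABET.index(c) or raise ArgumentError, "invalid base32 character"
    idx.to_s(2).rjust(5, "0")
  }.join
  [bits[0, bits.length / 8 * 8]].pack("B*") # drop any trailing partial byte
end

# HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation.
def hotp(key, counter, digits = 6)
  mac = OpenSSL::HMAC.digest("SHA1", key, [counter].pack("Q>"))
  offset = mac.getbyte(mac.bytesize - 1) & 0x0f
  code = mac.byteslice(offset, 4).unpack1("N") & 0x7fffffff
  (code % 10**digits).to_s.rjust(digits, "0")
end

# Compare two codes without returning early on the first differing byte.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the matched time-step counter or nil; store it and pass it back as
# last_counter on the next attempt so an observed code cannot be replayed.
def verify_totp(secret_b32, submitted, now, last_counter: nil, drift: 1, step: 30)
  key = base32_decode(secret_b32)
  current = now.to_i / step
  matched = nil
  ((current - drift)..(current + drift)).each do |c|
    next if last_counter && c <= last_counter
    matched ||= c if secure_eq(hotp(key, c), submitted.to_s)
  end
  matched
end

# otpauth:// key URI that authenticator apps accept as a link or QR code.
def provisioning_uri(secret_b32, account, issuer)
  label = ERB::Util.url_encode("#{issuer}:#{account}")
  "otpauth://totp/#{label}?secret=#{secret_b32}&issuer=#{ERB::Util.url_encode(issuer)}"
end
```

Without the `last_counter` check, a code captured during its validity window could be submitted a second time within the same window.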

When you enable 2FA, Miru generates a set of one-time recovery codes. Save them somewhere safe — a password manager, a printed sheet in a locked drawer, wherever you keep important things. Each code works once. They’re your fallback if you lose your phone or switch authenticator apps.


Passkey Support

Passkeys are the newer standard. Instead of typing a password and then a code, you authenticate with your device’s biometrics (fingerprint or face scan) or a hardware security key. One gesture. No codes. No phishing possible because the credential is bound to the domain.

Miru now supports passkey sign-in alongside traditional password + TOTP. You can use either. You can use both. The passkey option shows up on the sign-in page if your browser supports WebAuthn (Chrome, Safari, Firefox, and Edge all do).

For teams that standardize on hardware keys like YubiKeys, this is the setup you’ve been waiting for.


What’s Not Here Yet

SSO and SAML. If you’re a larger organization that manages authentication through Okta, Azure AD, or Google Workspace, we hear you. SSO is on the roadmap for the Enterprise plan. It’s the kind of feature that requires careful implementation — getting the session lifecycle, provisioning, and de-provisioning right matters more than shipping it fast.

For now, 2FA via authenticator apps and passkeys covers the vast majority of teams. It’s a massive improvement over password-only access, and it’s available today on every plan, including the free tier.


Turn It On

Go to your profile settings. It takes sixty seconds. The security of your clients’ financial data shouldn’t depend on whether someone reused a password from a 2019 LinkedIn breach.

Your data deserves better than a single password. Now it has it.


Vipul A M

Co-founder at Saeloun. Building Miru. Rails contributor. Shipping from Pune, India.
