Sign-In Methods

The Settings > Security page shows your primary sign-in method and any backup password. Add, change, or remove each from here.

Overview

How you get into your account in the first place.

The Sign-in methods section on Settings > Security shows your primary sign-in method and, when applicable, a backup password. Every Laureo account is pinned to a single primary method — Google, Microsoft, or email and password — and that is the method you sign in with from then on. See Primary and Backup Sign-In for the why.

Your account always keeps at least one method
The page blocks you from unlinking or removing your only sign-in method. It also prevents you from unlinking the provider marked as your primary. Without these guardrails, losing a single identity could lock you out permanently.

What Each Card Shows

The Password card sits at the top; the OAuth provider rows sit underneath.

Password

Labeled Password if your primary is email and password, and Backup password if your primary is Google or Microsoft and you have added a fallback password. Status is Active when a password is set or Not set when you only sign in through a provider. The action button reads Change password when one is set; if you are OAuth-primary with no backup password, it reads Set backup password and routes you through the forgot-password flow.

Google

Sign in with your Google account. The row shows either Linked or Not connected. When the Google row is your primary, a Primary badge appears next to the label and the Unlink button is disabled with a tooltip that reads "This is your primary sign-in method and cannot be unlinked." A green checkmark indicates a linked identity.

Microsoft

Sign in with your Microsoft or Azure AD account. Same row pattern as Google — shows Linked or Not connected, surfaces the Primary badge when applicable, and disables Unlink on the primary identity.

If your primary is Google or Microsoft, only that row appears
When your primary provider is Google or Microsoft, the OTHER OAuth provider row is hidden — you cannot add it as a second sign-in. To switch primary providers, an administrator must use the admin migration flow. See Changing Your Sign-In Method.

If your primary sign-in method is email and password, you can link one OAuth provider — either Google or Microsoft. After linking, that provider button on the sign-in page works for you, but your account is still email-primary and the OTHER provider stays hidden. Linking a provider also creates an integration token that the inbox and calendar use, so you do not need to connect the integration separately. See Primary and Backup Sign-In.

1. Click Link Google or Link Microsoft

The button is on the right of the provider row. If your primary is Google or Microsoft, only the primary row is shown — the other row is hidden and there is no Link button to click.

2. Complete the provider sign-in

You are redirected to Google or Microsoft to authorize the link. Sign in as the account you want to attach.

3. Return to Settings > Security

You are redirected back. The provider row now shows Linked with a green checkmark.

Why link a provider if I am email-primary?
Two practical reasons: (1) one-click sign-in via that provider, instead of typing email and password every time, and (2) the inbox and calendar can read your email and meetings without a separate integration step in Settings > Integrations.
1. Click Unlink

The Unlink button is on the right of the linked provider row. If the linked row is your primary sign-in method, or if this would leave you with zero sign-in methods, the button is disabled and a tooltip explains why.

2. Re-verify with step-up reauth

Removing a sign-in method weakens your account, so the app asks you to verify it is really you first. Use your password, authenticator, or passkey.

3. Confirm in the dialog

The dialog reminds you that you will no longer be able to sign in through that provider. Confirm to proceed.

4. Provider is removed

The row flips back to "Not connected" and the Link button is active again.

The unlink guardrails
Two cases disable the Unlink button: (1) the row is your primary sign-in method — tooltip reads "This is your primary sign-in method and cannot be unlinked", and (2) unlinking would leave you with no way to sign in — tooltip reads "This is your only sign-in method. Add a password or another provider before unlinking." For case (1), an administrator must run the sign-in migration; see Changing Your Sign-In Method.

Setting a Backup Password on an OAuth-Primary Account

If your primary is Google or Microsoft, you can add a backup password as a fallback.

OAuth-primary accounts are fully functional — you do not need a password. But adding a backup password gives you a second way in if your provider has an outage or your Google / Microsoft account changes. The action is on the Password card at the top of the Sign-in & verification section, and it routes through the forgot-password flow because it requires verification by email.

1. Set up two-factor authentication first

Without 2FA, a backup password lets anyone with brief access to your inbox bypass your provider. The flow refuses to proceed until at least one MFA factor is enrolled. See Two-Factor Authentication.

2. Click Set backup password

The Set backup password button is only shown when no password is set on an OAuth-primary account. It routes you to the forgot-password page.

3. Confirm your identity by email

You receive a link at your primary email address. Clicking the link returns you to a page where you can choose the backup password.

4. Enter the new password

The new password must meet the same policy rules that apply at signup — length, character variety, and rejection of leaked or obvious passwords.

5. Save

Once saved, the Password card flips to "Backup password — Active" and the action button becomes Change password.

Changing Your Password

Rotate your password when you suspect it is compromised or just as routine hygiene.

1. Click Change password

The button is on the right of the Password card.

2. Re-verify with step-up reauth

The app asks you to prove it is you. Use your current password, an authenticator, or a passkey.

3. Enter the new password

Same policy rules as signup. The form rejects weak, reused, or known-leaked passwords.

4. Save and optionally sign out other devices

After a successful change, consider running Sign out other sessions from the Active sessions card so any device that had the old password is kicked off.

Password policy
The new-password form applies the same validation as the signup page: a minimum length, a mix of character types, and rejection of passwords that appear in known-breach datasets. If the form rejects a password, try one that is longer or more unusual rather than tweaking capitalization.

Common Error Messages

What the warnings on this card actually mean.

  • "This is your primary sign-in method and cannot be unlinked" — The primary-provider guardrail. To change your primary, an administrator must run the migration flow.
  • "This is your only sign-in method" — The zero-methods guardrail. Add a password or link another provider before unlinking.
  • "Failed to start link flow" — The provider redirect could not be constructed. Try again; if it persists, check for browser extensions blocking cross-site requests.
  • "Failed to unlink identity" — The backend rejected the unlink, usually because of a race condition: by the time the request ran, the unlink would have left you with zero sign-in methods. Reload the page and try again.
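
The unlink guardrails and the race behind "Failed to unlink identity", shown as an added example that is not Laureo's code: a server-side unlink that re-checks both rules inside one write transaction, so a disabled button is never the only protection. The `methods` table, the function names and the sample rows are assumptions made up for illustration.

```python
import sqlite3

PRIMARY_MSG = "This is your primary sign-in method and cannot be unlinked"
ONLY_MSG = "This is your only sign-in method"

class UnlinkRefused(Exception):
    """Raised when a guardrail blocks the unlink; nothing is deleted."""

def make_db(rows):
    # Hypothetical schema: one row per sign-in method a user holds.
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.execute("CREATE TABLE methods (user_id INTEGER, kind TEXT, "
               "is_primary INTEGER, PRIMARY KEY (user_id, kind))")
    db.executemany("INSERT INTO methods VALUES (?, ?, ?)", rows)
    return db

def methods(db, user_id):
    cur = db.execute("SELECT kind FROM methods WHERE user_id = ? ORDER BY kind",
                     (user_id,))
    return [kind for (kind,) in cur]

def unlink(db, user_id, kind):
    # Take the write lock before reading, so the checks and the delete
    # cannot be interleaved with another request for the same account.
    db.execute("BEGIN IMMEDIATE")
    try:
        row = db.execute("SELECT is_primary FROM methods WHERE user_id = ? AND kind = ?",
                         (user_id, kind)).fetchone()
        if row is None:  # already removed, e.g. by a request from a stale tab
            raise UnlinkRefused("Failed to unlink identity")
        if row[0]:
            raise UnlinkRefused(PRIMARY_MSG)
        if len(methods(db, user_id)) <= 1:
            raise UnlinkRefused(ONLY_MSG)
        db.execute("DELETE FROM methods WHERE user_id = ? AND kind = ?", (user_id, kind))
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise

# Constructed sample rows. User 2 has no primary flag on purpose, so the
# zero-methods check is exercised on its own.
SAMPLE = [(1, "google", 1), (1, "password", 0), (2, "google", 0), (2, "password", 0)]
```

Because the count is read under the same lock as the delete, a second request that arrives after the first has committed sees the updated state and is refused instead of removing the last method.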