Account security
Your Asterune account is yours alone, and keeping it secure protects your profile, your Runes, and anything you've created. This page covers the security tools available to you and the habits that keep your account safe.
Use a strong, unique password
Your password is the first line of defence for your account. We recommend:
- A unique password that you don't use anywhere else. If another site is breached, a reused password puts your Asterune account at risk
- Length over complexity: a longer passphrase is harder to guess than a short string of symbols
- A password manager to generate and store a strong password so you don't have to remember it
You can change your password at any time from Settings > Security > Password. If you've forgotten it, see Account recovery.
Turn on two-factor authentication (2FA)
Two-factor authentication adds a second step when you sign in, so that knowing your password alone is not enough to access your account. We strongly recommend enabling it. Asterune supports the following methods, which you can manage from Settings > Security > Two-factor authentication:
- Authenticator app (recommended): generate time-based codes with an app such as Google Authenticator, Authy, or 1Password. This is the most secure of the standard options and works even without a network connection
- Passkeys and security keys: sign in with a passkey stored on your device, or a hardware security key (such as a YubiKey). Passkeys use your device's biometrics or PIN and are highly resistant to phishing
- Email OTP: receive a one-time code at your account email address when you sign in (requires a verified email)
For the strongest protection, set up a passkey or an authenticator app rather than relying on Email OTP alone.
Note: A verified phone number is used for voice chat access, not for two-factor authentication. Asterune does not send 2FA codes by SMS.
Set up more than one method
We recommend enabling more than one sign-in method so you're never locked out if you lose access to one. For example, register a passkey and an authenticator app, or keep Email OTP available as a fallback (this requires a verified email). Having a second method is the simplest way to avoid getting locked out. See Account recovery for what to do if you lose access to all of them.
Verify your email address
A verified email is essential for account recovery and for receiving important security notifications. If your email is unverified, go to Settings > Security > Email to send yourself a verification link. Keep the email address on your account up to date so you never lose access to recovery.
Review your active sessions
You can see where your account is currently signed in from Settings > Sessions. Each entry shows the device and approximate location. If you see a session you don't recognise:
- Revoke that session to end its access immediately
- Change your password
- Review the steps in Account recovery
The Sign out everywhere option signs out all other sessions at once, a quick way to lock out anyone who may have gained access.
Recognise official communications
Asterune and Solarius staff will never ask you for your password, your two-factor codes, your recovery codes, or a Parent PIN. Legitimate emails come from addresses ending in @solarius.me, and official links point to asterune.com or solarius.me.
If you receive a message asking for any of these, or offering free Runes in exchange for your login details, it is a scam. See Scams and phishing to learn how to spot and report them.
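For readers who want to see how the domain rule above can be checked precisely, here is an added example (not Asterune's own code) that tests where a link really points and which domain an address really ends in. The domain names come from this page; accepting subdomains, requiring HTTPS, and the sample links are assumptions of the example.

```python
from urllib.parse import urlsplit

# Domains stated on this page. Accepting their subdomains and requiring
# HTTPS are assumptions of this example, not statements from Asterune.
OFFICIAL_LINK_DOMAINS = ("asterune.com", "solarius.me")
OFFICIAL_MAIL_DOMAIN = "solarius.me"


def is_official_link(url: str) -> bool:
    """Judge a link by the host it really points to, not by the names in it."""
    url = url.strip()
    # Browsers read "\" as "/", urlsplit does not; control characters and
    # spaces are also parsed differently. Reject rather than guess.
    if "\\" in url or any(ord(c) < 33 for c in url):
        return False
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    if parts.scheme != "https" or not host:
        return False
    # Exact domain or a dot-separated subdomain; a bare suffix match would
    # also accept "notasterune.com".
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_LINK_DOMAINS)


def is_official_sender(address: str) -> bool:
    """Check the domain after the last "@" of a bare address (no display name).

    The From address can be forged, so a match is necessary, not sufficient.
    """
    local, sep, domain = address.strip().rpartition("@")
    return bool(sep and local) and domain.rstrip(".").lower() == OFFICIAL_MAIL_DOMAIN


# Constructed samples (not real messages); example.net stands in for an
# unrelated domain.
SAMPLE_LINKS = [
    "https://asterune.com/settings",
    "https://asterune.com.example.net/login",
    "https://asterune.com@example.net/login",
    "https://example.net/asterune.com",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(("official  " if is_official_link(link) else "unofficial"), link)
```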
If you think your account is compromised
If you notice changes you didn't make, can't sign in, or see unfamiliar purchases, act quickly. Follow the steps in Account recovery and contact us right away.
Getting help
If you're having trouble securing your account, or you believe it has been accessed without your permission, contact us at Solarius support with the email address on your account. For security concerns involving threats or other users, you can also reach our safety team at [email protected].