Account security best practices

Password-less sign-in, account hygiene, and how to spot suspicious activity.

Last updated May 11, 2026

prospiq doesn't use passwords. That removes the most attacked surface in any SaaS product — but it means account security depends on the upstream account or inbox you use to sign in. Here's how to keep your prospiq account safe in practice.

How sign-in works on prospiq

There are three ways to sign in to prospiq, and they're all password-less:

  • Google OAuth — sign in with your Google account (personal Gmail or Google Workspace)
  • Microsoft OAuth — sign in with your Microsoft account (personal or Microsoft 365)
  • Email magic link — enter your email and click the one-time sign-in link we send you

We deliberately don't offer email-and-password sign-in. Passwords are the most attacked thing in any SaaS app — reused, phished, leaked at scale. By delegating authentication to identity providers (Google, Microsoft) or to your own inbox (magic link), we get stronger authentication than we could build, and there's no prospiq password for an attacker to guess or phish.

What this means in practice:

  • There's no prospiq password to manage, reset, or rotate
  • If your Google or Microsoft account is revoked, your prospiq access goes with it automatically
  • If you use the magic link, security depends on your email account's own protections
  • Two-factor authentication, hardware keys, and conditional access policies you've set on your Google, Microsoft, or email account apply to prospiq downstream

Secure the account you sign in with

Since prospiq is only as secure as your sign-in method, the highest-leverage thing you can do is harden whichever account or inbox you use:

If you use Google or Microsoft OAuth

  • Turn on two-factor authentication. Use an authenticator app (Google Authenticator, Microsoft Authenticator, 1Password) rather than SMS — SMS is significantly weaker against modern attacks.
  • Use a hardware security key if your role involves sensitive data. Both providers support YubiKeys and similar devices.
  • Run the periodic security check. Google has Security Checkup; Microsoft has a similar account dashboard. Every few months is enough.
  • Pay attention to sign-in alerts. Both providers will notify you of new device sign-ins or unusual locations.

If you use email magic link

The magic link is delivered to your inbox. Whoever can read your inbox can sign in to prospiq. So:

  • Make sure your email account has two-factor authentication enabled — this is the most important step
  • Don't use a shared inbox for prospiq sign-in (a team-wide team@company.com address is not appropriate)
  • Don't sign in from devices you don't trust — the magic link can be forwarded, screenshotted, or read by anyone with access to your email at that moment
  • Sign out of email on shared computers before walking away

The magic link itself is single-use and expires quickly. Once you've clicked it, it can't be reused. But the email containing the link sits in your inbox until you delete it, so treat it like any other sensitive email.

Don't share your account

Each prospiq account is intended for one person. If you have a team, use the team add-on — it gives each member their own login (through their own OAuth or magic-link email), their own credit tracking, and removes the risk of shared credentials.

Shared sign-ins are a security problem and an operational one: when someone leaves, you have to coordinate the change with everyone; when someone uses too many credits, you can't tell who did it; when someone's identity is compromised, the whole team is exposed.

Recognize phishing attempts

prospiq will never email you asking for:

  • A click-through to "verify" your account outside of the normal magic-link flow
  • Your full payment card details
  • Confirmation of credentials of any kind

Legitimate magic-link emails from us come from a sending address ending in @prospiq.net (or our sender domain prospiq.co), and the link inside points to prospiq.net. Anything else claiming to be a prospiq sign-in is suspicious.

When in doubt, don't click the link in the email. Open a new tab, type prospiq.net manually, and request a fresh magic link or sign in through Google or Microsoft. If there's a real notification, you'll see it in the app.

The same goes for phishing emails that pretend to be from Google or Microsoft. Both providers have official paths for security notifications — when in doubt, sign in to your Google or Microsoft account directly rather than clicking links in email.
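The sender and link rule for prospiq sign-in emails stated above can be checked mechanically, for example in a mail-filter script. This is an added example, not prospiq's own code; the function names and sample messages are constructed, and accepting subdomains of prospiq.net for links is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# From the article: mail comes from @prospiq.net or prospiq.co; links point to prospiq.net.
SENDER_DOMAINS = {"prospiq.net", "prospiq.co"}
LINK_DOMAIN = "prospiq.net"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def link_host_ok(url):
    """True if the URL's real host is prospiq.net or (assumption) a subdomain of it."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    # Compare on a label boundary so "prospiq.net.login.example" does not pass.
    return host == LINK_DOMAIN or host.endswith("." + LINK_DOMAIN)

def body_text(msg):
    """Concatenate every text/* part so links in HTML alternatives are checked too."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def check_signin_email(raw_message):
    """Return the reasons a claimed prospiq sign-in email is suspicious (empty = none)."""
    msg = message_from_string(raw_message)
    reasons = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain not in SENDER_DOMAINS:
        reasons.append(f"sender domain {sender_domain!r} is not prospiq.net or prospiq.co")
    for url in URL_RE.findall(body_text(msg)):
        if not link_host_ok(url):
            reasons.append(f"link does not point to prospiq.net: {url}")
    return reasons

# Constructed sample messages (not real prospiq mail; the URL path is made up).
LEGIT = ("From: prospiq <login@prospiq.net>\nSubject: Your sign-in link\n\n"
         "Sign in: https://prospiq.net/signin?token=EXAMPLE\n")
PHISH = ("From: prospiq <login@prospiq.net.mail-verify.example>\nSubject: Verify\n\n"
         "Verify: https://prospiq.net@login.example/verify\n"
         "or https://prospiq.net.login.example/verify\n")

if __name__ == "__main__":
    print(check_signin_email(LEGIT))
    print(check_signin_email(PHISH))
```

The From header is not authenticated by itself, so a clean result here only means something alongside the receiving mail server's SPF, DKIM and DMARC verdict.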

Watch for suspicious activity

Sign in to your prospiq account periodically and check:

  • Your recent search history — anything you didn't run?
  • Your team members list (if you're a team owner) — anyone you didn't invite?
  • Your API keys (if applicable, Pro plan) — any keys you don't recognize?

If something looks wrong:

  1. Review your upstream account — your Google, Microsoft, or email account is the root. If it's compromised, prospiq is downstream.
  2. Rotate any prospiq API keys you have
  3. Email security@prospiq.net with what you saw

We respond to suspected compromise reports quickly and confidentially.

What we do on our side

  • All sign-ins are password-less — we never see or store a password
  • OAuth tokens are scoped to the minimum we need and not retained longer than required
  • Magic links are single-use, time-limited, and bound to the email address that requested them
  • We log sign-in events and unusual activity patterns for security review
  • We rate-limit authentication attempts to slow down abuse
  • We never email or call you asking for credentials

See the security page for more detail on the infrastructure side.

If you think your account was compromised

  1. Change the password on your upstream account — Google, Microsoft, or the email account where you receive magic links
  2. Sign out of all sessions in your upstream account settings
  3. Rotate any prospiq API keys you have
  4. Review your recent prospiq activity for anything unfamiliar
  5. Email security@prospiq.net — we'll help investigate and lock things down on our side

We treat suspected compromise reports seriously and act fast. Acknowledgment within one business day, action within five.
