How Do I Get Into My Email If I’ve Lost My Recovery Codes?


David Murphy

Published: August 7, 2020 at 11:00 pm
Filed to: account, password, recovery code, two factor authentication

Whenever you get the chance, you should use two-factor authentication to secure your various accounts. That’s a no-brainer. However, I also appreciate services that try to enhance your account security on your behalf – like, for example, requiring you to input a special one-time code to even reset your password (thwarting anyone who has managed to gain access to your email).

There’s one little catch to 2FA and similar security measures like these. For most services, forgetting your password isn’t that big of a deal. You give the service your email address or user ID, perhaps even confirm some data about you, and you get a reset link in your email. Easy.

Lose the device that generates your two-factor authentication codes – or any other special codes you need to access your account or reset its settings – and you’re in a much more precarious spot. As Lifehacker reader Shawn explains:

I have an active email account in an email address system called tutanota that I can’t retrieve. I made the mistake of not writing down the password since I committed it to short-term memory since I was going to the library every day, so I was using it every day until it closed down. I didn’t know the password couldn’t be retrieved and you need a 4-digit recovery code to reset the password to retrieve the account. They say there’s nothing they can do and I was never emailed a recovery code despite them saying that I was. I don’t want an account lost forever in their system that has more than 4 months of spam and important emails in the inbox. I set up this account, but it’s only meant to be temporary until I can retrieve the other one. Then I’ll clean out the spam folder, tend to the emails in the inbox and then cancel out the account and set up a new account on another system. It’s a German email address and I’m lucky to a greater or lesser extent that I haven’t been barred by them. If you can help, let me know.

Always, always write down your recovery codes

I’m going to start by doing something I don’t normally do. Stop reading this column. Full stop. Think about the accounts that are most precious to you – especially ones that you’ve secured with two-factor authentication. If you’re not sure what those might be, consult this website to see if any of your most-used sites probably use 2FA.

Now, if something hit the fan with one of your accounts today, and you had to use a recovery code to get back into your accounts, do you know where those recovery codes are? Do you even know that you would have needed recovery codes to get back into your 2FA-protected accounts? Have you ever tried to reset your password for services like your email, your note-taking app, or your cloud-based storage, and seen what they might require you to do?

Confession time. I’m lazy about this, because I have this belief that I’ll always have my 2FA codes on-hand whenever I need them. So whenever I set up 2FA on a new site, I invariably go, “Oh, I’ll just save those recovery codes later.” I never do. In fact, I couldn’t even tell you how many sites’ worth of recovery codes I probably need to save somewhere. I could look this up by simply listing out all the services associated with my Authy app, but then I’m going to have to log into each one, visit my account settings, go find the recovery codes, and…

Seriously, write down your recovery codes

The above is the exact kind of thinking that you and I need to talk ourselves out of, because these kinds of codes are critical. I cannot emphasise that word enough. Critical. I don’t have a great answer for Shawn, because it’s a pretty cut-and-dried problem: If you lose your Tutanota password, the only way you can reset your password and regain access to your account is to provide that recovery key. That’s it. Tutanota is very clear about this:

We have come up with a secure design that enables you to reset your Tutanota login credentials without giving anyone the possibility to abuse this feature.

Basically, the design is as follows: When you sign up for a new account or when you trigger the creation process of a recovery code for an existing account, Tutanota generates an additional code that encrypts your private key.

This code, just like your password, is able to decrypt your private key and, thus, your encrypted emails and contacts stored in Tutanota. That’s why you – and only you – are able to reset your Tutanota password with the help of the recovery code.

In this case, if you’re also using two-factor authentication to protect Tutanota logins, you’ll need to provide two out of three pieces of information to reset your account: your password or a correct 2FA key, as well as your recovery key.

I confess, I love this setup, because it is a lot more secure than the standard “email you a reset link” setup I previously mentioned. However, this does make that recovery code even more crucial than ever before. Lose it, or forget to write it down, and you better make sure you have your password memorized or stored in another secure program, such as a password manager. If not, you’re stuck, and that’s intentional. If it was easy to get back into a locked account by emailing customer service, for example, wouldn’t it be just as easy for an attacker with some data about you, stolen from some recent breach, to do the exact same thing?
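To see why nobody at the service can let you back in, here is a small Python sketch of the design Tutanota describes, added for illustration. It is not Tutanota's code: the function names, the PBKDF2 settings, and the HMAC-based wrap (a standard-library stand-in for a real authenticated cipher such as AES-GCM) are all assumptions.

```python
import hashlib, hmac, secrets

def kdf(secret: str, salt: bytes) -> bytes:
    # Stretch a user-held secret into a 32-byte key-encryption key.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def wrap(kek: bytes, key: bytes) -> bytes:
    # Encrypt a 32-byte key under kek: HMAC-derived pad, then a tag over nonce+ct.
    nonce = secrets.token_bytes(16)
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, pad))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    want = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong secret: key cannot be unwrapped")
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def create_account(password: str):
    mailbox_key = secrets.token_bytes(32)   # stands in for the private key
    recovery_code = secrets.token_hex(32)   # constructed; shown to the user once
    s_pw, s_rc = secrets.token_bytes(16), secrets.token_bytes(16)
    # The server stores only salts and two wrapped copies of the same key.
    record = {"s_pw": s_pw, "s_rc": s_rc,
              "by_pw": wrap(kdf(password, s_pw), mailbox_key),
              "by_rc": wrap(kdf(recovery_code, s_rc), mailbox_key)}
    return record, recovery_code, mailbox_key

def unlock(record: dict, password: str) -> bytes:
    return unwrap(kdf(password, record["s_pw"]), record["by_pw"])

def reset_password(record: dict, recovery_code: str, new_password: str) -> bytes:
    # Only the recovery code can open the second copy; re-wrap under the new password.
    key = unwrap(kdf(recovery_code, record["s_rc"]), record["by_rc"])
    record["s_pw"] = secrets.token_bytes(16)
    record["by_pw"] = wrap(kdf(new_password, record["s_pw"]), key)
    return key
```

With both the password and the recovery code gone, the stored record contains nothing that can reproduce the mailbox key, which is why support has no override to offer.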

While I can’t help out Shawn this time around, I think his example is a perfect reminder about the power of recovery keys. We’re all forgetful or lazy about writing them down, but we absolutely need to do that. The costs of not doing so are far too great.

And, please, don’t just save the recovery keys in another online account that you might be unable to access for any reason at some future point. Print them out. Write them down in a notebook and keep it in your desk drawer. Save them to a text file and copy them to a USB key that you keep chained to your desk. Email them to your spouse.

You have plenty of options, and “ignore them” isn’t an option that’s going to work. You might be fine in the short-term, but I guarantee you’re going to need at least one of these recovery keys at some point. And when you come up short, poof! goes your account. You can prevent that right now with just an hour or so of work, if that.


Do you have a tech question keeping you up at night? Tired of troubleshooting your Windows or Mac? Looking for advice on apps, browser extensions, or utilities to accomplish a particular task? Let us know! Tell us in the comments below or email [email protected].


© 2007 - 2021 Pedestrian Group
