How Do I Get Into My Email If I've Lost My Recovery Codes?


Illustration for article titled How Do I Get Into My Email If Ive Lost My Recovery Codes?
Screenshot: David Murphy
Tech 911Tech 911Do you have a tech question keeping you up at night? We'd love to answer it! Email david.murphy@lifehacker.com with "Tech 911" in the subject line.

Whenever you get the chance, you should use two-factor authentication to secure your various accounts. That’s a no-brainer. However, I also appreciate services that try to enhance your account security on your behalf—like, for example, requiring you to input a special one-time code to even reset your password (thwarting anyone who has managed to gain access to your email).

There’s one little catch to 2FA and similar security measures like these. For most services, forgetting your password isn’t that big of a deal. You give the service your email address or user ID, perhaps even confirm some data about you, and you get a reset link in your email. Easy.

Lose the device that generates your two-factor authentication codes—or any other special codes you need to access your account or reset it settings—and you’re in a much more precarious spot. As Lifehacker reader Shawn explains in this week’s Tech 911 question:

I have an active email account in an email address system called tutanota that I can’t retrieve. I made the mistake of not writing down the password since I committed it to short term memory since I was going to the library everyday, so I was using it everyday until it closed down. I didn’t know the password couldn’t be retrieved and you need a 4 digit recovery code to reset the password to retrieve the account. They say there’s nothing they can do and I was never emailed a recovery code despite them saying that I was. I don’t want an account lost forever in their system that has more than 4 months of spam and important emails in the inbox. I set up this account, but it’s only meant to be temporary until I can retrieve the other one. Then I’ll clean out the spam folder, tend to the emails in the inbox and then cancel out the account and set up a new account on another system. It’s a German email address and I’m lucky to a greater or lesser extent that I haven’t been barred by them. If you can help, let me know.

Always, always write down your recovery codes

I’m going to start by doing something I don’t normally do. Stop reading this column. Full stop. Think about the accounts that are most precious to you—especially once that you’ve secured with two-factor authentication. If you’re not sure what those might be, consult this website to see if any of your most-used sites probably use 2FA.

Now, if something hit the fan with one of your accounts today, and you had to use a recovery code to get back into your accounts, do you know where those recovery codes are? Do you even know that you would have needed recovery codes to get back in to your 2FA-protected accounts? Have you ever tried to reset your password for services like your email, your note-taking app, or your cloud-based storage, and seen what they might require you to do?

Confession time. I’m lazy about this, because I have this belief that I’ll always have my 2FA codes on-hand whenever I need them. So whenever I set up 2FA on a new site, I invariably go, “Oh, I’ll just save those recovery codes later.” I never do. In fact, I couldn’t even tell you how many sites’ worth of recovery codes I probably need to save somewhere. I could look this up by simply listing out all the services associated with my Authy app, but then I’m going to have to log into each one, visit my account settings, go find the recovery codes, and...

Seriously, write down your recovery codes

The above is the exact kind of thinking that you and I need to talk ourselves out of, because these kinds of codes are critical. I cannot emphasize that word enough. Critical. I don’t have a great answer for Shawn, because it’s a pretty cut-and-dry problem: If you lose your Tutanota password, the only way you can reset your password and regain access to your account is to provide that recovery key. That’s it. Tutanota is very clear about this:

We have come up with a secure design that enables you to reset your Tutanota login credentials without giving anyone the possibility to abuse this feature.

Basically, the design is as follows: When you sign up for a new account or when you trigger the creation process of a recovery code for an existing account, Tutanota generates an additional code that encrypts your private key.

This code, just like your password, is able to decrypt your private key and, thus, your encrypted emails and contacts stored in Tutanota. That’s why you - and only you - are able to reset your Tutanota password with the help of the recovery code.

In this case, if you’re also using two-factor authentication to protect Tutanota logins, you’ll need to provide two out of three pieces of information to reset your account: your password or a correct 2FA key, as well as your recovery key.

I confess, I love this setup, because it is a lot more secure than the standard “email you a reset link” setup I previously mentioned. However, this does make that recovery code even more crucial than ever before. Lose it, or forget to write it down, and you better make sure you have your password memorized or stored in another secure program, such as a password manager. If not, you’re stuck, and that’s intentional. If it was easy to get back into a locked account by emailing customer service, for example, wouldn’t it be just as easy for an attacker with some data about you, stolen from some recent breach, to do the exact same thing?

While I can’t help out Shawn this time around, I think his example is a perfect reminder about the power of recovery keys. We’re all forgetful or lazy about writing them down, but we absolutely need to do that. The costs of not doing so are far too great.

And, please, don’t just save the recovery keys in another online account that you might be unable to access for any reason at some future point. Print them out. Write them down in a notebook and keep it in your desk drawer. Save them to a text file and copy them to a USB key that you keep chained to your desk. Email them to your spouse.

You have plenty of options, and “ignore them” isn’t an option that’s going to work. You might be fine in the short-term, but I guarantee you’re going to need at least one of these recovery keys at some point. And when you come up short, poof! goes your account. You can prevent that right now with just an hour or so of work, if that.

Do you have a tech question keeping you up at night? Tired of troubleshooting your Windows or Mac? Looking for advice on apps, browser extensions, or utilities to accomplish a particular task? Let us know! Tell us in the comments below or email david.murphy@lifehacker.com.