How Can I Access My Email If I Have Lost My Recovery Codes?
Whenever you get the chance, you should use two-factor authentication to protect your various accounts. This is a no brainer. However, I also appreciate services that try to increase the security of your account on your behalf – for example, requiring you to enter a special one-time code even to reset your password (preventing anyone who has managed to access your email).
There is one small catch for 2FA and similar security measures. For most services, forgetting your password is not so important. You provide the service with your email address or user ID, perhaps even confirm some details about yourself, and receive a reset link in your email. Light.
Lose the device that generates your two-factor authentication codes – or any other special codes needed to access or reset your account – and you’re in a much more dangerous place. As Lifehacker reader Sean explains in this week’s Tech 911 issue:
I have an active email account on the tutanota email address system which I cannot get. I made the mistake of not writing down the password as I saved it in short-term memory as I went to the library every day, so I used it every day until it closed. I didn’t know the password could not be recovered and you need a 4 digit recovery code to reset your password to recover your account. They say there is nothing they can do, and they never emailed me a recovery code, even though they said I was. I don’t want an account in their system that has more than 4 months of spam and important emails in its mailbox. I created this account, but it should be temporary until I can restore another. Then I will clean out my spam folder, process the emails in my inbox, and then cancel the account and create a new account on another system. It’s a German email address, and I’m more or less lucky they didn’t block me. If you can help, let me know.
Always, always write down your recovery codes
I’m going to start by doing something that I don’t usually do. Stop reading this column. Full stop. Think about the accounts you care about the most, especially if you’ve secured them with two-factor authentication. If you are unsure what those might be, check out this site to see if any of your most used sites are likely to use 2fa.
Now if something hit a fan with one of your accounts today and you had to use a recovery code to get back to your accounts, do you know where those recovery codes are? Did you know that you would need recovery codes to get back to your 2FA protected accounts? Have you ever tried to reset your password for services such as email, note-taking or cloud storage and seen what might be asked of you?
Confession time. I am lazy about this because I am confident that I will always have my 2FA codes on hand when I need them. So whenever I set up 2FA on a new site, I invariably say, “Oh, I’ll just save these recovery codes for later.” I never do. In fact, I couldn’t even tell you how many recovery codes on sites I probably need to save somewhere. I could find this by simply listing all the services associated with my Authy app, but then I have to log into each one, visit my account settings, find recovery codes and …
Seriously, write down the recovery codes
The above is exactly the kind of thinking that you and I need to dissuade, because such codes are critical. I cannot highlight this word sufficiently. Critical. I don’t have a great answer for Sean because it’s a pretty simple problem: if you lose your Tutanota password, the only way to reset your password and regain access to your account is to provide this recovery key. That’s all. Tutanota is very clear about this:
We have developed a secure design that allows you to reset your Tutanota login credentials without giving anyone the opportunity to abuse this feature.
Basically, the construction looks like this: when you register a new account or when you start the process of generating a recovery code for an existing account, Tutanota generates an additional code that encrypts your private key.
This code, like your password, can decrypt your private key and thus your encrypted emails and contacts stored in Tutanota. This is why you – and only you – can reset your Tutanota password using a recovery code.
In this case, if you also use two-factor authentication to protect Tutanota logins, you will need to provide two of three pieces of information to reset your account: your password or correct 2FA key, and your recovery. key.
I admit I like this setting because it is much safer than the default “send you a reset link by email” setting I mentioned earlier. However, this makes the recovery code even more important than ever before. Lose it or forget to write it down and you’d better remember your password or save it in another secure program like password manager . Otherwise, you are stuck and it is by design. If it was easy to get back to a locked account, for example by sending an email to customer support, wouldn’t it be just as easy for an attacker with some of your data stolen in a recent hack to do the same?
While I can’t help Sean this time, I think his example is a great reminder of the power of recovery keys. We are all forgetful or lazy to write them down, but we absolutely need to. The cost of inaction is too high.
And please don’t just save your recovery keys to another online account that you may not be able to access for some reason in the future. Print them out. Write them down in a notebook and keep them in your desk drawer. Save them to a text file and copy them onto a USB key that you will attach to your desk. Email them to your spouse.
You have many options, and “ignore them” is not the option that will work. You might be fine in the short term, but I guarantee you will need at least one of these recovery keys at some point. And when you don’t, poof! your account goes. You can prevent this right now with just an hour or so.