File:Password Safe Icon.svg

Account Recovery is the process of regaining access to accounts when primary authentication fails. Preparation before lockout determines whether recovery takes minutes or weeks.

The best recovery is one you never need:

• Password manager: Never forget passwords
• Hardware keys: Harder to lose than phones
• Multiple devices: 2FA on phone AND hardware key
• Documentation: Know your recovery paths before you need them

Option	Speed	Security	Setup Required
Backup hardware key	Instant	Excellent	Buy two, register both
Password manager	Instant	Good	Maintain synced backups
Backup codes	Instant	Good	Print and store securely
Recovery email	Minutes-hours	Moderate	Secure the recovery email too
Recovery phone	Minutes	Moderate	SIM swap risk
Support ticket	Days-weeks	Variable	Last resort

Your password manager is the master key:

• Use a strong master password you can remember
• Enable 2FA on the password manager itself
• Sync across devices
• Keep encrypted backup export

Backup procedure:
1. Export vault (encrypted)
2. Store in multiple locations
3. Test restore annually

See Yubikey for details.

Critical: Register TWO hardware keys everywhere.

• Keep one on keychain
• Keep backup in secure location
• Different physical locations preferred

Most services offer one-time backup codes:

• Generate when enabling 2FA
• Print on paper
• Store in secure physical location (not with your devices)
• Store encrypted copy in password manager

Storage options:
- Safe at home
- Safe deposit box
- With trusted person
- Fire-resistant bag in go-bag

Your recovery email needs to be:

• Separate from primary email (different provider)
• Protected with strong password + hardware key
• Rarely used (harder to compromise)
• Easy for you to access from anywhere

Common mistake: Using work email for personal account recovery. If you lose the job, you lose recovery.

Phone recovery is convenient but risky:

• SIM swap attacks: Attacker convinces carrier to transfer your number
• Phone loss/theft: Physical access to recovery
• Number recycling: Old numbers get reassigned

Mitigation:

• Add carrier PIN/password
• Use hardware key as primary 2FA
• Consider Google Voice or similar for recovery number

Critical account - protects Gmail, Drive, YouTube:

• Hardware keys (primary)
• Backup codes (printed)
• Recovery email (not Gmail)
• Recovery phone (with carrier PIN)
• Trusted contacts (can vouch for you)

If locked out:

1. Try backup codes
2. Try recovery email
3. Try recovery phone
4. Account recovery form (slow, not guaranteed)

• Trusted devices can approve new devices
• Recovery contacts (iOS 15+)
• Recovery key (optional, replaces other recovery)
• Account Recovery via trusted devices

Warning: Recovery key disables other recovery methods. Only use if you're confident in key security.

For developers, GitHub access is critical:

• Hardware keys (FIDO2)
• TOTP backup
• Recovery codes
• SSH keys (backup authentication method)

Banks vary widely:

• Phone verification common
• Security questions (use random answers stored in password manager)
• Branch visit may be required
• ID verification for major changes

Prepare a physical or encrypted digital kit:

Recovery Kit Contents:
- Backup codes for critical accounts (printed)
- Password manager master password hint
- Recovery email credentials
- Hardware key backup
- List of critical accounts and recovery methods
- Emergency contacts who can help
- Bank account numbers and phone numbers

Storage:

• Encrypted file in secure location
• Paper copy in safe
• Copy with trusted family member

Update annually.

1. Don't panic. Most lockouts are recoverable.
2. Verify the lockout. Wrong password? 2FA device issue? Account suspended?
3. Check other devices. Often you're still logged in somewhere.
4. Try recovery options in order. Don't skip to support ticket.

1. Backup hardware key
2. Other logged-in session
3. Password manager
4. Backup codes
5. Recovery email
6. Recovery phone
7. Support ticket (last resort)

Be prepared for:

• Identity verification
• Account history questions
• Document submission
• Multi-day wait times

Document everything: Ticket numbers, agent names, promises made.

Once you regain access:

1. Secure immediately: Change password, review sessions
2. Audit access: Check for unauthorized activity
3. Revoke sessions: Log out everywhere, start fresh
4. Update recovery: Fix whatever failed
5. Document lesson: What went wrong, how to prevent

Access to deceased person's accounts:

• Most services have deceased user policies
• Requires death certificate
• May require court order
• Plan ahead: include digital assets in estate planning

Work accounts:

• IT department is your recovery path
• Personal backup may not be possible
• Know your organization's policies
• Don't rely on work accounts for personal recovery

If locked out due to compromise:

• Recovery is more complex
• Attacker may have changed recovery options
• Support ticket required
• May need to prove identity extensively

See Digital Security Incident Runbook for full procedure.

• Key Management - Protecting your keys
• Yubikey - Hardware authentication
• PGP - Encrypted backup
• Digital Security Incident Runbook - When things go wrong

Security & Opsec
Crypto	PGP · PGP Communication Guide · Key Management
Incident	Security Incident Runbook · Threat Modeling · Account Recovery
Hardware	Flipper Zero · HackRF · Yubikey
Culture	Hacker Culture · Operational Security