Guide: MFA Recovery and Device Loss
Recovery flow using backup codes and verified-email recovery challenges.
- Primary recovery path: enter an unused backup code in MFA challenge step.
- Secondary recovery path: request email recovery token from sign-in MFA step.
- Recovery token is one-time, time-limited, and challenge-bound.
- If account email is not verified, email recovery is unavailable.
- After recovery, rotate backup codes and review trusted devices.