Lost 2FA device — recovery

Last updated: May 19, 2026

If you've lost the phone with your authenticator app, or otherwise can't access your TOTP codes, there are three recovery options, depending on what you set up when configuring 2FA. The recovery flows are backed by BetterAuth's 2FA endpoints (apps/backend/src/lib/better-auth/). After a successful recovery, immediately re-enable 2FA on a new device and store the new backup codes safely.

Who is this for

Anyone who can't enter their 2FA code at login: phone lost, app deleted, or codes otherwise inaccessible.

Option 1: Backup codes (recommended)

If you saved backup codes at 2FA setup (team-114):

Step 1: At login

After entering email + password, you'll see the 2FA prompt.

Step 2: Use backup code instead

Click "Use backup code" (or similar — the label may vary).

Step 3: Enter one backup code

Backup codes are typically 8-character single-use codes (e.g. XK9P-2QM7). Enter one of yours.

Backend: POST /api/v1/auth/2fa/verify-backup-code (BetterAuth).

Step 4: Logged in + code consumed

You're logged in. The backup code is consumed (single-use). You typically have 8-10 backup codes in total; the consumed code is removed from the valid set.

Step 5: Immediately re-enable 2FA

/settings → Security → 2FA → disable + re-enable with a new device → save fresh backup codes.
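How a backup-code store behaves behind a flow like Option 1, as an added example (not Wevion's or BetterAuth's code): codes are stored only as hashes, the user's input is normalised before hashing, a match is consumed on use, and regenerating replaces the whole set so old codes stop working. The alphabet, code length and SHA-256 hashing are assumptions for this example.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Constructed example, not the project's code. Codes are 8 symbols from an
// alphabet without 0/O/1/I, shown to the user as XXXX-XXXX, stored only hashed.
const ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // 32 symbols: 256 % 32 == 0, so no modulo bias

export interface BackupCodeStore {
  hashes: Set<string>; // sha256 hex of each still-valid code
}

// Accept what a user realistically types: lower case, missing hyphen, stray spaces.
export function normalise(code: string): string {
  return code.replace(/[\s-]/g, "").toUpperCase();
}

function hashCode(code: string): string {
  return createHash("sha256").update(normalise(code)).digest("hex");
}

// Generate `count` fresh codes. Returns the plaintext (shown to the user once)
// and the store the server keeps. Calling this again for a user replaces the
// set, which is why "Regenerate backup codes" invalidates the old ones.
export function generateBackupCodes(count = 10): { plain: string[]; store: BackupCodeStore } {
  const plain: string[] = [];
  for (let i = 0; i < count; i++) {
    const raw = Array.from(randomBytes(8), (b) => ALPHABET[b % ALPHABET.length]).join("");
    plain.push(`${raw.slice(0, 4)}-${raw.slice(4)}`);
  }
  return { plain, store: { hashes: new Set(plain.map(hashCode)) } };
}

// Verify and consume in one step. Every stored hash is compared (no early exit)
// with a constant-time comparison; a match is deleted from the set, so a second
// submission of the same code is rejected as "invalid".
export function consumeBackupCode(store: BackupCodeStore, typed: string): "ok" | "invalid" {
  const candidate = Buffer.from(hashCode(typed), "hex");
  const matches = Array.from(store.hashes).filter((stored) =>
    timingSafeEqual(Buffer.from(stored, "hex"), candidate),
  );
  if (matches.length === 0) return "invalid";
  store.hashes.delete(matches[0]);
  return "ok";
}
```

This is also why a "Backup code invalid" error has exactly three causes: the code was already consumed, it was mistyped in a way normalisation can't fix, or the set was regenerated.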

Option 2: Email OTP fallback

If your workspace has email-OTP fallback enabled (admin-level setting):

Step 1: At login

At the 2FA prompt, click "Email me a code" (or similar).

Step 2: Receive email

Backend: POST /api/v1/auth/2fa/email-otp. An email is sent to your registered address with a one-time code (typically 6 digits, valid for ~10 min).

Step 3: Enter the code

Type the code from email in the 2FA prompt.

Step 4: Logged in

You're logged in. Re-enable 2FA on a new device and save new backup codes.

Note: this option requires the workspace admin to have enabled 2fa.email_otp in workspace settings. If you don't see the email option, it isn't enabled; use option 1 or 3.

Option 3: Admin-assisted reset (last resort)

If neither backup codes nor email OTP are available:

Step 1: Contact workspace admin / owner

Workspace super_admin or owner can disable 2FA for any user (admin override).

Step 2: Admin disables 2FA

/settings → Team → Members → find your user → Reset 2FA (or similar).

Backend: admin-only route that sets user.two_factor_enabled = false.

Step 3: You log in (no 2FA prompt)

Log in with email + password (no 2FA required this time).

Step 4: IMMEDIATELY re-enable 2FA

/settings → Security → 2FA → enable on new device → save backup codes.

Why this is the last resort:

  • Requires admin attention

  • Brief security window during which the account has no 2FA

  • Admin must verify your identity (to avoid social-engineering attacks)

Best practices

Save backup codes at setup

At 2FA initial setup (team-114), Wevion shows backup codes ONCE. Save them:

  • Print + store in physical safe

  • Save in password manager (1Password, Bitwarden, etc.)

  • NEVER store in plaintext on the device with the authenticator app

  • NEVER share via chat / email

Use multiple authenticator devices

Some authenticator apps (Authy, 1Password, Bitwarden, Google Authenticator with cloud backup) support syncing across devices. This reduces the "lost phone = lost 2FA" risk.

Periodic test

Once per quarter: do a fake password reset and verify you can complete 2FA. This catches device/app issues early.

Multi-admin workspace

If you're a solo super_admin and lose 2FA: NO ONE can reset you via UI. Add a backup admin BEFORE this happens.

For solo accounts: contact Wevion support for identity-verified reset (slow process).

Security considerations

2FA recovery is a sensitive operation. Be cautious of:

  • Social engineering: someone pretending to be you to get admin to disable your 2FA

  • Email account compromise: if an attacker controls your email, the email OTP path is exposed

  • Backup code theft: secure storage matters

If you suspect compromise during recovery: change your password, rotate API keys, and check the audit log (/api/v1/audit-logs).

Common questions

Can I use Google Authenticator with another account?

Yes, but if you didn't transfer the Wevion TOTP secret, it won't work. Do the standard TOTP rotation (re-enable 2FA on the new device).

What if I had Authy on cloud sync — won't it auto-restore?

Yes — Authy syncs TOTP secrets. After installing Authy on the new device and entering your Authy credentials, your Wevion TOTP entry should reappear. Test it before assuming.
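The two answers above come down to one fact: a TOTP code is a function of the shared secret and the clock only. The added example below (not Wevion's or BetterAuth's code; RFC 6238 defaults of HMAC-SHA1, 30-second step and 6 digits are assumed) shows that two devices holding the same secret compute identical codes, while a fresh install that never received the secret cannot, and how a server verifies with a small drift window.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed example, not the project's code. RFC 6238 defaults assumed.
const STEP_SECONDS = 30;
const DIGITS = 6;

// RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter) to 6 digits.
export function hotp(secret: Buffer, counter: number): string {
  const msg = Buffer.alloc(8); // counter as 64-bit big-endian
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0);
  msg.writeUInt32BE(counter >>> 0, 4);
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) |
    (mac[offset + 1] << 16) |
    (mac[offset + 2] << 8) |
    mac[offset + 3];
  return ("000000" + (bin % Math.pow(10, DIGITS))).slice(-DIGITS);
}

// The code depends only on the secret and the clock: a synced Authy entry has
// the secret and produces the same code; a fresh Google Authenticator install
// without the transferred secret produces unrelated codes.
export function totp(secret: Buffer, unixSeconds: number): string {
  return hotp(secret, Math.floor(unixSeconds / STEP_SECONDS));
}

// Server-side check with a +/-1 step window to tolerate small clock drift.
export function verifyTotp(secret: Buffer, code: string, unixSeconds: number, window = 1): boolean {
  if (!/^\d{6}$/.test(code)) return false; // reject malformed input before comparing
  for (let i = -window; i <= window; i++) {
    const expected = totp(secret, unixSeconds + i * STEP_SECONDS);
    if (timingSafeEqual(Buffer.from(expected), Buffer.from(code))) return true;
  }
  return false;
}
```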

Backup codes ran out?

Generate new backup codes: /settings → Security → 2FA → Regenerate backup codes. The old codes are invalidated.

Did the admin see my codes?

No. The admin reset disables 2FA on the backend; the admin doesn't see your secret or codes.

Common issues

  • "Backup code invalid": the code was already used (single-use), a typo, or the codes were regenerated. Try another, or use option 2/3.

  • Email OTP didn't arrive: check spam, allowlist noreply@wevion.ai. If it still doesn't arrive: option 1 or 3.

  • Admin says they can't reset 2FA: workspace policy may restrict admin override. Contact Wevion support directly.

  • After reset, can't re-enable 2FA: clear the browser cache and try again. If it persists: contact support.