Lost 2FA device — recovery
2FA recovery options: backup codes, email OTP fallback where available, and manual support recovery when all factors are lost.
Written By Salvatore Sinigaglia
Last updated About 1 hour ago
If you've lost the phone with your authenticator app, or otherwise can't produce TOTP codes: use a backup code, or the email OTP fallback where your workspace has enabled it. If all factors are lost, contact support to start account recovery.
Who is this for
Anyone who can't enter their 2FA code at login. Phone lost, app deleted, codes inaccessible.
Option 1: Backup codes (recommended)
If you saved backup codes at 2FA setup (team-111):
Step 1: At login
After entering email + password, you'll see the 2FA prompt.
Step 2: Use backup code instead
Click "Use backup code" (or similar — label may vary).
Step 3: Enter one backup code
Backup codes are typically 8-character single-use codes (e.g. XK9P-2QM7). Enter one of yours.
The backend validates it through POST /api/v1/auth/2fa/validate, the same route that handles the other supported 2FA methods.
Step 4: Logged in + code consumed
You're in. The backup code is consumed (single-use). Current setup generates 8 backup codes; consumed code is removed from the valid set.
Step 5: Immediately re-enable 2FA
/settings → Security → 2FA → disable + re-enable with a new device → save fresh backup codes.
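The single-use and regenerate behaviour described above has a few properties worth seeing in code: codes are stored only as salted hashes, a consumed code leaves the valid set, and a regenerated set retires every old code without forgetting it, so a "Backup code invalid" error can distinguish a typo from a code that was already used or replaced. The block below is an added illustration written for this page, not Wevion's implementation; the alphabet, the PBKDF2 parameters, the class and method names and the returned status strings are all assumptions chosen to match the user-visible behaviour the page documents (8 codes, 8 characters in two groups of four, single use, old codes invalidated on regenerate).

```python
"""Illustrative backup-code store: generate, hash, consume once, regenerate.

Added example, not Wevion's code. Everything below except the documented
behaviour (8 codes, XXXX-XXXX format, single use, regenerate invalidates
the old set) is an assumption made for illustration.
"""
import hashlib
import hmac
import secrets

# Assumption: unambiguous alphabet (no 0/O, 1/I) so codes survive being read aloud.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_COUNT = 8
CODE_LEN = 8
PBKDF2_ROUNDS = 100_000   # assumption: 40-bit codes need a slow hash at rest


def _normalize(code: str) -> str:
    # Accept "xk9p-2qm7", "XK9P 2QM7" and "XK9P2QM7" as the same code.
    return code.strip().upper().replace("-", "").replace(" ", "")


def _digest(code: str, salt: bytes) -> bytes:
    # Store only a salted, stretched hash: a database leak must not hand out
    # ready-to-use login codes.
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """Per-user store. Plaintext codes exist only in the value returned by regenerate()."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.generation = 0
        self.active: set[bytes] = set()    # hashes of codes that still log you in
        self.retired: set[bytes] = set()   # hashes of used or regenerated codes

    def regenerate(self) -> list[str]:
        # Old codes are retired, not deleted, so a later attempt with one can be
        # reported as "already used or regenerated" rather than as a typo.
        self.retired |= self.active
        self.active = set()
        self.generation += 1
        codes = []
        for _ in range(CODE_COUNT):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
            codes.append(f"{raw[:4]}-{raw[4:]}")
            self.active.add(_digest(raw, self.salt))
        return codes   # shown to the user once; never persisted in plaintext

    def consume(self, code: str) -> str:
        """Returns "ok", "already_used_or_regenerated" or "invalid"."""
        d = _digest(code, self.salt)
        # Constant-time compare against every active entry; scanning the whole
        # set keeps the timing independent of where a match sits.
        hit = None
        for stored in self.active:
            if hmac.compare_digest(stored, d):
                hit = stored
        if hit is not None:
            self.active.remove(hit)    # single use: drop it from the valid set
            self.retired.add(hit)
            return "ok"
        for stored in self.retired:
            if hmac.compare_digest(stored, d):
                return "already_used_or_regenerated"
        return "invalid"

    def remaining(self) -> int:
        return len(self.active)


if __name__ == "__main__":
    store = BackupCodeStore()
    first = store.regenerate()
    print(first[0], store.consume(first[0]), store.consume(first[0]), store.remaining())
```

A real service would also rate-limit the validate route per account, since 8 characters from a 32-symbol alphabet is only about 40 bits of entropy, and would log the "already used" case as a possible sign that a copy of the codes has leaked.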
Option 2: Email OTP fallback
If your workspace has email-OTP fallback enabled (admin-level setting):
Step 1: At login
At the 2FA prompt, click "Email me a code" (or similar).
Step 2: Receive email
Backend: POST /api/v1/auth/2fa/email-otp. Email sent to your registered address with a one-time code (typically 6 digits, valid ~10 min).
Step 3: Enter the code
Type the code from email in the 2FA prompt.
Step 4: Logged in
You're in. Re-enable 2FA on new device + save backup codes.
Note: this option requires the workspace admin to have enabled 2fa.email_otp in workspace settings. If you don't see the email option, it isn't enabled: use option 1 or 3. Bear in mind that with email OTP enabled, anyone who controls your mailbox plus your password can pass the 2FA prompt, so the mailbox itself needs strong, separate protection.
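The email OTP path only holds up if the server enforces the properties the page describes (a short-lived, single-use 6-digit code) together with a cap on guesses, because a 6-digit code is only one million possibilities. The block below is an added illustration for this page, not Wevion's code behind POST /api/v1/auth/2fa/email-otp; the class and method names, the attempt budget, the hash-at-rest choice and the returned status strings are assumptions. The 6-digit length and the roughly 10-minute lifetime are the values the page gives as typical.

```python
"""Illustrative email-OTP issuer/verifier with expiry, single use and an attempt cap.

Added example, not Wevion's implementation. Names, the attempt budget and the
injectable clock are assumptions for illustration; 6 digits and a 10-minute
lifetime are the figures the page calls typical.
"""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 600    # ~10 minutes
MAX_ATTEMPTS = 5         # assumption: with 1e6 codes, online guessing must be capped


class EmailOtp:
    """One pending code per user. The clock is injectable so expiry can be tested."""

    def __init__(self, now=time.time) -> None:
        self.now = now
        self.pending: dict[str, dict] = {}   # user -> {"hash", "expires", "attempts"}

    def issue(self, user: str) -> str:
        # randbelow gives a uniform 0..999999; zero-pad so "000123" is a valid code.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Re-issuing replaces the old code and resets its attempt budget, so the
        # issue route itself must be rate-limited in a real service.
        self.pending[user] = {
            # Hashing keeps the code out of logs and dumps, but a 6-digit space is
            # trivially brute-forced offline: the real controls are TTL and the cap.
            "hash": hashlib.sha256(code.encode()).digest(),
            "expires": self.now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code   # goes only into the email body to the registered address

    def verify(self, user: str, code: str) -> str:
        """Returns "ok", "wrong_code", "expired", "too_many_attempts" or "no_pending_code"."""
        entry = self.pending.get(user)
        if entry is None:
            return "no_pending_code"
        if self.now() > entry["expires"]:
            del self.pending[user]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[user]            # burn the code; the user must request a new one
            return "too_many_attempts"
        submitted = hashlib.sha256(code.strip().encode()).digest()
        if hmac.compare_digest(entry["hash"], submitted):
            del self.pending[user]            # single use
            return "ok"
        return "wrong_code"


if __name__ == "__main__":
    otp = EmailOtp()
    code = otp.issue("user@example.com")     # constructed sample address
    print(code, otp.verify("user@example.com", code), otp.verify("user@example.com", code))
```

The verify step checks expiry before counting an attempt and burns the code after the cap is exceeded, so an attacker who knows the password cannot keep a single code alive for a long guessing run; they would have to trigger fresh emails, which the mailbox owner will see.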
Option 3: Manual support recovery (last resort)
If neither backup codes nor email OTP are available:
Step 1: Contact support
Contact Wevion support. The team will guide you through identity verification and the recovery steps that apply to your account.
Step 2: Do not rely on an admin reset
Don't assume a workspace admin can reset your 2FA. The current product does not document a workspace-admin "Reset 2FA" button or route, so if your admin can't find one, go to support directly.
Step 3: IMMEDIATELY re-enable 2FA after recovery
/settings → Security → 2FA → enable on new device → save backup codes.
Why this is last resort:
- Requires admin attention
- Brief security window where account has no 2FA
- Admin must verify your identity (avoid social engineering attacks)
Best practices
Save backup codes at setup
At 2FA initial setup (team-111), Wevion shows backup codes ONCE. Save them:
- Print + store in physical safe
- Save in password manager (1Password, Bitwarden, etc.)
- NEVER store in plaintext on the device with the authenticator app
- NEVER share via chat / email
Use multiple authenticator devices
Some authenticator apps (Authy, 1Password, Bitwarden, Google Authenticator with cloud backup) support syncing across devices. This reduces the "lost phone = lost 2FA" risk, but a synced TOTP secret is only as safe as the account it syncs through: protect that account with its own strong, unique credentials.
Periodic test
Once per quarter: sign out, sign back in and complete the 2FA prompt on your current device. Catches device / app issues early, while you still have a working factor.
Multi-admin workspace
If you're a solo super_admin and lose 2FA, there may be no self-service workspace admin recovery path. Add a backup admin BEFORE this happens and keep backup codes safe.
For solo accounts: contact Wevion support for identity-verified reset (slow process).
Security considerations
2FA recovery is a sensitive operation, because every recovery path is by design a way around your second factor. Be cautious of:
- Social engineering: someone pretending to be you to obtain manual recovery, or pretending to be support to obtain your backup codes
- Email account compromise: if an attacker controls your email, the email OTP path is exposed, and 2FA effectively collapses to "password + mailbox"
- Backup code theft: a stored code is a login, so secured storage matters
If you suspect compromise during recovery: change your password, rotate API keys, and check the audit log (/api/v1/audit-logs) for logins, 2FA changes and key rotations you didn't make.
Common questions
Can I install Google Authenticator on a new phone and keep using it?
Only if you transferred the Wevion TOTP secret to the new phone (for example with the app's transfer/export feature). A fresh install has no secret, so its codes won't work. Otherwise do the standard TOTP rotation: log in with a backup code, then disable and re-enable 2FA on the new device.
What if I had Authy on cloud sync — won't it auto-restore?
Yes — Authy syncs TOTP secrets. After installing Authy on new device + entering Authy credentials, your Wevion TOTP entry should re-appear. Test before assuming.
Backup codes ran out?
Generate new backup codes: /settings → Security → 2FA → Regenerate backup codes. Old codes invalidated.
Did the admin see my codes?
No. No admin or support flow exposes your TOTP secret or backup codes: support recovery is an identity-verified reset, not a disclosure of your secrets. Any self-service reset beyond that is only something to rely on if the current product actually implements it.
Common issues
- "Backup code invalid": the code was already used (single-use), a typo, or the codes were regenerated. Try another, or use option 2/3.
- Email OTP didn't arrive: check spam and allowlist noreply@wevion.ai. If it still doesn't arrive: option 1 or 3.
- Admin says they can't reset 2FA: the current product may not expose an admin reset. Contact Wevion support directly.
- After reset, can't re-enable 2FA: clear the browser cache and try again. If it persists: contact support.
FAQ
What's the fastest way to recover if I lost my 2FA device?
Use a backup code. At the login 2FA prompt, click "Use backup code" and enter one of the 8-character single-use codes you saved at setup; Wevion validates it via POST /api/v1/auth/2fa/validate. The code is then consumed. Log in, then immediately disable and re-enable 2FA on a new device to generate fresh backup codes.
Does Wevion offer an email code if I can't use my authenticator?
Only if your workspace enabled email-OTP fallback. When available, click "Email me a code" at the 2FA prompt; Wevion sends a one-time code (typically 6 digits, valid ~10 minutes) to your registered address via POST /api/v1/auth/2fa/email-otp. If you don't see the option, it isn't enabled — use a backup code or contact support.
What if I've lost my backup codes and email OTP isn't available?
Contact Wevion support for manual recovery. This is the last resort because it requires admin attention, involves identity verification to prevent social engineering, and briefly leaves the account without 2FA. Wevion does not promise a workspace-admin self-service 2FA reset unless a current route implements it, so don't rely on that path.
How should I store my 2FA backup codes?
Wevion shows backup codes only once at setup, so save them immediately: print and keep them in a physical safe, or store them in a password manager like 1Password or Bitwarden. Never keep them in plaintext on the same device as your authenticator app, and never share them via chat or email.
Last updated: 2026-05-17