
I lost my MFA device — how do I recover my account?

Lost the phone with your authenticator app? Here's how to get back in with a backup code, and what to do if those are gone too.


If you lost the device generating your two-factor codes (a phone with Authy, Google Authenticator, or any TOTP app), don't panic. You have two ways back in: a backup code, or a verified support recovery if those are gone too.

Option 1 — Use a backup code

When you set up two-factor authentication, Zenovay generated 10 single-use backup codes. They look like xxxx-xxxx-xxxx. If you printed or stored them somewhere safe, this is the fastest route.

  1. On the sign-in page, enter your email and password as usual.
  2. When the two-factor prompt appears, click Lost access to your authenticator? Use a backup code.
  3. Enter one of your codes and continue.

Each code works exactly once, so you're now low on codes. The next step depends on whether you still have a working authenticator app:

If you still have your authenticator app (for example, you only misplaced your printed backup codes), rotate your two-factor setup so you have a fresh batch of codes:

  1. Go to Profile → Security.
  2. On the Two-factor authentication card, click Disable and confirm with a current 6-digit code from your authenticator app.
  3. Set it up again with your authenticator. Re-enrolling generates a fresh set of 10 backup codes — save those in a new safe place.

If your authenticator app is gone for good but you still have at least one backup code, you can recover on your own — you don't need support:

  1. Go to Profile → Security.
  2. On the Two-factor authentication card, click Disable.
  3. In the confirmation dialog, choose Use a backup code (instead of entering an authenticator code) and enter one of your remaining codes.
  4. Once two-factor is off, set it up again with a new authenticator. Re-enrolling issues a fresh set of 10 backup codes.

Only if both your authenticator and all your backup codes are gone do you need to contact support (Option 2 below).

Info

Disabling two-factor authentication automatically invalidates your old backup codes. The new set issued during re-enrollment replaces them entirely.

Option 2 — Recover via Zenovay support

If both your authenticator and your backup codes are gone, recovery requires identity verification by the Zenovay team. Email [email protected] with:

  • The email address tied to the account.
  • The domain of any website registered under the account.
  • The approximate signup date.

We err strongly on the side of caution because impersonation attempts ("I lost everything") are common, so verification can take a few working days. Once we confirm you're the account owner, we'll remove two-factor authentication from your account so you can sign in with your email and password and re-enroll.

Warning

There is no self-service "reset MFA by email" link on the sign-in page. If you can't find one, that's expected — backup codes are the self-service path, and support handles everything else.

A note on backup codes

Each backup code is single-use: once you sign in with one, it's permanently consumed and the count of codes you have left goes down. When you're running low, re-enroll your authenticator to issue a fresh set of 10. That's why we recommend rotating as soon as you've recovered access, rather than burning through codes one at a time.
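The backup-code rules this article describes (10 codes per enrollment, each accepted once, all invalidated when two-factor is disabled, a fresh batch on re-enrollment) can be enforced server-side as in this added Python example. It is not Zenovay's code: the class and function names, the code alphabet, SHA-256 hashing, and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # assumed alphabet, look-alike characters dropped
CODES_PER_BATCH = 10  # the article states 10 codes per enrollment


def new_code() -> str:
    """Random code in the xxxx-xxxx-xxxx shape shown in the article."""
    groups = ["".join(secrets.choice(ALPHABET) for _ in range(4)) for _ in range(3)]
    return "-".join(groups)


def digest(code: str) -> str:
    """Normalise user input, then hash so plaintext codes are never stored (assumed scheme)."""
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


class BackupCodeStore:
    """Hypothetical in-memory store: user id -> digests of unused codes."""

    def __init__(self) -> None:
        self._unused: dict[str, set[str]] = {}

    def enroll(self, user: str) -> list[str]:
        """Issue a fresh batch; any earlier batch is replaced entirely."""
        codes = [new_code() for _ in range(CODES_PER_BATCH)]
        self._unused[user] = {digest(c) for c in codes}
        return codes  # shown to the user once; only digests are kept

    def redeem(self, user: str, code: str) -> bool:
        """Accept a code at most once, comparing digests in constant time."""
        candidate = digest(code)
        for stored in list(self._unused.get(user, ())):
            if hmac.compare_digest(stored, candidate):
                self._unused[user].discard(stored)  # permanently consumed
                return True
        return False

    def disable(self, user: str) -> None:
        """Turning two-factor off invalidates every outstanding code."""
        self._unused.pop(user, None)

    def remaining(self, user: str) -> int:
        """Number of unused codes the user still holds."""
        return len(self._unused.get(user, ()))
```

A production store would make `redeem` atomic at the database level so two concurrent sign-ins cannot both spend the same code.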

What about Enterprise SSO?

If your workspace signs in via SAML or OIDC single sign-on (available on Scale and Enterprise plans), two-factor authentication is handled by your identity provider (Okta, Microsoft Entra ID, and similar), not by Zenovay. Recovery is done through your own IT helpdesk and your IdP's recovery flow — Zenovay isn't involved in that step.

Preventing this next time

After recovering, take five minutes to harden your account:

  1. Print fresh backup codes and store them physically (paper in a drawer or a fire-safe envelope) and digitally (an encrypted password-manager note).
  2. Add a passkey under Settings → Account → Security & access → Passkeys. A passkey lets you sign in without a password, and it's tied to your device's biometrics or hardware key — a strong, phishing-resistant credential to fall back on.
  3. Keep your account email current under Settings → Account → Profile, since support recovery and password resets both depend on it.

Plan applicability

Backup codes and support-assisted recovery work on every plan. SAML/OIDC SSO (where MFA is delegated to your identity provider) is available on the Scale and Enterprise plans.
