Skip to main content

Lost your 2FA device

How to recover access using your backup codes.

You have your backup codes

At enrollment we showed you 10 single-use backup codes. If you saved them:

  1. Sign in with your username + password as usual.
  2. At the TOTP prompt, click "Use a backup code instead."
  3. Enter one of your unused codes.
  4. You're in. The code is now consumed; the other 9 still work.

You don't have your backup codes

This is the harder case. Email support@volatility.farm from the email address associated with the account. Include:

  • Your username.
  • Approximate date you opened the account.
  • The Kraken sub-account (last 4 of the API key if you remember it — we'll use this to verify identity).

We'll respond with our identity-verification process. This is necessarily slow — we'd rather deny a legitimate request than hand an attacker your account. Expect 24–48 hours.

Once verified, we can:

  • Disable TOTP on your account so you can sign in with password only.
  • Walk you through re-enrolling with a new device.

Once you're back in: regenerate everything

  1. Re-enroll TOTP at /me/totp/enroll.
  2. Regenerate backup codes from the security section of /me.
  3. Save the new backup codes (the old ones are invalidated by regenerate).
  4. Change your password if you suspect the lost device was compromised.

Future-proofing

  • Use a password manager that syncs across devices (1Password, Bitwarden) — your TOTP secrets live there too, so a lost phone is recoverable from any other signed-in device.
  • Save backup codes in two places (e.g. password manager + a printed copy in a safe).
  • Don't store backup codes on the same device as your authenticator.