ItemTrack


Recovery codes

When you turn on 2FA, we generate 10 one-time recovery codes. Each one looks like xxxxx-xxxxx-xxxxx, can be used exactly once, and gets you past 2FA without your authenticator.

What they're for

Lost your phone. Phone is dead. Phone is in another room and you need to log in now. New phone, didn't migrate the authenticator app. All the cases where 2FA blocks your normal sign-in.

How they work

  1. Sign in normally with your password.
  2. On the 2FA prompt, click Use a recovery code.
  3. Enter one of your 10 codes.
  4. We mark it as used and let you in.

That code is now spent. You have 9 left.

Where to store them

The whole point of recovery codes is to be available when 2FA is not available. So:

  • ✓ A password manager (1Password, Bitwarden) — they're encrypted there, available on every device.
  • ✓ Printed on a sheet of paper, in a drawer or safe.
  • ✓ A text file backed up offline (USB stick).
  • ✗ Inside ItemTrack itself — useless if you can't get in.
  • ✗ Email to yourself — works in theory, but phishable, and may not be available if your email is also locked out.
  • ✗ Cloud notes that need 2FA — circular dependency.

A common pattern: write them on a small piece of paper, fold it in half, and keep it in your wallet. They look like nonsense to anyone who finds the paper, and you have them with you wherever you go.

Generating a new set

Go to your profile page → Two-factor authentication → Regenerate recovery codes. We invalidate all existing codes and show 10 new ones.

Generate new codes if:
- You used a code or two and want a fresh batch.
- You suspect someone else has access to your stored codes.
- You moved your storage location and want a clean slate.

Used codes

Used codes are marked spent and stored. You can see how many you have left on your profile page.

If all 10 are used and you haven't regenerated, the next time you lose 2FA access, you're stuck on the emergency reset path.

Security model

Recovery codes are bcrypt-hashed in our database — we can verify a code attempt but we can't reconstruct the codes ourselves. If our database were stolen, the attacker can't read your codes from it.

Each code has ~50 bits of entropy. Brute-forcing requires ~10^15 attempts on average, far beyond what is practical at our login rate limit (5 attempts per minute, then exponential backoff).
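The sign-in flow from "How they work" and the hashing, single-use and rate-limit points from this section, as an added Python example. This is illustrative code written for this page, not ItemTrack's implementation. It assumes a code is 15 decimal digits shown as xxxxx-xxxxx-xxxxx (log2(10^15) ≈ 49.8 bits, which matches the ~50 bits figure above), and it substitutes the standard library's PBKDF2-HMAC for the bcrypt named on the page so it runs without extra packages; the backoff schedule in AttemptLimiter is likewise this example's own choice.

```python
import hashlib
import hmac
import math
import secrets

# Assumptions made by this example (not stated ItemTrack internals):
#  - a code is 15 decimal digits formatted xxxxx-xxxxx-xxxxx
#  - codes are stored as salted slow hashes; PBKDF2-HMAC stands in for bcrypt here
CODE_DIGITS = 15
CODES_PER_SET = 10
KDF_ROUNDS = 50_000  # kept low so the example runs quickly; production cost is higher


def search_space() -> int:
    """Number of possible codes: 10^15."""
    return 10 ** CODE_DIGITS


def entropy_bits() -> float:
    """Bits of entropy in one code: log2(10^15), about 49.8."""
    return math.log2(search_space())


def generate_code() -> str:
    """Draw 15 digits from the OS CSPRNG and format them as xxxxx-xxxxx-xxxxx."""
    digits = "".join(str(secrets.randbelow(10)) for _ in range(CODE_DIGITS))
    return f"{digits[:5]}-{digits[5:10]}-{digits[10:]}"


def normalize(code: str) -> bytes:
    """Drop dashes and whitespace so a code verifies whether or not the user typed them."""
    return "".join(ch for ch in code if ch.isdigit()).encode()


def slow_hash(code: str, salt: bytes) -> bytes:
    """One-way, salted hash: the server can verify an attempt but not recover the code."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code), salt, KDF_ROUNDS)


class RecoveryCodeStore:
    """Server-side record for one account: only salted hashes and a used flag are kept."""

    def __init__(self):
        self.records = []  # each: {"salt": bytes, "hash": bytes, "used": bool}

    def regenerate(self) -> list:
        """Invalidate every existing code and issue a fresh set of 10.
        Plaintexts are returned once for display and are never stored."""
        plaintexts = [generate_code() for _ in range(CODES_PER_SET)]
        self.records = []
        for code in plaintexts:
            salt = secrets.token_bytes(16)
            self.records.append({"salt": salt, "hash": slow_hash(code, salt), "used": False})
        return plaintexts

    def remaining(self) -> int:
        """Count shown on the profile page: codes not yet spent."""
        return sum(1 for r in self.records if not r["used"])

    def redeem(self, attempt: str) -> bool:
        """Accept the attempt if it matches an unused code, and spend that code."""
        for record in self.records:
            if record["used"]:
                continue  # a spent code never works again
            candidate = slow_hash(attempt, record["salt"])
            if hmac.compare_digest(candidate, record["hash"]):  # constant-time compare
                record["used"] = True
                return True
        return False


class AttemptLimiter:
    """5 attempts per minute, then exponential backoff, as the page describes.
    The concrete backoff schedule (60 s, doubling per strike) is this example's choice."""

    def __init__(self, limit: int = 5, window: float = 60.0, base_backoff: float = 60.0):
        self.limit, self.window, self.base_backoff = limit, window, base_backoff
        self.stamps = []          # timestamps of attempts inside the current window
        self.blocked_until = 0.0
        self.strikes = 0          # times the limit was hit; doubles the next block

    def allow(self, now: float) -> bool:
        """Return True if an attempt at time `now` may be checked at all."""
        if now < self.blocked_until:
            return False
        self.stamps = [t for t in self.stamps if now - t < self.window]
        if len(self.stamps) >= self.limit:
            self.blocked_until = now + self.base_backoff * (2 ** self.strikes)
            self.strikes += 1
            return False
        self.stamps.append(now)
        return True


if __name__ == "__main__":
    store = RecoveryCodeStore()
    codes = store.regenerate()
    print("issued:", codes)
    print("first use:", store.redeem(codes[0]), "remaining:", store.remaining())
    print("reuse of the same code:", store.redeem(codes[0]))
    print("entropy bits:", round(entropy_bits(), 1))
```

Two design points worth noticing: `redeem` has to hash the attempt once per unused record (each record has its own salt), so an attempt costs up to ten slow hashes, and every `redeem` call must sit behind `AttemptLimiter.allow`, since the entropy argument above only holds when the attacker is held to the stated rate.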
