Account recovery
If you can't sign in to your account, work down this list in order. Stop as soon as one works.
I forgot my password
Use the Forgot password link on the login page. We send a reset email to your registered email address. Click the link in that email and set a new password.
If you don't receive the email:
- Check your spam folder.
- Wait 5 minutes — outbound email can be slow.
- Make sure your email account is still active.
- If your registered email itself is broken, see "I lost access to my registered email".
I have my password but 2FA blocks me
If you have recovery codes, click Use a recovery code on the 2FA prompt. Enter one. You're in. Generate new recovery codes immediately and set up 2FA again on your new phone if needed.
If you've used all 10 recovery codes, see "I lost my MFA device AND my recovery codes" below.
I lost my MFA device AND my recovery codes
This is the painful case.
There's no self-service way out, because an attacker who phished your password could use it too. The only paths:
- If you have SSH access to the server (you're hosting your own ItemTrack instance), run the emergency password reset script, which can also disable 2FA in the same call.
- If you don't have SSH access (you're a regular customer on the hosted version), email support. We'll verify your identity through other channels — usually a video call confirming you're you, plus answering a couple of your stored security questions — and then run the emergency reset on your behalf. This typically takes 1–3 business days.
I lost access to my registered email
Same path as "lost MFA without recovery codes". Email support and we'll verify identity manually.
My account is locked from too many failed logins
After 5 wrong password attempts within 5 minutes, the account is locked for 30 minutes. Wait it out and try again. Or use Forgot password to bypass the lockout (a successful reset clears the failed-login counter).
If the lockout is from someone trying to brute-force you (common if your email was in a public breach), turn on 2FA the moment you get back in.
Using the emergency reset script
(For self-hosted instances or admin support paths only.)
The repository ships with public/admin-reset-password.php. Run it from the command line:
php public/admin-reset-password.php \
--email=you@example.com \
--password='NewStrongPassword!' \
--disable-mfa --unlock
Flags:
- --disable-mfa — clear 2FA settings so you can re-enroll on a new device.
- --promote-superadmin — set role to platform_admin (rarely needed).
- --unlock — clear the failed-login counter and any active lockout.
Alternatively, run it over the web at /admin-reset-password.php?key=<MIGRATION_SECRET> if you have the secret.
Important: delete the file from production after use, OR rotate MIGRATION_SECRET. The script is dangerous if left in place.
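To check the cleanup step above after a web reset, this added example (not part of the ItemTrack repository) scans web-server access-log lines for requests to /admin-reset-password.php and reports whether the script still answers and whether a key= value was written to the log. It assumes common/combined log format and that a deleted script returns 404; the sample lines, IP addresses and PLACEHOLDER_SECRET are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

RESET_PATH = "/admin-reset-password.php"  # web endpoint named on this page

# Prefix of a common/combined-format access-log line (assumed log format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})\b'
)

def audit_reset_endpoint(log_lines):
    """Return one finding per logged request to the reset endpoint."""
    findings = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        url = urlsplit(m["target"])
        if url.path != RESET_PATH:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "status": status,
            # Assumption: once the file is deleted the server answers 404.
            "script_still_served": status != 404,
            # key= present: the secret is in this log (value not copied here).
            "secret_logged": "key" in parse_qs(url.query, keep_blank_values=True),
        })
    return findings

def summarize(findings):
    """Collapse findings into the two questions the cleanup step raises."""
    return {
        "script_still_served": any(f["script_still_served"] for f in findings),
        "secret_logged": any(f["secret_logged"] for f in findings),
    }

# Constructed sample lines: documentation IP ranges and a placeholder secret.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2025:09:14:02 +0000] "GET /admin-reset-password.php?key=PLACEHOLDER_SECRET HTTP/1.1" 200 512',
    '203.0.113.40 - - [12/Mar/2025:11:30:45 +0000] "GET /admin-reset-password.php HTTP/1.1" 403 150',
    '203.0.113.40 - - [12/Mar/2025:11:31:10 +0000] "GET /login HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(summarize(audit_reset_endpoint(SAMPLE_LOG)))
```

A secret_logged hit means MIGRATION_SECRET is readable by anyone who can read the access log, so deleting the file alone leaves the secret exposed for any later redeploy of the script.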
Identity verification for support
When we verify identity on a recovery request, we ask for some combination of:
- A photo of your government ID with a hand-written note ("ItemTrack recovery YYYY-MM-DD") on the page next to it.
- A live video call where you read the same note out loud.
- Confirmation from another verified email or phone we have on file.
- Knowledge of recent activity (last items created, approximate dates, etc.).
We don't accept just one of these. We accept some combination of two or three, depending on what's on file.
How to avoid all this
- Turn on 2FA as soon as you sign up.
- Save your recovery codes outside the app.
- Use a password manager.
- Make sure your registered email is one you'll actually have access to in 2 years.