How do recovery codes work?
Short answer
Recovery codes are one-time backup credentials shown once; you store them safely and use one if you lose your passkey device.
Last reviewed: 2026-02-20
Tags: account, recovery-codes, passkeys
Why this matters
Passkeys are strong, but device loss happens. Recovery codes prevent permanent account lockout.
Safe default steps
- Save recovery codes immediately after account setup.
- Store them offline in a secure location.
- Mark used codes and rotate if needed.
Common mistakes
- Taking screenshots that sync to cloud photo backups.
- Storing codes in plaintext in everyday note apps.
- Sharing codes over chat.
Limits
Recovery codes are backup access, not full account security. Treat them like high-value secrets.
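The following Python example is added here to show what "one-time" and "shown once" mean on the service side; it is not this service's code, which the page does not describe. The class, its method names, the code length and the alphabet are all hypothetical choices made for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: look-alike characters (0/O, 1/I/L) are left out.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def _digest(code: str) -> str:
    # Normalise what the user typed (case, dashes, spaces) before hashing.
    # Plain SHA-256 is used because the codes are long random strings.
    normalised = code.replace("-", "").replace(" ", "").upper()
    return hashlib.sha256(normalised.encode()).hexdigest()


class RecoveryCodes:
    """Hypothetical store for one account's recovery codes."""

    def __init__(self):
        self._unused = set()  # digests only; plaintext codes are never kept

    def issue(self, count=10, length=16):
        """Rotate: drop all old codes, return new ones for a single display."""
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(length))
                 for _ in range(count)]
        self._unused = {_digest(c) for c in codes}
        # Group as XXXX-XXXX-XXXX-XXXX so they are easier to copy onto paper.
        return ["-".join(c[i:i + 4] for i in range(0, length, 4)) for c in codes]

    def redeem(self, code):
        """Return True once per valid code; a code is burned when it is used."""
        candidate = _digest(code)
        match = None
        for stored in self._unused:
            # Constant-time comparison against every stored digest.
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)
        return True

    def remaining(self):
        return len(self._unused)
```

Because only digests are stored, the codes cannot be displayed a second time, and issuing a new set invalidates every code from the old one.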
Related
Next safe step: scrub a PDF locally and review threat model limits.