If you've lost the device that generates your MFA codes (a phone running Authy or Google Authenticator, a YubiKey, a SoloKey), don't panic. Recovery has three tiers, and you only need one of them to work.
Tier 1 — Use a backup code
When you set up MFA, Zenovay generated 10 single-use backup codes. They look like xxxx-xxxx-xxxx. If you printed or stored them somewhere safe, this is the path of least resistance.
- On the sign-in page, enter your email + password as usual.
- When the MFA prompt appears, click Use a backup code instead.
- Enter one of the codes.
Each code works exactly once. After using one, finish signing in, then immediately reset MFA:
- Profile → Security → Two-factor authentication → Reset MFA.
- Set up a new authenticator (or YubiKey).
- Re-generate and re-print the new backup codes.
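To make the Tier 1 mechanics concrete, here is an added Python example of how a server can generate, store and redeem single-use backup codes. It is illustrative code written for this article, not Zenovay's implementation, and it assumes codes shaped xxxx-xxxx-xxxx, hashed-only storage with one salt per account, case-insensitive matching, and an IP-hash audit entry per attempt; all class and function names are made up.

```python
"""Backup-code lifecycle: generate, store as hashes, redeem once.

Added example, not Zenovay's code. Assumes three groups of four
characters (xxxx-xxxx-xxxx), ten codes per enrolment, and that the
server keeps only salted hashes of the codes.
"""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits
CODE_GROUPS = 3
GROUP_LEN = 4
CODE_COUNT = 10


def generate_backup_codes(count: int = CODE_COUNT) -> list:
    """Return `count` random codes shaped like xxxx-xxxx-xxxx."""
    codes = []
    for _ in range(count):
        groups = ["".join(secrets.choice(ALPHABET) for _ in range(GROUP_LEN))
                  for _ in range(CODE_GROUPS)]
        codes.append("-".join(groups))
    return codes


def _normalise(code: str) -> str:
    # Users retype codes from paper; ignore case and stray spaces.
    return code.strip().lower().replace(" ", "")


def _hash_code(code: str, salt: bytes) -> bytes:
    # Slow hash so a leaked table of hashes is not trivially brute-forced.
    return hashlib.pbkdf2_hmac("sha256", _normalise(code).encode(), salt, 100_000)


def _ip_hash(ip: str) -> str:
    # Log a hash of the client address rather than the raw IP.
    return hashlib.sha256(ip.encode()).hexdigest()[:16]


class BackupCodeStore:
    """Server-side store for one account: hashes only, no plaintext codes."""

    def __init__(self, codes: list):
        # One salt per account means one PBKDF2 computation per attempt.
        self.salt = secrets.token_bytes(16)
        # Each entry is [hash, used_flag]
        self._entries = [[_hash_code(c, self.salt), False] for c in codes]
        self.audit = []

    def remaining(self) -> int:
        return sum(1 for _, used in self._entries if not used)

    def redeem(self, candidate: str, ip: str) -> bool:
        """Consume a code. Returns True exactly once per code."""
        digest = _hash_code(candidate, self.salt)
        for entry in self._entries:
            if hmac.compare_digest(entry[0], digest):
                if entry[1]:
                    self.audit.append(f"reused-code-rejected ip_hash={_ip_hash(ip)}")
                    return False
                entry[1] = True
                self.audit.append(
                    f"backup-code-used ip_hash={_ip_hash(ip)} remaining={self.remaining()}")
                return True
        self.audit.append(f"backup-code-invalid ip_hash={_ip_hash(ip)}")
        return False


if __name__ == "__main__":
    # Constructed walk-through: enrol, redeem once, reject the reuse.
    issued = generate_backup_codes()
    store = BackupCodeStore(issued)
    print(issued[0], store.redeem(issued[0], "203.0.113.5"), store.redeem(issued[0], "203.0.113.5"))
    print(store.audit)
```

The second `redeem` of the same code fails and is logged as a reuse attempt, which is the signal an admin would want to see in the audit trail: a valid code being replayed suggests the printed sheet has been copied.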
Tier 2 — Use a different registered factor
If you registered two factors (for example TOTP plus a WebAuthn passkey, which we recommend), the prompt for the missing factor has a "Try a different method" link. Click it and use the surviving factor.
This is why we recommend always registering at least two factors. If you only registered one, skip to Tier 3.
Tier 3 — Verified email recovery
If both your factor and your backup codes are lost:
- On the sign-in page, click Forgot MFA? (below the MFA prompt).
- Enter your email. We'll send a recovery link to that address.
- Click the link from the email.
- Wait 72 hours. This delay is the safety net — it gives the real account owner time to cancel the recovery if it was triggered by an attacker.
- After 72 hours, the link works once: clicking it disables MFA on your account. You can then sign in with email + password and re-enrol.
The 72-hour delay is non-negotiable and applies regardless of plan tier. We log every step of the recovery for audit purposes.
What gets logged
Whichever tier you use:
- Backup-code use is logged in your audit trail with timestamp + IP-hash.
- Email recovery is logged with the request timestamp, the link issuance, and the eventual click.
- The 72-hour delay creates an entry in your team's audit log so admins are aware.
What about Enterprise SSO?
If you sign in via SAML/OIDC SSO (Enterprise plan), MFA is delegated to your identity provider (Okta, Entra ID, etc.). Recovery is done by your IT helpdesk via the IdP's own flow — Zenovay doesn't have direct involvement.
Preventing this next time
After recovering, take 5 minutes to harden:
- Register a second factor — TOTP + WebAuthn is the gold standard.
- Print fresh backup codes and store them physically (paper in a drawer, fire-safe envelope) and digitally (encrypted password manager note).
- Add an account recovery email (Profile → Security → Account recovery email) — it's separate from your sign-in email and gives you a fallback if you lose access to the primary email account.
Edge case: I can't access the recovery email either
If you've also lost access to the email address tied to the account, recovery requires identity verification. Email support@zenovay.com with:
- The domain of any website registered under the account.
- The approximate signup date.
- A scan/photo of government ID with the document number redacted (we only verify name match).
Verification takes 5-10 working days. We err strongly on the side of caution because impersonation attacks via "I lost everything" claims are common.
Plan applicability
All recovery tiers work on every plan. Tier 3 (email recovery) is rate-limited to 1 attempt per 7 days to prevent abuse.
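The Tier 3 flow, the audit entries described under "What gets logged" and the once-per-7-days limit above combine into one state machine. Here is an added Python example of that machine, written for this article and not taken from Zenovay: it assumes a 72-hour hold, a one-time token sent by email and stored only as a hash, an owner-initiated cancel during the hold, a per-account rate limit, and IP-hashed audit lines; the storage is an in-memory dict so it runs offline, and every name is illustrative.

```python
"""Delayed email recovery (Tier 3) with cancel, single use, audit log
and a per-account rate limit.

Added example, not Zenovay's code. Assumptions: 72-hour hold before the
link works, one request per account per 7 days, token stored as a hash.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

HOLD = timedelta(hours=72)
RATE_LIMIT_WINDOW = timedelta(days=7)


def ip_hash(ip: str) -> str:
    return hashlib.sha256(ip.encode()).hexdigest()[:16]


def token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class RecoveryRequest:
    account: str
    token_hash: str
    requested_at: datetime
    cancelled: bool = False
    consumed: bool = False

    @property
    def unlocks_at(self) -> datetime:
        return self.requested_at + HOLD


@dataclass
class RecoveryService:
    mfa_enabled: dict
    requests: dict = field(default_factory=dict)
    last_request: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def request(self, account: str, ip: str, now: datetime) -> Optional[str]:
        """Issue a recovery token (to be emailed). None if rate-limited."""
        last = self.last_request.get(account)
        if last is not None and now - last < RATE_LIMIT_WINDOW:
            self.audit.append(f"{account} recovery-rate-limited ip_hash={ip_hash(ip)}")
            return None
        token = secrets.token_urlsafe(32)
        req = RecoveryRequest(account, token_hash(token), now)
        self.requests[account] = req
        self.last_request[account] = now
        # The hold itself is logged so team admins see the pending recovery.
        self.audit.append(
            f"{account} recovery-requested ip_hash={ip_hash(ip)} unlocks_at={req.unlocks_at.isoformat()}")
        return token

    def cancel(self, account: str, now: datetime) -> bool:
        """Owner cancels during the hold. True if a live request was cancelled."""
        req = self.requests.get(account)
        if req is None or req.consumed or req.cancelled:
            return False
        req.cancelled = True
        self.audit.append(f"{account} recovery-cancelled at={now.isoformat()}")
        return True

    def redeem(self, account: str, token: str, ip: str, now: datetime) -> str:
        """Click the emailed link. Returns the outcome as a short string."""
        req = self.requests.get(account)
        if req is None or not hmac.compare_digest(req.token_hash, token_hash(token)):
            self.audit.append(f"{account} recovery-link-invalid ip_hash={ip_hash(ip)}")
            return "invalid"
        if req.cancelled:
            return "cancelled"
        if req.consumed:
            return "already-used"
        if now < req.unlocks_at:
            # Link is genuine but the 72-hour safety net has not elapsed.
            self.audit.append(f"{account} recovery-link-early ip_hash={ip_hash(ip)}")
            return "hold-active"
        req.consumed = True
        self.mfa_enabled[account] = False
        self.audit.append(f"{account} mfa-disabled-by-recovery ip_hash={ip_hash(ip)}")
        return "mfa-disabled"


if __name__ == "__main__":
    # Constructed timeline: request, an early click, then the real one.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    svc = RecoveryService(mfa_enabled={"alice": True})
    tok = svc.request("alice", "198.51.100.7", t0)
    print(svc.redeem("alice", tok, "198.51.100.7", t0 + timedelta(hours=71)))
    print(svc.redeem("alice", tok, "198.51.100.7", t0 + HOLD))
    print("\n".join(svc.audit))
```

Two design points are worth noting. The hold is enforced on the server at click time, not by delaying the email, so an attacker who captures the link early gains nothing until the owner's cancel window has closed. And the rate limit is keyed on the account rather than the requester, so repeated "Forgot MFA?" submissions against one victim cannot flood them with fresh holds.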