Recovery codes are your backup if you lose access to every enrolled passkey. They are single-use, 26-character codes generated automatically the first time you enroll a passkey on your account. Each account gets 10 codes.
When they are generated
- Once, automatically, when you enroll your first passkey
- The plaintext is shown to you exactly once. After that we only store a SHA-256 hash, so we cannot show them to you again.
- You can regenerate a fresh batch of 10 from the Security page on the web at any time. Regenerating invalidates every previous code.
How to use them
- On the Security page, click "Use a recovery code" and enter one
- On success, all of your existing passkeys are invalidated and the code is consumed
- You are signed in temporarily and required to enroll a new passkey before you can do anything else
- The remaining codes still work, but you are down by one
Where to store them
- A password manager like 1Password, Bitwarden, or Apple Passwords is the most convenient option
- Printed and locked in a safe is fine too
- Do not save them in plain-text files or screenshots on the same device as your passkey. If you lose that device you lose both at once.
If you run out of recovery codes and have lost access to every passkey, contact support@oakallow.io from the email on your account and we will verify ownership and reset your passkey requirement.