Recovery
If a user loses access to all their passkey devices, they can regain access using recovery codes.
Recovery codes
Recovery codes are one-time-use alphanumeric codes generated by the user. Each set contains 10 codes. The codes are stored in the TYPO3 database as bcrypt hashes -- the plaintext is shown only once at generation time.
Generating recovery codes
- Navigate to the passkey management page.
- Click Generate recovery codes.
- The codes are shown once. Save them in a secure location.
- Click I have saved my recovery codes to confirm.
Warning
Recovery codes are shown exactly once. If you lose them, you must generate a new set, which invalidates the previous set.
Using a recovery code
- Visit the login page.
- Click Use a recovery code (on the passkey login form or felogin integration).
- Enter your username and one recovery code.
- You are logged in.
- The used code is marked as consumed and cannot be used again.
After using a recovery code, enroll a new passkey immediately to restore full passkey-first authentication.
Code lifecycle
- Each code can be used exactly once.
- Generating a new set invalidates all previous codes.
- Codes do not expire (but are invalidated on new set generation).
- Used codes are stored as consumed (not deleted) for audit purposes.
See adr-003 for the design decision on the triple recovery mechanism.