Browse the knowledge base

How do I use 2FA recovery codes?

On the 2FA prompt, switch to the backup-code option and enter one of the 10 codes you saved when enabling 2FA. Each code works once. After signing in, immediately disable + re-enable 2FA on your new device, or generate fresh backup codes from Settings. If all codes are used and you can't access the authenticator, [email protected] resets 2FA after identity verification (1–3 working days).

When you need a recovery code

You enabled 2FA. Now you can't generate the 6-digit code. The common causes:

  • Phone lost, stolen, broken, or factory-reset.
  • Reinstalled your authenticator app without backing it up first (Google Authenticator without iCloud sync, for example).
  • Got a new phone, didn't migrate the 2FA setup.
  • Authenticator app deleted by accident.
  • Phone in for repair / not with you on a critical day.

In all these cases, your recovery codes are your way back in — without needing to contact support. The codes are designed for exactly this scenario.

For the broader sign-in-troubleshooting context (password reset, brute-force lockout, etc.), see I can't sign in or password reset. For the 2FA setup that produced the codes, see enable 2FA.

The walk-through — use a recovery code

Step 1 — sign in normally up to the 2FA prompt

Go to the login page, enter your email and password. You'd normally then see the 6-digit code prompt.

Step 2 — switch to the backup-code path

On the 2FA prompt screen, switch to the backup-code option (below the 6-digit input field). The form switches to a longer text field for the backup code.

Step 3 — enter a backup code

Type or paste one of the 10 codes you saved when enabling 2FA. Each code is 10 characters (letters and digits). The codes don't expire individually — they're valid until used, even years later.

If you have a list of 10 codes saved, just use any one. The order doesn't matter; the system accepts any unused code from the set.

Step 4 — you're in

You land on the Dashboard. The backup code you used is permanently consumed — it can't be used again. The next time you sign in, you can either use a fresh 6-digit code (if you've re-paired the authenticator), another backup code, or your new authenticator setup.

Step 5 — immediately re-secure your account

This is the step people skip and regret. Do it right after signing in:

  • Open Settings → Security → Two-Factor Authentication.
  • Disable + re-enable 2FA on your new device — the old pairing is invalidated, and you get fresh backup codes for the new setup.
  • OR if you regained access to your old authenticator (e.g. phone was just temporarily missing): regenerate your backup codes to replace the set you've started consuming.

Why re-secure: if you lost the phone, anyone who has it could in theory still have the TOTP secret. Re-enabling 2FA on a new device generates a fresh secret; the old one is no longer accepted.

How many backup codes you started with

When you enabled 2FA, you got 10 backup codes. They were shown to you once, on the post-setup screen, with a strong "save these somewhere safe" warning. The codes are 10 characters each (letters and digits, with easily-confused characters like 0/O and 1/I left out) — easy enough to type without errors but long enough to resist guessing.

If you saved them: they're in whatever location you put them (password manager, encrypted note, printed paper). Find them, use one.

If you didn't save them: you cannot retrieve them later. The codes are stored hashed in our database — we can't read them either, by design. This is the same principle as password hashing; we know what the hash of a correct code would be, but we can't reverse the hash to recover the codes themselves.

Your options if you didn't save them and can't access your authenticator:

  1. Try every authenticator app you might have used. Some users have multiple apps; the TOTP secret might be in one you've forgotten about. Check Google Authenticator, 1Password, Authy, Microsoft Authenticator, iCloud Keychain.
  2. Check old phones, password managers, paper backups. The codes might be in a place you haven't looked.
  3. If nothing works: write to [email protected] from the email address on the account. We'll verify your identity (account creation date, billing details, recent activity, last-uploaded document, etc.) and reset 2FA on our side. SLA: typically 1–3 working days.

There is no automated bypass — the identity-verification step is manual on our side because automated 2FA-reset is the most common phishing pivot. We'd rather make legitimate users wait a few days than make it trivial for an attacker to take over an account.

Where to keep recovery codes

Pick one (preferably several) of:

  • Password manager (1Password, Bitwarden, KeePass, iCloud Keychain) — same vault as your TaxItEasy password. This is the most-recommended option; it's where you'll look first when you need them.
  • Printed on paper in a safe / safety-deposit box / sealed envelope in a drawer. Old-school but works; useful for disaster scenarios where your devices are inaccessible.
  • Encrypted note on a device you trust and back up regularly. Apple Notes' lock-with-passcode feature, Notion's lock function, an encrypted DMG, a GPG-encrypted text file.
  • Family member's safekeeping for genuine emergencies. Only if you trust them with what's effectively a backup key to your tax data.

What not to do:

  • Email them to yourself unencrypted (defeats the point — anyone who reads your inbox can sign in).
  • Screenshot them in your phone's Photos app (often syncs to cloud, often shared accidentally in screenshot albums).
  • Write them in a sticky note on the monitor (physical access compromise).
  • Save them in a plaintext file with a name like "taxiteasy 2fa.txt" (any malware running on your machine will find it).

Generating fresh backup codes

Settings → Security → Two-Factor Authentication → regenerate backup codes.

Generating new codes invalidates the old set at the same moment. The old codes stop working immediately; you cannot fall back to them. Always store the new set safely before walking away from the screen.

When to regenerate:

  • After using one or more codes (you've now got fewer "spare lives"; topping back up to 10 is good practice).
  • If you suspect your old codes were exposed (e.g. accidentally posted to a public location, found in an old shared drive).
  • After re-setting up 2FA on a new device — new device + new authenticator + new backup codes = a clean restart.

Edge cases

I used a code and it didn't work. Either you've already used it, or you've mistyped (watch for look-alike characters). Try the next code in your list, typed carefully.

All my backup codes are used + I lost my authenticator. Write to [email protected] from the email address on the account. We reset 2FA after identity verification (1–3 working days). Include in the email: the account email, the approximate signup date, the most recent payment receipt number (if you have one), and the last invoice or document you remember uploading. The more verification signals you provide, the faster the verification.

Can I have unlimited backup codes? No — the count is fixed at 10 per generation. When you run low (say, you've used 3 and have 7 left), regenerate to refresh the full set. The count balances "enough cushion for multiple emergencies" against "small enough to write down on one sheet of paper".

Are backup codes the same as 2FA backup-via-SMS? No, we don't do SMS-based 2FA. SMS is vulnerable to SIM-swap attacks and is being deprecated as a 2FA method industry-wide for sensitive accounts. Backup codes are the only backup path. They're stronger than SMS because they're not tied to a phone number that can be socially-engineered away from you.

Backup codes look short — are they secure? 10 characters from a 32-character alphabet is on the order of 10^15 possibilities — and login attempts are rate-limited with an account lockout on repeated failures, so guessing one is not a realistic attack. The codes are stored hashed, so a database breach doesn't directly expose them.

Can I use someone else's backup code on my account? No — codes are tied to your account. A code from a different account simply doesn't match anything and is rejected. The codes aren't transferable.

My phone was stolen and I'm worried the thief has my codes too. If your codes were in your phone's authenticator app or notes app, treat them as compromised. Sign in via backup code, immediately regenerate the codes and re-enable 2FA on a new device. If the thief gets to the codes faster than you, they could in theory sign in once — which is why you should also change your password and review your active sessions under Settings → Security.

Can a tax advisor use backup codes for their own access to my account? Tax advisors have their own accounts with their own 2FA setup; your backup codes don't apply to them. Your account's backup codes are only for you getting back into your account. The advisor flow is separate; see invite your tax advisor.

Related

Didn't answer your question? Write to [email protected] · the AI chat in the bottom-right corner answers most common questions.