When you need a recovery code
You enabled 2FA. Now you can't generate the 6-digit code. The common causes:
- Phone lost, stolen, broken, or factory-reset.
- Reinstalled your authenticator app without backing it up first (Google Authenticator without iCloud sync, for example).
- Got a new phone, didn't migrate the 2FA setup.
- Authenticator app deleted by accident.
- Phone in for repair / not with you on a critical day.
In all these cases, your recovery codes are your way back in — without needing to contact support. The codes are designed for exactly this scenario.
For the broader sign-in-troubleshooting context (password reset, brute-force lockout, etc.), see I can't sign in or password reset. For the 2FA setup that produced the codes, see enable 2FA.
The walk-through — use a recovery code
Step 1 — sign in normally up to the 2FA prompt
Go to the login page, enter your email and password. You'd normally then see the 6-digit code prompt.
Step 2 — switch to the recovery-code path
On the 2FA prompt screen, click Use a recovery code instead (the link is below the 6-digit input field). The form switches to a longer text field for the recovery code.
Step 3 — enter a recovery code
Type or paste one of the 8 codes you saved when enabling 2FA. Each code is 8–12 alphanumeric characters; capitalisation doesn't matter (we normalise to lowercase). The codes don't expire individually — they're valid until used, even years later.
If you have a list of 8 codes saved, just use any one. We don't track which order you saved them in; the system accepts any unused code from the set.
Step 4 — you're in
You land on the Dashboard. The recovery code you used is permanently consumed — it can't be used again. The next time you sign in, you can use a fresh 6-digit code from your re-paired or newly set-up authenticator, or another recovery code.
Step 5 — immediately re-secure your account
This is the step people skip and regret. Do it right after signing in:
- Open Settings → Account → Two-Factor Authentication.
- Disable + re-enable 2FA on your new device — the old pairing is invalidated, and you get fresh recovery codes for the new setup.
- OR, if you regained access to your old authenticator (e.g. the phone was only temporarily missing): click Generate new recovery codes to replace the set you've started consuming.
Why re-secure: if you lost the phone, anyone who has it could in theory still have the TOTP secret. Re-enabling 2FA on a new device generates a fresh secret; the old one is no longer accepted.
How many recovery codes you started with
When you enabled 2FA, you got 8 recovery codes. They were shown to you once, on the post-setup screen, with a strong "save these somewhere safe" warning. The codes are 8–12 alphanumeric characters each — easy enough to type without errors but long enough to resist guessing.
If you saved them: they're in whatever location you put them (password manager, encrypted note, printed paper). Find them, use one.
If you didn't save them: you cannot retrieve them later. The codes are stored hashed in our database — we can't read them either, by design. This is the same principle as password hashing; we know what the hash of a correct code would be, but we can't reverse the hash to recover the codes themselves.
Your options if you didn't save them and can't access your authenticator:
- Try every authenticator app you might have used. Some users have multiple apps; the TOTP secret might be in one you've forgotten about. Check Google Authenticator, 1Password, Authy, Microsoft Authenticator, iCloud Keychain.
- Check old phones, password managers, paper backups. The codes might be in a place you haven't looked.
- If nothing works: write to [email protected] from the email address on the account. We'll verify your identity (account creation date, billing details, recent activity, last-uploaded document, etc.) and reset 2FA on our side. SLA: typically 1–3 working days.
There is no automated bypass — the identity-verification step is manual on our side because automated 2FA-reset is the most common phishing pivot. We'd rather make legitimate users wait a few days than make it trivial for an attacker to take over an account.
Where to keep recovery codes
Pick one (preferably several) of:
- Password manager (1Password, Bitwarden, KeePass, iCloud Keychain) — same vault as your TaxItEasy password. This is the most-recommended option; it's where you'll look first when you need them.
- Printed on paper in a safe / safety-deposit box / sealed envelope in a drawer. Old-school but works; useful for disaster scenarios where your devices are inaccessible.
- Encrypted note on a device you trust and back up regularly. Apple Notes' lock-with-passcode feature, Notion's lock function, an encrypted DMG, a GPG-encrypted text file.
- Family member's safekeeping for genuine emergencies. Only if you trust them with what's effectively a backup key to your tax data.
What not to do:
- Email them to yourself unencrypted (defeats the point — anyone who reads your inbox can sign in).
- Screenshot them in your phone's Photos app (often syncs to cloud, often shared accidentally in screenshot albums).
- Write them in a sticky note on the monitor (physical access compromise).
- Save them in a plaintext file with a name like "taxiteasy 2fa.txt" (any malware running on your machine will find it).
Generating fresh recovery codes
Settings → Account → Two-Factor Authentication → Generate new recovery codes.
Generating new codes invalidates the old set in the same transaction. The old codes stop working immediately; you cannot fall back to them. Always store the new set safely before walking away from the screen.
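The following is an added illustration of the server-side behaviour described in Step 3 (whitespace stripped, capitalisation ignored, any unused code from the set accepted), in "How many recovery codes you started with" (codes stored only as hashes) and in this section (a new set replaces the old one in one step). It is not TaxItEasy's code; the KDF, the salt handling and the in-memory data structures are assumptions chosen for the example.

```python
# Added illustration of the recovery-code model described on this page.
# Not TaxItEasy's code: the KDF (PBKDF2), per-set salt and the dataclasses
# are assumptions made for the example.
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

# Codes are compared case-insensitively, so generate them from the
# lowercase alphabet that input is normalised to (letters + digits).
ALPHABET = string.ascii_lowercase + string.digits
CODE_COUNT = 8                # the fixed set size described on the page
CODE_LENGTH = 10              # inside the 8-12 character range on the page
PBKDF2_ITERATIONS = 100_000   # assumption: any password-hashing KDF would do


def normalise(code: str) -> str:
    """Apply the page's input rules: strip surrounding whitespace, ignore case."""
    return code.strip().lower()


def hash_code(code: str, salt: bytes) -> bytes:
    """Hash a normalised code so the stored value cannot be reversed."""
    return hashlib.pbkdf2_hmac("sha256", normalise(code).encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class RecoveryCodeSet:
    salt: bytes
    hashes: list[bytes]   # only unused codes; a redeemed code is removed


@dataclass
class Account:
    codes: RecoveryCodeSet | None = None


def generate_codes(account: Account) -> list[str]:
    """Issue a fresh set, replacing any previous set in the same step.

    The plaintext is returned for one-time display and is never stored."""
    plaintext = [
        "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        for _ in range(CODE_COUNT)
    ]
    salt = secrets.token_bytes(16)
    account.codes = RecoveryCodeSet(salt=salt, hashes=[hash_code(c, salt) for c in plaintext])
    return plaintext


def redeem_code(account: Account, submitted: str) -> bool:
    """Accept any unused code from the current set and consume it on success."""
    if account.codes is None:
        return False
    candidate = hash_code(submitted, account.codes.salt)
    for index, stored in enumerate(account.codes.hashes):
        # Constant-time comparison of the two hash values.
        if hmac.compare_digest(candidate, stored):
            del account.codes.hashes[index]   # permanently consumed
            return True
    return False


def remaining(account: Account) -> int:
    """How many unused codes ("spare lives") are left in the current set."""
    return 0 if account.codes is None else len(account.codes.hashes)


if __name__ == "__main__":
    acct = Account()
    shown_once = generate_codes(acct)          # displayed to the user exactly once
    print("Save these now:", shown_once)
    print("redeem with caps and whitespace:", redeem_code(acct, "  " + shown_once[0].upper() + "\n"))
    print("same code a second time:", redeem_code(acct, shown_once[0]))
    print("remaining:", remaining(acct))
```

Because `generate_codes` overwrites the whole `RecoveryCodeSet`, codes from the previous set stop matching the moment the new set is issued, which is the "same transaction" behaviour described above; in a real deployment the overwrite would be one database transaction rather than an attribute assignment.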
When to regenerate:
- After using one or more codes (you've now got fewer "spare lives"; topping back up to 8 is good practice).
- If you suspect your old codes were exposed (e.g. accidentally posted to a public location, found in an old shared drive).
- After re-setting up 2FA on a new device — new device + new authenticator + new recovery codes = a clean restart.
Edge cases
I used a code and it didn't work. Either you've already used it, the input has trailing whitespace, or you've mistyped it. Try the next code in your list. Each code is 8–12 alphanumeric characters; capitalisation doesn't matter. Whitespace around the input is stripped automatically, but a typo inside the code will be rejected — re-check it carefully.
All my recovery codes are used + I lost my authenticator. Write to [email protected] from the email address on the account. We reset 2FA after identity verification (1–3 working days). Include in the email: the account email, the approximate signup date, the most recent payment receipt number (if you have one), and the last invoice or document you remember uploading. The more verification signals you provide, the faster the verification.
Can I have unlimited recovery codes? No — the count is fixed at 8 per generation. When you run low (say, you've used 3 and have 5 left), regenerate to refresh the full set. The 8-count balances "enough cushion for multiple emergencies" against "small enough to write down on one sheet of paper".
Are recovery codes the same as 2FA backup-via-SMS? No, we don't do SMS-based 2FA. SMS is vulnerable to SIM-swap attacks and is being deprecated as a 2FA method industry-wide for sensitive accounts. Recovery codes are the only backup path. They're stronger than SMS because they're not tied to a phone number that can be socially-engineered away from you.
Recovery codes look short — are they secure? 8–12 alphanumeric characters at ~62 possible characters per position = roughly 62^10 ≈ 8.4 × 10^17 possibilities for a 10-character code. With per-account rate limiting (max 5 attempts per 15 minutes), guessing one would take longer than the age of the universe. The codes are stored hashed, so a database breach doesn't directly expose them.
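The two defences this answer relies on, the per-account attempt limit and the size of the code space, as an added example that is not part of the original page and not TaxItEasy's code. The sliding-window design, the injectable clock (`now` in seconds) and the way the guess-time estimate is computed are assumptions made for the illustration; the numbers (5 attempts per 15 minutes, 8 live codes, 10 characters) are the page's.

```python
# Added illustration of rate limiting plus a worked version of the
# "longer than the age of the universe" estimate above. Not TaxItEasy's code;
# the sliding-window limiter and clock parameter are assumptions.
from __future__ import annotations

from collections import deque

MAX_ATTEMPTS = 5          # per account ...
WINDOW_SECONDS = 15 * 60  # ... per 15 minutes, as stated on the page


class RecoveryCodeRateLimiter:
    """Sliding-window limiter keyed by account rather than by client IP,
    so changing source address does not refresh the attempt budget."""

    def __init__(self) -> None:
        self._attempts: dict[str, deque[float]] = {}

    def _window(self, account_id: str, now: float) -> deque[float]:
        q = self._attempts.setdefault(account_id, deque())
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()                      # drop attempts older than the window
        return q

    def allow(self, account_id: str, now: float) -> bool:
        """True if the account still has attempt budget at time `now` (seconds)."""
        return len(self._window(account_id, now)) < MAX_ATTEMPTS

    def record_attempt(self, account_id: str, now: float) -> None:
        """Count every recovery-code attempt, successful or not."""
        self._window(account_id, now).append(now)

    def clear(self, account_id: str) -> None:
        """Called after a successful sign-in so the next emergency starts fresh."""
        self._attempts.pop(account_id, None)


def expected_years_to_guess(code_length: int = 10, alphabet_size: int = 62,
                            live_codes: int = 8, max_attempts: int = MAX_ATTEMPTS,
                            window_seconds: int = WINDOW_SECONDS) -> float:
    """Expected duration of an online guessing attack that stays inside the limit.

    Any of the `live_codes` unused codes is a hit, and on average half of the
    remaining space has to be tried before one is found."""
    keyspace = alphabet_size ** code_length
    expected_guesses = keyspace / live_codes / 2
    guesses_per_second = max_attempts / window_seconds
    seconds = expected_guesses / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    limiter = RecoveryCodeRateLimiter()
    for t in range(6):
        print(f"t={t}s allow={limiter.allow('acct-1', float(t))}")
        limiter.record_attempt("acct-1", float(t))
    print(f"62-char alphabet: {expected_years_to_guess():.2e} years")
    print(f"36-char alphabet: {expected_years_to_guess(alphabet_size=36):.2e} years")
```

One caveat worth knowing when you read the 62^10 figure: because capitalisation is ignored, the effective alphabet is the 36 lowercase letters and digits, so a 10-character code has 36^10 ≈ 3.7 × 10^15 possibilities rather than 8.4 × 10^17. Under the same 5-per-15-minutes limit that still works out to on the order of a billion years of guessing, so the practical conclusion is unchanged.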
Can I use someone else's recovery code on my account? No — codes are hashed and stored against the account they were issued for. A code from a different account doesn't match any hash on yours and is rejected. The codes aren't transferable.
My phone was stolen and I'm worried the thief has my codes too. If your codes were in your phone's authenticator app or notes app, treat them as compromised. Sign in via recovery code, immediately regenerate recovery codes and re-enable 2FA on a new device. If the thief gets to the codes faster than you, they could in theory sign in once — which is why you should also change your password and run a session-revoke (Settings → Account → Active sessions → Revoke all).
Can a tax advisor use recovery codes for their own access to my account? Tax advisors have their own accounts with their own 2FA setup; your recovery codes don't apply to them. Your account's recovery codes are only for you getting back into your account. The advisor flow is separate; see invite your tax advisor.
Related
- Enable 2FA — the setup that produced your recovery codes
- I can't sign in or password reset — the broader sign-in troubleshooting
- Your GDPR rights as a user — Art. 32 (security) context