Define how admins recover users without weakening account security.

Admin Recovery Flow

Create an administrator recovery process with identity checks, approval logs, reset boundaries, and abuse prevention.

Admin recovery is a security control, not an ad-hoc favor.
Each reset should have identity proof, approval, logging, and a clear end state.
If administrators can bypass the policy too easily, the recovery path becomes the weakest path in the system.

Identity checks

Require evidence that matches the risk level of the account: verified email, known device, manager approval, direct call-back, or an internal identity workflow. The exact checks should be documented before an incident happens.

Approval boundaries

Decide who may approve a reset, whether two-person approval is required, and which accounts are off-limits without executive or security review.

Post-reset cleanup

After a reset, revoke old sessions, require the user to enroll a new factor, and record the reason, approver, and time in a durable audit log.
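The three steps above (identity evidence scaled to account risk, approval boundaries, and post-reset cleanup with a durable audit record) can be enforced in code rather than left to judgment. The following is an added example, not code from the original page; the risk tiers, the policy table, and all names (`ops-alice`, `helpdesk-carol`, and so on) are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Evidence(Enum):
    """Identity proofs the runbook accepts (set is assumed for the example)."""
    VERIFIED_EMAIL = "verified_email"
    KNOWN_DEVICE = "known_device"
    MANAGER_APPROVAL = "manager_approval"
    CALLBACK = "callback"
    IDENTITY_WORKFLOW = "identity_workflow"


# Assumed policy table: what each account tier needs before a reset may run.
# "restricted" models the accounts that are off-limits without security review.
POLICY = {
    "standard":   {"min_evidence": 1, "approvers": 1, "security_review": False},
    "privileged": {"min_evidence": 2, "approvers": 2, "security_review": False},
    "restricted": {"min_evidence": 2, "approvers": 2, "security_review": True},
}


@dataclass
class Account:
    name: str
    tier: str
    sessions: set = field(default_factory=set)   # live session ids
    must_enroll_factor: bool = False             # set after a reset


@dataclass
class ResetRequest:
    account: Account
    requester: str
    reason: str
    evidence: set
    approvals: set = field(default_factory=set)  # distinct approver ids
    security_reviewed: bool = False
    executed: bool = False                       # a request is single-use


class PolicyError(Exception):
    pass


class RecoveryService:
    def __init__(self, executors):
        self.executors = set(executors)  # the short list allowed to run a reset
        self.audit = []                  # append-only record of every step

    def _log(self, event, req, actor):
        self.audit.append({"event": event, "account": req.account.name,
                           "actor": actor, "reason": req.reason,
                           "time": datetime.now(timezone.utc).isoformat()})

    def open_request(self, account, requester, reason, evidence):
        """Identity check: refuse to open a request with too little evidence."""
        need = POLICY[account.tier]["min_evidence"]
        if len(evidence) < need:
            raise PolicyError(f"{account.name}: {need} evidence item(s) required")
        req = ResetRequest(account, requester, reason, set(evidence))
        self._log("opened", req, requester)
        return req

    def approve(self, req, approver):
        """Approval boundary: the requester can never approve their own reset."""
        if approver == req.requester:
            raise PolicyError("requester may not approve their own reset")
        req.approvals.add(approver)
        self._log("approved", req, approver)

    def security_review(self, req, reviewer):
        req.security_reviewed = True
        self._log("security_reviewed", req, reviewer)

    def execute(self, req, executor):
        """Run the reset only when every policy gate is satisfied, then clean up."""
        rule = POLICY[req.account.tier]
        if executor not in self.executors:
            raise PolicyError(f"{executor} may not execute resets")
        if req.executed:
            raise PolicyError("request already used")
        if len(req.approvals) < rule["approvers"]:
            raise PolicyError("not enough approvals")
        if rule["security_review"] and not req.security_reviewed:
            raise PolicyError("security review required")
        # Post-reset cleanup: old sessions die and a new factor must be enrolled.
        req.account.sessions.clear()
        req.account.must_enroll_factor = True
        req.executed = True
        self._log("executed", req, executor)
        return True


if __name__ == "__main__":
    svc = RecoveryService(executors={"ops-alice"})
    acct = Account("bob", "privileged", sessions={"s1", "s2"})
    req = svc.open_request(acct, "helpdesk-carol", "lost phone",
                           {Evidence.VERIFIED_EMAIL, Evidence.CALLBACK})
    svc.approve(req, "mgr-dan")
    svc.approve(req, "sec-erin")
    svc.execute(req, "ops-alice")
    for entry in svc.audit:
        print(entry)
```

The ordering in `execute` matters: the executor allow-list and single-use check come first, so a replayed or unauthorised request fails before any approval counting happens. Because `approvals` is a set, one person approving twice still counts once, which is what two-person approval requires.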

Implementation checklist

  • Create a written runbook for resets.
  • Limit the number of people who can execute emergency recovery.
  • Audit every reset and review the log on a schedule.

Policy cautions

  • A recovery flow that skips identity proof can become an account-takeover path.
  • Do not let support staff improvise when a recovery runbook should already exist.
