Last updated 2026-05-28
Account recovery — what to do when you can't log in
Use the matrix below. Each row is independent — combine them as needed.
| What you lost | What to do |
|---|---|
| Password (still have email) | Click Forgot password? on /login. Set a fresh one via the email link. Link expires in 1 hour. |
| TOTP device (still have backup codes) | At the 2FA prompt, paste one of your backup codes instead of the 6-digit code. Each code works once. |
| TOTP device + backup codes | Email your company admin. They can disable 2FA on your account from /admin/employees → your row → Reset 2FA. You'll re-enroll on next login. |
| Email account (you can no longer receive mail) | Contact your admin through any other channel (chat, phone). They can change your account's email at /admin/employees → your row → Edit. |
| Platform-owner account, lost everything | SSH to the VPS and run python scripts/owner_emergency_unlock.py --email <owner@…> --reset-2fa --reset-password --confirm. Dry-runs without --confirm. |
How backup codes work
When you enable 2FA at /me/security, OtiumWork generates 8 single-use recovery codes. They're shown once — print them or store them in your password manager. Each code lets you log in without your TOTP device. After 6 of the 8 are used, regenerate at /me/security.
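The rules above (8 codes, shown once, each usable once, regenerate after 6 are used) can be sketched as follows. This is an added illustration, not OtiumWork's actual code; the code format, the alphabet, the SHA-256 storage and all names are assumptions.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 8          # codes issued when 2FA is enabled (from the article)
REGENERATE_AFTER = 6    # article: regenerate once 6 of the 8 are used
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # assumed: no i/l/o/0/1 look-alikes


def _digest(code: str) -> str:
    # Normalise what the user pasted, then hash. Each code carries about
    # 79 bits of randomness, so an unsalted SHA-256 is assumed sufficient here.
    normalised = code.strip().lower().replace("-", "")
    return hashlib.sha256(normalised.encode()).hexdigest()


def generate_codes():
    """Return (plaintext codes to display once, digests to persist)."""
    codes = []
    for _ in range(CODE_COUNT):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(16))
        codes.append("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
    return codes, {_digest(c) for c in codes}


class BackupCodes:
    """Server-side state for one account: only digests are kept."""

    def __init__(self, digests):
        self.unused = set(digests)
        self.used = 0

    def redeem(self, submitted: str) -> bool:
        candidate = _digest(submitted)
        match = None
        for stored in self.unused:
            # Constant-time comparison of each stored digest.
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self.unused.discard(match)  # single use: replaying the code fails
        self.used += 1
        return True

    def should_regenerate(self) -> bool:
        return self.used >= REGENERATE_AFTER
```

Storing only digests means a database read does not reveal usable codes, which is also why the plaintext can be shown only once.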
Why platform-owner recovery needs SSH
The owner account has 3-factor sign-in (password + TOTP + emailed magic link) on top of 2FA enforcement. That's deliberate, but it also means there's no in-app "reset everything" button, because such a button would be the most valuable credential on the platform. SSH access to the VPS is treated as the root of trust; if you have that, you can run the break-glass script.