Last updated 2026-05-28

2FA — I lost my device

Three paths back in, in order of preference:

1. Use a backup code (fastest)

At the 2FA prompt, paste any one of the 8 backup codes OtiumWork showed you when you enabled 2FA. Each code works once. Format: ABCDE-FGHIJ.

If you kept the codes in a password manager or printed them: great, you're 30 seconds from logged in.

After you're back in:

  • Go to /me/security and regenerate a fresh set of backup codes
  • Set up TOTP on your new device while you're there
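For readers who run a service like this: a sketch of how a server can issue and redeem 8 single-use codes of the ABCDE-FGHIJ shape, added here as an example and not OtiumWork's own code. The A-Z alphabet, the PBKDF2 storage, the record layout and all function names are assumptions.

```python
import hashlib
import hmac
import re
import secrets
import string

ALPHABET = string.ascii_uppercase      # assumption: the page only shows the 5-5 shape
CODE_RE = re.compile(r"[A-Z]{5}-[A-Z]{5}")
CODE_COUNT = 8                         # the page says 8 codes per set
PBKDF2_ROUNDS = 100_000                # slow hash: codes are short, so store no fast hash

def normalize(raw):
    """Accept pasted input (spaces, lowercase, missing dash); return ABCDE-FGHIJ or None."""
    body = re.sub(r"[\s-]", "", raw).upper()
    code = body[:5] + "-" + body[5:]
    return code if CODE_RE.fullmatch(code) else None

def _digest(code, salt):
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)

def enroll():
    """Create a fresh set. Returns (codes shown to the user once, record to store).
    Storing the new record in place of the old one invalidates every earlier code."""
    salt = secrets.token_bytes(16)
    codes = []
    for _ in range(CODE_COUNT):
        body = "".join(secrets.choice(ALPHABET) for _ in range(10))
        codes.append(body[:5] + "-" + body[5:])
    return codes, {"salt": salt, "unused": [_digest(c, salt) for c in codes]}

def redeem(record, raw):
    """True exactly once per valid code; the matching digest is deleted on success.
    A real login path also needs attempt rate limiting around this call."""
    code = normalize(raw)
    if code is None:
        return False
    candidate = _digest(code, record["salt"])
    hit = None
    for i, stored in enumerate(record["unused"]):
        # constant-time compare, and no early exit, so timing does not leak the position
        if hmac.compare_digest(stored, candidate):
            hit = i
    if hit is None:
        return False
    del record["unused"][hit]          # burn the code: each one works once
    return True

if __name__ == "__main__":
    shown, stored = enroll()
    print(shown[0], redeem(stored, shown[0]), redeem(stored, shown[0]))
```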

2. Ask your admin to reset 2FA

If you've used up all backup codes (or never saved them), email your company admin. They can clear your 2FA at /admin/employees → your row → Reset 2FA.

You'll then log in with just your password, and OtiumWork will walk you through fresh enrollment.

3. Platform-owner: SSH break-glass

For the platform-owner account (whoever's on OPS_ACCESS_EMAILS), neither path 1 nor 2 applies — the admin who'd reset 2FA is you. SSH to the VPS and:

cd /opt/timeopt
.venv/bin/python scripts/owner_emergency_unlock.py \
    --email <your-owner-email> --reset-2fa --confirm

Without --confirm, the script only does a dry run. After running it, log in with your existing password. The owner-2FA enforcement middleware will immediately redirect you to /me/security to re-enroll.

Preventing the next time

  • Save backup codes in 2 places: password manager + printed copy in a locked drawer.
  • Enable TOTP on your password manager (1Password, Bitwarden, etc.) — that way "device loss" only happens if you lose your manager too.
  • Tell at least one trusted person (co-founder, spouse) where the backup codes live.
