Forget authentication and backup codes

From a technical level, I can disable two factor authentication. Remember: I wrote the client area code and have administrative access to the servers running it. So I can change whatever I want whenever I want it.

However, I won’t disable two factor authentication on any account by request.

The point of two factor authentication is that (drumroll please) you have two factors of authentication. The email address / password combination is one, and the two factor device / recovery codes are the second one.

If we would just disable the second factor in response to an email, the security benefit of that second factor would be completely nullified. We would be betraying the trust of our security conscious users by bypassing two factor authentication in that way.

So it’s your responsibility to back up the recovery codes. The method to do that is up to you; just make sure they are stored safely so that you and only you can access them.

If you lose both your recovery codes and your 2FA device, you lose access to your account. Just like how you lose access to your account if you lose both your password and access to your email address.

If you want to read a tale about what happens when support staff bypasses critical security checks, just read what happened to the owner of the Twitter handle “@N”. I have no desire to get a similar story about InfinityFree.

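To make the policy in the post concrete, here is an added example of how a recovery-code second factor is typically implemented on the server side. This is illustration code written for this page, not InfinityFree's client area code; the function and class names (`generate_recovery_codes`, `RecoveryCodeStore`, `second_factor_satisfied`) and the PBKDF2 parameters are assumptions. It shows why support cannot simply "look up" a user's codes: the server keeps only salted hashes, each code is burned on first use, and the second factor is satisfied only by a valid device code or an unused recovery code.

```python
import hashlib
import hmac
import secrets

# Constructed example, not the forum's or InfinityFree's own code.
# Alphabet without visually ambiguous characters (0/o, 1/l/i) so users
# can transcribe backed-up codes reliably.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ITERATIONS = 50_000  # assumed work factor for this illustration


def generate_recovery_codes(count=10, length=10):
    """Return `count` random recovery codes; these are shown to the user once
    and it is the user's job to back them up."""
    return [
        "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        for _ in range(count)
    ]


def _hash_code(code, salt):
    """Derive a salted hash so a leaked database does not hand out working
    second factors."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)


class RecoveryCodeStore:
    """Server-side record for one account: stores hashes only, and each code
    is valid exactly once. Nobody with database access can recover the
    plaintext codes from this object."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self._hashes = {_hash_code(c, self.salt) for c in codes}

    def remaining(self):
        """Number of unused recovery codes left."""
        return len(self._hashes)

    def redeem(self, code):
        """Return True and burn the code if it is valid and unused."""
        digest = _hash_code(code.strip().lower(), self.salt)
        for stored in self._hashes:
            # Constant-time comparison avoids leaking which bytes matched.
            if hmac.compare_digest(stored, digest):
                self._hashes.discard(stored)
                return True
        return False


def second_factor_satisfied(store, totp_valid, recovery_code=None):
    """The second factor is met by a valid device (TOTP) code or by burning
    an unused recovery code. There is deliberately no third path, such as
    a support-driven bypass, which is the policy the post describes."""
    if totp_valid:
        return True
    if recovery_code is not None:
        return store.redeem(recovery_code)
    return False


if __name__ == "__main__":
    codes = generate_recovery_codes()
    store = RecoveryCodeStore(codes)
    print("Back these up now:", codes)
    print("First use of code 0:", second_factor_satisfied(store, False, codes[0]))
    print("Reuse of code 0:   ", second_factor_satisfied(store, False, codes[0]))
    print("Codes remaining:   ", store.remaining())
```

Losing both the device and the backed-up codes leaves no valid input to `second_factor_satisfied`, which is exactly the lockout the post describes; the only way out would be a code path that skips the check, and that path is what the policy refuses to add.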