I had enabled 2FA on my InfinityFree account using Google Authenticator.
Unfortunately, I deleted the app and also lost my recovery codes.
Now I cannot log in to my account.
My InfinityFree account email: REMOVED
Please help me disable 2FA or recover access to my account.
Thank you.
sensitive detail exposed
Like I wrote in response to your email:
I’m sorry, but we cannot help you with this.
If you have setup two-factor authentication on your members area profile, you will need a 6 digit code to login to your account in addition to the password. Those codes can be generated by an authenticator app of your choice, like Authy or Google Authenticator. We recommend using an app that has cloud backup or synchronization features so the loss of a device will not result in the loss of your 2FA code generator.
Should you lose your authenticator app, we provide recovery codes you can use instead when setting up two-factor authentication. We recommend you store these recovery codes safely, meaning in a place where you can always access them but nobody else can. Password managers are usually a good option for this.
If you lose both your authenticator app and recovery codes, then you will not be able to login to your account.
There are no other recovery options. We do not have any way to reliably and safely authenticate you as the account owner. We do not consider email to be secure enough (because email is already part of the first factor of authentication), and we do not have any other information for you we can use to authenticate you.
Because of that, we cannot disable two-factor authentication when requested through email.
The security of the websites we host is of the utmost importance to us. Because of that, we can only give people access if we are absolutely sure that we are dealing with the account owner. If we do not have this absolute certainty, we cannot provide any assistance.
Do you have your 2FA code backed up by a Google account? To my knowledge, if you chose to turn on Google Account backup, you can log into the same Google Account to get the code back with the Google Authenticator app.
If not, then I have no other good news to share. Sorry to hear your account is locked out, but there is no other way to grant access.
Hello Admin,
Thank you for your response.
I understand that 2FA cannot be disabled without authentication through the authenticator app or recovery codes. However, I kindly request you to verify my ownership through my registered email address, if possible.
If email verification is not acceptable according to your policy, then please permanently delete my hosting account associated with this email: REMOVED
I would like to use the same email address to create a new InfinityFree hosting account later.
Thank you for your understanding and assistance.
No, I don’t have any backup. I accidentally uninstalled my Google Authenticator app, and it didn’t have cloud backup enabled. I also lost the recovery codes that I received from InfinityFree.
Please re-read this section:
Since we’re unable to verify you, we can’t delete accounts as well.
Again, I already responded to your email confirming that, as I wrote in my first message: “there is nothing we can do to help you” really means that there is nothing we can do to help you.
You enabled 2FA on your account to provide an additional layer of security in addition to your email address and password. As with any security measure ever: while it makes it harder for an attacker to break in, it also increases the risk of locking yourself out.
Using email to bypass 2FA undermines the security of the whole system, because now an attacker who has access to your email account is able to impersonate you and gain access to your client area profile, which would not have been possible otherwise.
Hello Admin,
Thank you for your previous replies.
I have lost access to my Google Authenticator (I accidentally uninstalled the app) and I no longer have the recovery codes. Because of that I cannot access my account.
Please, I kindly ask you to do one of the following:
If you need to verify anything with me first, you may inquire about any information you consider necessary. For example, you can tell me how many hosting accounts are currently registered with this email and what their subdomains are — I will respond and cooperate with any reasonable verification steps.
Please let me know what you can do and confirm when the requested action is completed.
Thank you for your time and assistance.
Was this not clear enough to you?
Without an unused backup code there is nothing that can be done. Admin can not restore access to your account, or delete your account for you. I understand this is a frustrating situation, but asking for the same thing multiple times will not change the outcome.
If you have the FTP credentials for your individual hosting account(s) you can back them up so you at least still have their files. Your old client area account can not be restored.
This is the fifth time and last time I’m telling you this: I cannot help you.
Unless the information you can share happens to include an unused backup code, I cannot help you.
Is that not clear yet to you? Or are you hoping that by just asking the same question over and over again, you’ll get an answer you’ll like eventually?
The security of accounts hosted with us is very important to us. We do not want to run the risk of giving a third party access to your account through a social engineering attack. And so giving access to accounts based on the knowledge of some circumstantial data regarding the account is nowhere near sufficient proof of ownership of the account, there are many ways in which you might know such facts without ever having had access to the profile.
This is our policy. You can argue its merits, but that does not entitle you to an exception.
Also, I would like to remind you that this is a public forum, and anything you share here is visible for the world to see.
Most people don’t want to share their email address publicly. For that reason, I have removed your email address from every post you’ve shared here so far. I’m not going to do that again. If you don’t care to keep your email address private, then you go ahead and share it again.
And to be very clear: nobody here needs to know your email address. I can find it from the email, and nobody else here can actually do anything with it. It doesn’t help your case that we should do anything, and it doesn’t help us do anything if we wanted to.