Browser-only 2FA tool

2FA Recovery Checklist

Build a practical recovery plan for lost phones, missing backup codes, SMS fallback, and hardware keys without entering account names or secrets.

Recovery risk: 84/100 (Critical)

Critical risk. The checklist is sorted by what reduces lockout risk fastest.

SMS (fallback exposure): Some accounts
Keys (spare access): No keys

Recovery plan

Copy this plan into a private vault or export it as a local text file. It intentionally contains no account names or recovery secrets.

2FA recovery plan

Risk score: 84/100 (Critical)
Critical accounts: 10
Authenticator app: One device
Backup codes: Saved somewhere
Hardware keys: No keys
Phone/SMS reliance: Some accounts
Password manager status: Partial

Prioritized checklist:
1. [Do now] Rank the first 5 critical accounts - Put email and identity-provider accounts first, then financial, work, developer, social, and cloud storage accounts.
2. [Next] Add two hardware keys where supported - Enroll one daily key and one spare key for the accounts that guard everything else.
3. [Next] Verify authenticator recovery - Confirm whether your authenticator syncs, exports, or requires old-device transfer. Record the answer in your recovery notes.
4. [Next] Refresh stale backup codes - Regenerate codes for important accounts and replace old copies in your storage location.
5. [Next] Audit SMS fallback - Open security settings for critical accounts and remove text-message fallback where stronger options exist.
6. [Next] Fill password manager recovery gaps - Add recovery notes to every critical account entry without storing raw backup codes in shared or synced places you do not trust.
7. [Keep healthy] Keep one offline recovery copy - Store a printed or sealed copy of the recovery map somewhere physically separate from your main devices.
8. [Keep healthy] Run a recovery drill twice a year - Pick one account and confirm that backup codes, hardware keys, and authenticator recovery instructions still work.
9. [Keep healthy] Remove old factors and devices - After adding stronger recovery paths, remove old phones, unknown devices, and unused app passwords.

Do not store account names, passwords, backup codes, or recovery secrets in this exported plan unless you place the file in a private vault.
Generated locally by https://passlock.to/tools/two-factor-recovery-checklist

Prioritized checklist

1. [Do now] Rank the first 5 critical accounts - Put email and identity-provider accounts first, then financial, work, developer, social, and cloud storage accounts. Account recovery usually chains through your email or identity provider.
2. [Next] Add two hardware keys where supported - Enroll one daily key and one spare key for the accounts that guard everything else. A spare hardware key gives you a phishing-resistant recovery path.
3. [Next] Verify authenticator recovery - Confirm whether your authenticator syncs, exports, or requires old-device transfer. Record the answer in your recovery notes. Phone upgrades are where many 2FA recovery plans quietly break.
4. [Next] Refresh stale backup codes - Regenerate codes for important accounts and replace old copies in your storage location. Old screenshots and notes are easy to confuse with current codes.
5. [Next] Audit SMS fallback - Open security settings for critical accounts and remove text-message fallback where stronger options exist. Partial SMS reliance is easy to forget because it stays hidden until recovery.
6. [Next] Fill password manager recovery gaps - Add recovery notes to every critical account entry without storing raw backup codes in shared or synced places you do not trust. Partial records create false confidence.
7. [Keep healthy] Keep one offline recovery copy - Store a printed or sealed copy of the recovery map somewhere physically separate from your main devices. A local disaster should not erase every path back in.
8. [Keep healthy] Run a recovery drill twice a year - Pick one account and confirm that backup codes, hardware keys, and authenticator recovery instructions still work. Recovery plans decay as phones, numbers, jobs, and devices change.
9. [Keep healthy] Remove old factors and devices - After adding stronger recovery paths, remove old phones, unknown devices, and unused app passwords. Forgotten recovery paths can become the weakest door.

Does this collect secrets?

No. It asks for broad recovery status only. Do not enter account names, backup codes, passwords, or recovery keys.

What should I fix first?

Start with backup codes for email, identity, banking, work, cloud, and password manager accounts.

Are hardware keys worth it?

For critical accounts, two hardware keys give you a strong sign-in method and a spare recovery path.
