Account recovery

inboxy uses passkey + TOTP for sign-in (no passwords). Recovery falls back to recovery codes — 10 single-use codes you save at signup.

Recovery codes

• Generated on signup, shown once.
• 10 codes, each usable once. Each consumes one slot when used.
• When you have ≤ 3 codes left we email you a reminder.
• You can regenerate the set at any time from Account → Security (lands in v0.3a) — doing so invalidates the old set.

Store them somewhere outside the browser that holds the passkey. A password manager is fine. A paper printout in a desk drawer is fine. The "Notes" app on the same device as the passkey is not fine.

Lost passkey, have TOTP + recovery code

Use a recovery code at sign-in, then re-register a passkey from Account → Security.

Lost TOTP, have passkey + recovery code

Use a recovery code at sign-in, then re-enrol TOTP from Account → Security.

Lost both, have recovery codes

Sign in with a recovery code. Re-register both factors.

Lost everything

There is no support backdoor. If you have lost your passkey, your TOTP, and all 10 recovery codes, your account is unrecoverable.

This is a security feature, not an oversight. We do not hold a "reset by email" capability — if we could, an attacker who SIM-swapped your phone could too.

What we can do, on receipt of an Article 17 erasure request sent from your personal_email of record:

• Permanently retire all your @inboxy.net addresses (no future user can re-mint them).
• Hard-delete your account row, messages, attachments, and audit-log entries (subject to ODPA retention requirements).

Email support@inboxy.net from the address on file. We will verify by checking the personal_email matches; we will not accept "I'm locked out, please reset" requests from any other address.

Best-practice setup

• Passkey on your primary device (phone or laptop with a hardware enclave).
• TOTP in an authenticator app on a different device.
• Recovery codes printed out and stored physically.