This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Cold sweat: recovery codes didn't work!

  • 5 svar
  • 2 har dette problemet
  • 1 view
  • Siste svar av cor-el

more options

Hi there,

I just started a seldom-used FF profile to have it synced (you lose FF sync connection if you don't log in within 2 months, I think…). I set up my account for decent security: 2FA, wrote down the recovery key and recovery codes.

As I changed the password recently (didn't re-generate said recovery strings), I expected the disconnected state, all right. So I proceed on entering my new password, and out of curiosity, decide to make as if I didn't have the 2nd factor on hand

The Firefox Sync dialog page now asks me for a "Recovery code" that's 10 digits long. To my great surprise, none of those I saved when first setting up the account worked! I know I didn't use any of them.

More, the terminology had me confused: when is a recovery key used vs. code? Both files contain "Recovery codes" in their name, besides, a "digit" is: "1 any of the numerals from 0 to 9, especially when forming part of a number." Nowhere in Firefox Sync a string of 10 "digits" generated: the "recovery key" is 32 character long, in 8 sets of 4 characters, and the "recovery codes", as I understood it, 10 "character" long (and there are 8 of them), number and letters, so not digits.

Why none of my codes worked? Would have it been necessary to generate a new set after changing password?

Hi there, I just started a seldom-used FF profile to have it synced (you lose FF sync connection if you don't log in within 2 months, I think…). I set up my account for decent security: 2FA, wrote down the recovery '''''key''''' and recovery '''''codes'''''. As I changed the password recently (didn't re-generate said recovery strings), I expected the disconnected state, all right. So I proceed on entering my new password, and out of curiosity, decide to make as if I didn't have the 2nd factor on hand The Firefox Sync dialog page now asks me for a "Recovery code" that's 10 ''digits'' long. To my great surprise, none of those I saved when first setting up the account worked! I know I didn't use any of them. More, the terminology had me confused: when is a recovery '''''key''''' used vs. '''''code'''''? Both files contain "Recovery codes" in their name, besides, a "digit" is: "1 any of the numerals from 0 to 9, especially when forming part of a number." Nowhere in Firefox Sync a string of 10 "digits" generated: the "recovery key" is 32 character long, in 8 sets of 4 characters, and the "recovery codes", as I understood it, 10 "character" long (and there are 8 of them), number '''and''' letters, so not digits. Why none of my codes worked? Would have it been necessary to generate a new set after changing password?

All Replies (5)

more options

You use the 32 character recovery key when you reset the password to prevent losing data stored on the Sync server.

You use a 10 byte recovery code if you use 2FA and do not have access to your authenticator app to generate the 6 byte TOTP code. Note that you still need 2FA access, either via the app or via a recovery code, if you want to reset the password and use 2FA.

more options

I think I understand despite the even more confusing usage explanation: now a digit is the same as a character is the same as a byte. However i learnt that a character (number, letter or symbol), at least in UTF8, is represented on 8 bits i.e. one byte, so the recovery codes consists of strings of 10 characters each, or 80 bytes, while FF Sync server asks for 10 digits as if it were a bank card NIP.

Now the TOTP code is supposed to be 6 bytes long, i.e. 48 bits, which is correct, but still referred to by FF Sync as digits and properly describes what the user will see on his/her TOTP-generating app or token.

Confusing, isn't it?

But still, why none of my codes worked? Would have it been necessary to generate a new set after changing password? If not, this is rather worrisome.

more options

Byte is the same as a character in this context as only normal 8 bit ASCII is used for the recovery key and recovery codes :wink:

more options

…Agreed but the FF sync login page refers to "digits", and "character" or "byte" are nowhere to be found.

In any case, was it necessary to re-generate recovery codes after changing password? That would defeat the purpose of recovery codes IMHO.

more options

The TOTP code is six digits, but the recovery key and 2FA recovery codes can include alphanumeric characters as well. I don't think it is worth the time and effort to discuss how to word those character strings, but to concentrate on the issue you reported if this is still not fixed.