Recovery Phrase
UniAuth supports BIP-39 mnemonic recovery phrases as a secure, offline method for account recovery. Unlike email-based resets or backup codes, a recovery phrase gives you full sovereignty over your account — no third-party service required.
What is a Recovery Phrase?
A recovery phrase (also known as a seed phrase or mnemonic) is an ordered list of common English words selected from the BIP-39 wordlist (2,048 words). These words encode a cryptographic secret that can be used to prove ownership of your account and reset your password.
The phrase is generated entirely on the server using a cryptographically secure random number generator. It is shown to you once during setup and is never stored — only a derived hash is kept for verification.
Security Levels
UniAuth offers two security levels for recovery phrases:
| Level | Words | Entropy | Use Case |
|---|---|---|---|
| Standard | 12 words | 128-bit | Suitable for most users. Provides strong security against classical computing attacks. |
| Post-Quantum Safe | 24 words | 256-bit | Recommended for high-security accounts. Resistant to both classical and quantum computing attacks. |
The 24-word option provides 256-bit entropy, which exceeds the security margin needed to resist Grover's algorithm on a future quantum computer (which effectively halves symmetric key strength).
Optional Extra Passphrase
During setup, you may optionally provide an extra passphrase (sometimes called the "13th word" or "25th word"). This passphrase is mixed into the seed derivation process, adding an additional layer of security:
- Even if someone obtains your word list, they cannot recover your account without the passphrase.
- The passphrase is never stored anywhere — you must remember it.
- If you set a passphrase during setup, you must provide the exact same passphrase during recovery.
- There is no way to recover a forgotten passphrase.
Setting Up a Recovery Phrase
- Navigate to Account > Security > Recovery Phrase.
- Click Generate Recovery Phrase.
- Select your security level: 12 words (standard) or 24 words (post-quantum safe).
- Optionally enter an extra passphrase.
- Your recovery phrase is displayed. Write it down on paper immediately.
- Confirm by entering the phrase back to verify you recorded it correctly.
- Your recovery phrase is now active. The original phrase is discarded from server memory.
Security Best Practices
Critical Security Rules
- Write it on paper. Physical copies cannot be hacked remotely.
- Store it offline. Never save it in a notes app, cloud storage, email, or password manager.
- Never share it. UniAuth support will never ask for your recovery phrase.
- Never screenshot it. Screenshots can be synced to cloud services or accessed by malware.
- Store copies in separate secure locations. Consider a fireproof safe or safety deposit box.
- Keep the word order. The sequence matters — a shuffled phrase will not work.
Recovering Your Account
If you lose access to your account, follow these steps:
- Go to the login page and click Forgot Password.
- Select the Recovery Phrase tab.
- Enter your email address.
- Enter your recovery phrase words in the correct order.
- If you set an extra passphrase during setup, enter it in the passphrase field.
- Choose a new password that meets the strength requirements.
- Submit. If the phrase and passphrase are correct, your password is reset and you are logged in.
Technical Details
The recovery phrase system uses industry-standard cryptographic primitives:
Seed Derivation
The mnemonic words and optional passphrase are combined using PBKDF2-HMAC-SHA512 with 2,048 iterations, following the BIP-39 specification:
```
seed = PBKDF2(
    password: mnemonic_words (space-separated, normalized to NFKD),
    salt: "mnemonic" + passphrase,
    iterations: 2048,
    hash: SHA-512,
    keyLength: 64 bytes
)
```
Storage
The derived seed is hashed with SHA-512 before storage. Only this hash is persisted in the database. The recovery phrase itself, the passphrase, and the intermediate seed are never stored and are discarded from memory after setup.
```
stored_hash = SHA-512(seed)
// The phrase and seed are zeroed from memory after hashing
```
Verification
During recovery, the same PBKDF2 derivation is performed with the submitted phrase and passphrase. The resulting seed is hashed with SHA-512 and compared against the stored hash. If they match, the user is authenticated and can set a new password.
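The derivation, storage and verification steps above, as an added Python example that is not UniAuth's code. `mnemonic_indices`, `derive_seed`, `enroll` and `verify` are hypothetical names; the constant-time comparison is an implementation choice, the 2,048-word list is not embedded (word indices are returned instead), and the example also covers the 12-word and 24-word entropy-to-word mapping from the Security Levels table.

```python
import hashlib
import hmac
import unicodedata

# Added example: the derivation, storage and verification steps described above.
# derive_seed / enroll / verify / mnemonic_indices are hypothetical names, not
# UniAuth's own API; the constants are those the page gives for BIP-39.

def mnemonic_indices(entropy: bytes) -> list[int]:
    """Map 16 or 32 CSPRNG bytes to 12 or 24 BIP-39 word indices (0..2047)."""
    if len(entropy) not in (16, 32):
        raise ValueError("entropy must be 128 bits (12 words) or 256 bits (24 words)")
    cs_bits = len(entropy) * 8 // 32                 # checksum: 4 bits or 8 bits
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = len(entropy) * 8 + cs_bits               # 132 or 264 bits, 11 per word
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]

def derive_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase."""
    # NFKD normalization makes composed and decomposed accents derive the same seed.
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split())).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)

def enroll(mnemonic: str, passphrase: str = "") -> str:
    """Setup: persist only SHA-512(seed); phrase, passphrase and seed are dropped."""
    seed = bytearray(derive_seed(mnemonic, passphrase))
    stored_hash = hashlib.sha512(seed).hexdigest()
    seed[:] = bytes(len(seed))   # best-effort zeroing of the intermediate seed
    return stored_hash

def verify(stored_hash: str, mnemonic: str, passphrase: str = "") -> bool:
    """Recovery: re-derive, re-hash, and compare in constant time."""
    candidate = hashlib.sha512(derive_seed(mnemonic, passphrase)).hexdigest()
    # compare_digest does not leak how many leading characters matched via timing.
    return hmac.compare_digest(stored_hash, candidate)

if __name__ == "__main__":
    # Constructed demo: all-zero entropy is the published BIP-39 test vector whose
    # mnemonic is eleven times word 0 ("abandon") followed by word 3 ("about").
    print(mnemonic_indices(bytes(16)))              # [0, 0, ..., 0, 3]
    phrase = "abandon " * 11 + "about"
    record = enroll(phrase, "correct horse")
    print(verify(record, phrase, "correct horse"))  # True
    print(verify(record, phrase, ""))               # False: passphrase required
    print(verify(record, "about " + "abandon " * 11, "correct horse"))  # False: order
```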
Recovery Methods Compared
| Feature | Recovery Phrase | Backup Codes | Email Reset |
|---|---|---|---|
| Offline recovery | Yes | Yes | No |
| Reusable | Yes (unlimited) | No (single use each) | Yes |
| Works without email access | Yes | Yes | No |
| Post-quantum option | Yes (24 words) | No | No |
| Extra passphrase layer | Yes | No | No |
| Ease of use | Moderate | Easy | Easiest |
For maximum security, enable both a recovery phrase and backup codes. Use the recovery phrase as your primary offline recovery method, and keep backup codes as a fallback for 2FA bypass scenarios.