Account recovery for organizations
Know the five ways your users get back in when a credential is lost — and what to tell them before they lose anything.
The five recovery paths
Recovery is layered so that losing one credential never means losing the account — and so that no single weak path undermines the rest.
| Path | When it applies |
|---|---|
| Email | Password lost; mailbox still accessible. A reset link or one-time code is sent to the account email. |
| Recovery codes | MFA factor lost. One-time codes issued at enrollment; each code works once. Stored only as salted PBKDF2 hashes — The Quantum Club cannot read them back. |
| Passkey | Password and MFA lost, but a registered passkey survives on a device. Signing in with the passkey restores access directly. |
| SSO | The account belongs to an SSO-connected organization. Access follows the identity provider; recover there, not here. See SSO. |
| Human concierge | Everything else is lost. A verified human-review process, deliberately the slowest path. |
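The recovery-code row above describes two properties worth seeing in code: codes are stored only as salted PBKDF2 hashes, and each code is consumed on first use. The block below is an added illustration, not The Quantum Club's implementation; the code format, iteration count and in-memory record store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Example parameters (assumptions for this illustration, not the product's real values).
CODE_COUNT = 10           # codes issued at enrollment
CODE_BYTES = 5            # 40 bits of randomness per code -> 10 hex characters
SALT_BYTES = 16
# Kept low so the example runs quickly; OWASP's current guidance for
# PBKDF2-HMAC-SHA256 is 600,000 iterations.
PBKDF2_ITERATIONS = 100_000


def _hash_code(code: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a normalized code (uppercase, separators removed)."""
    normalized = code.replace("-", "").replace(" ", "").upper().encode()
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, PBKDF2_ITERATIONS)


def issue_recovery_codes(count: int = CODE_COUNT):
    """Return (plaintext codes to display once, records to persist).

    Only the records are stored. The plaintext list is shown to the user a
    single time and then discarded, so the service can verify a code but
    never read one back.
    """
    plaintext, records = [], []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES).upper()   # 10 hex characters
        code = f"{raw[:5]}-{raw[5:]}"                  # e.g. 3F9A1-C0D4E (constructed format)
        salt = secrets.token_bytes(SALT_BYTES)         # per-code salt
        records.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
        plaintext.append(code)
    return plaintext, records


def redeem_recovery_code(records, candidate: str) -> bool:
    """Consume one unused code; return True on success.

    Every record is hashed and compared, even after a match, so the amount of
    work does not reveal which slot (if any) the candidate hit.
    """
    matched = None
    for rec in records:
        digest = _hash_code(candidate, rec["salt"])
        if hmac.compare_digest(digest, rec["hash"]) and not rec["used"]:
            matched = rec
    if matched is None:
        return False
    matched["used"] = True   # one-time: a second redemption of this code fails
    return True
```

A real deployment would persist the records in the account store and wrap redemption in a transaction so two concurrent requests cannot both consume the same code; the single-use flag here stands in for that.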
Concierge verification
The concierge path never takes a caller's word for identity. Before a recovery link is issued, the reviewer must confirm at least two of five independent checks:
- Government-issued ID
- Account-knowledge questions
- A vouch from an existing organization admin
- Email domain match with the organization
- A confirmed phone number on file
The two-of-five threshold is enforced server-side; a single sympathetic support interaction cannot restore an account.
Social-engineering attacks target recovery flows precisely because they bypass strong sign-in. The concierge checklist exists to make "I lost everything, please let me in" a verifiable claim, not a persuasive one.
Anti-enumeration
Recovery endpoints return identical responses whether or not an email address has an account. An attacker probing the recovery flow learns nothing about which addresses belong to The Quantum Club. Tell your users not to read meaning into a generic confirmation message — it is generic on purpose.
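To make the anti-enumeration property concrete, here is an added example (not The Quantum Club's code) of a leaky recovery handler beside a hardened one, plus the regression check a defender would keep in the test suite. The account directory, the outbox that stands in for the mail queue and the response wording are all constructed for the example.

```python
import secrets

# Constructed directory of enrolled addresses (example data, not real users).
ACCOUNTS = {"alice@example.org", "bob@example.org"}

# Stands in for the asynchronous email-sending queue.
OUTBOX = []

# One response body, used for every request regardless of lookup result.
GENERIC_RESPONSE = {
    "status": 200,
    "message": "If that address has an account, a recovery email is on its way.",
}


def request_reset_leaky(email: str) -> dict:
    """Anti-pattern: status code and message reveal whether the address is enrolled."""
    if email not in ACCOUNTS:
        return {"status": 404, "message": "No account for that address."}
    OUTBOX.append({"to": email, "token": secrets.token_urlsafe(32)})
    return {"status": 200, "message": "Reset email sent."}


def request_reset(email: str) -> dict:
    """Hardened: identical status and body for known and unknown addresses.

    The only difference between the two branches is whether a message is
    queued, and that happens off the response path. A token is generated in
    both branches so the work done does not depend on the lookup result.
    """
    normalized = email.strip().lower()
    token = secrets.token_urlsafe(32)
    if normalized in ACCOUNTS:
        OUTBOX.append({"to": normalized, "token": token})
    # Unknown address: the token is simply dropped; nothing is sent and
    # nothing different is returned.
    return dict(GENERIC_RESPONSE)


def responses_differ(handler, known_email: str, unknown_email: str) -> bool:
    """Defender's regression check: True if the handler's reply leaks account existence."""
    return handler(known_email) != handler(unknown_email)
```

The same check belongs on every recovery entry point the page lists, not only the email path: a passkey or recovery-code prompt that behaves differently for unknown accounts leaks the same bit.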
What to tell your users
Save recovery codes at enrollment
The codes are shown once. Users should store them in a password manager immediately — they cannot be re-displayed, only regenerated.
Register a passkey on a second device
A passkey on a phone plus one on a laptop means a single lost device is an inconvenience, not an incident.
Know who your admin vouchers are
For the concierge path, an admin vouch is one of the five checks. Decide in advance which admins are authorized to vouch, and verify out-of-band before vouching.
SSO users recover at the identity provider
If your tenant uses SSO, account recovery is your IdP's process. Do not expect The Quantum Club to override a suspended IdP identity.
Properties worth knowing
- Recovery sessions are short-lived and single-use; a recovery link that has been consumed cannot be replayed.
- Concierge-issued links have a slightly longer validity window to accommodate the human handoff, but remain one-time.
- Repeated recovery attempts are rate limited and feed the platform's anomaly detection, which watches for recovery-flow abuse.
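The concierge section says the two-of-five threshold is enforced server-side, and the properties list says recovery links are short-lived, single-use, and slightly longer-lived when concierge-issued. The block below is an added example covering both, not The Quantum Club's implementation: the validity windows, the in-memory link store and the check identifiers are assumptions chosen for the illustration.

```python
import hashlib
import secrets
import time
from typing import Dict, Iterable, Optional

# The five independent concierge checks named on the page (identifiers are ours).
CONCIERGE_CHECKS = frozenset({
    "government_id",
    "account_knowledge",
    "admin_vouch",
    "email_domain_match",
    "phone_on_file",
})
CONCIERGE_THRESHOLD = 2

# Validity windows are assumptions for the example, not the product's real values.
TTL_SECONDS = {"self_service": 15 * 60, "concierge": 60 * 60}

# Outstanding links keyed by SHA-256 of the token, so a dump of this store
# does not yield a usable link.
_LINKS: Dict[str, dict] = {}


def concierge_ready(confirmed_checks: Iterable[str]) -> bool:
    """True only if at least two distinct, recognized checks were confirmed.

    Duplicates collapse to one, and an unrecognized check name does not count:
    a reviewer cannot reach the threshold by inventing a sixth check.
    """
    checks = set(confirmed_checks)
    return checks <= CONCIERGE_CHECKS and len(checks) >= CONCIERGE_THRESHOLD


def _issue_link(account: str, path: str, now: Optional[float]) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _LINKS[hashlib.sha256(token.encode()).hexdigest()] = {
        "account": account,
        "path": path,
        "expires": now + TTL_SECONDS[path],
        "used": False,
    }
    return token


def issue_self_service_link(account: str, now: Optional[float] = None) -> str:
    """Link for the email path: short window, single use."""
    return _issue_link(account, "self_service", now)


def issue_concierge_link(account: str, confirmed_checks: Iterable[str],
                         now: Optional[float] = None) -> str:
    """Link for the concierge path: longer window for the human handoff, still single use.

    The threshold decision lives here, on the server, so a support interaction
    cannot bypass it.
    """
    if not concierge_ready(confirmed_checks):
        raise PermissionError("fewer than two recognized concierge checks confirmed")
    return _issue_link(account, "concierge", now)


def consume_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the account a link restores, or None if unknown, expired or already used.

    The record is marked used before the account is returned, so a second
    presentation of the same link (a replay) fails.
    """
    now = time.time() if now is None else now
    rec = _LINKS.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True
    return rec["account"]
```

The `now` parameter exists so expiry can be exercised deterministically; in production the clock comes from the server, never from the request. Rate limiting and the anomaly-detection feed mentioned in the last bullet sit in front of these functions and are not shown.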
You should now be able to list all five recovery paths and explain the two-of-five concierge checklist, and your users should know to save recovery codes and register a second passkey before they need them.