Emergency Kit & Recovery
How to back up your Locked Vault recovery key and restore access on a new device.
What is your emergency kit?
When you create your first Locked Vault, FactorCat generates a master key on your phone. This key encrypts everything in your Locked Vaults — FactorCat’s servers never see it.
During setup, the app shows your master key in two forms:
- Recovery phrase — 12 easy-to-read words (based on the BIP39 standard)
- QR code — a scannable image encoding the same key
These are your emergency kit. If you lose your phone, this is the only way to recover your Locked Vault factors on a new device.
Your first safety net: OS backup
Your master key is stored in your phone’s secure keychain. On iOS, iCloud Keychain typically syncs this automatically. On Android, Google’s encrypted backup includes it by default. If you restore to a new device, your Locked Vaults will likely recover without any action on your part.
However, OS backup behavior varies by device, settings, and platform — FactorCat does not control or guarantee it. Don’t rely on it as your only backup.
Your reliable backup: save your recovery key
Your recovery phrase and QR code are the backup you fully control. Save at least one copy somewhere safe:
- Write down the 12 words on paper and store it securely (a safe, a lockbox, wherever you keep important documents)
- Photograph or screenshot the QR code and keep the image somewhere you control — not in a cloud photo library that others might access
- Do both for redundancy — the words and QR encode the same key
You can view your recovery key again at any time: open the FactorCat app, go to Settings > Security > Show Master Key.
Without either OS backup or your saved recovery key, your Locked Vault data is permanently irrecoverable. Locked Vaults use zero-trust encryption — your key exists only on your device and in your backup. FactorCat never had your master key, so there is no reset, no override, and no backdoor. This is the cost of zero-trust security, and it’s typical of most phone-based authenticators.
How to recover on a new device
If you lose your phone, replace it, or need to set up FactorCat on a fresh device:
- Install FactorCat on your new device from the App Store or Google Play
- Sign in to your account — use any method you signed up with (Google, Apple, email, or scan a pairing QR from your browser)
- The app detects your Locked Vaults and shows a recovery screen asking for your master key
- Enter your 12-word recovery phrase or scan your recovery QR code — the app verifies the key matches your vaults
- Your Locked Vaults are restored — all factors are accessible again
Your Cloud Vault factors are available as soon as you sign in, with no recovery key needed. Only Locked Vaults require the recovery step.
Important: recover before creating new Locked Vaults
If you skip the recovery screen and create a new Locked Vault instead, the app generates a new master key for that vault. Your new key cannot decrypt your previous Locked Vaults — they use different encryption keys.
Always restore your existing master key first if you have Locked Vaults on your account. The app will prompt you to do this automatically when you sign in.
If you still have your old device
If your old phone still works (even with a cracked screen or bad battery):
- Open FactorCat on the old device
- Go to Settings > Security > Show Master Key
- Confirm on your device
- Write down the 12 words or scan the QR with your new device
This works even without an internet connection — the master key is stored locally on the device.
I don't have my recovery key
If you never saved your recovery phrase or QR code, and you no longer have access to any device with your master key:
- Your Locked Vault factors cannot be recovered. FactorCat uses zero-knowledge encryption — we never have access to your master key. There is no reset, no override, and no backdoor.
- Your Cloud Vault factors are unaffected. Anything stored in a Cloud Vault is available as soon as you sign in on any device.
- You can still use FactorCat. Sign in on your new device, skip the recovery prompt, and continue using Cloud Vaults. You can create new Locked Vaults going forward — they will use a new master key.
To re-enable MFA on accounts whose factors were in a lost Locked Vault, you’ll need to go through each service’s account recovery process and set up new factors.
Avoiding this in the future
- Open Settings > Security > Show Master Key and save your recovery phrase now, before you need it
- Store your backup somewhere you’ll still have access to even if your phone is lost or destroyed
- Consider keeping your most critical accounts in a Cloud Vault (which recovers automatically) and reserving Locked Vaults for accounts where you specifically want zero-knowledge encryption
Cloud Vault vs Locked Vault recovery
| Cloud Vault | Locked Vault | |
|---|---|---|
| Recovery on new device | Automatic on sign-in | OS backup likely restores automatically; recovery phrase/QR as reliable fallback |
| FactorCat can help recover | Yes — keys are cloud-managed | No — zero-knowledge encryption |
| Phone loss impact | None — sign in and factors are there | Depends on OS backup + saved recovery key |
| No backup at all | Still recoverable | Permanently irrecoverable |
| Best for | Most accounts, convenience | High-security accounts, zero-trust |
Not sure which to use? Start with Cloud Vault — it’s secure, convenient, and recovers automatically. Move high-value accounts to a Locked Vault when you’re comfortable with the recovery model. Learn more about vault types on our security page.
What about server-side backups?
FactorCat also backs up your encrypted data daily — vault encryption keys, encrypted secrets, and all account data — with immutable, tamper-proof storage on a separate cloud provider. But for Locked Vaults, these backups protect the encrypted blobs only. Without your recovery key, the backed-up data is unreadable — by us and by anyone else. That’s the point of zero-trust encryption.
Server-side backups protect against infrastructure failures. Your recovery key protects against losing your phone. You need both. Learn about our backup infrastructure →