You must not lose your Rescue Code. It can never be recovered or recreated. You could use SQRL for a lifetime without ever needing your Rescue Code even once, provided you never forget your identity’s password and never need to rekey your SQRL identity. But if you are making a commitment to SQRL, you really should have your identity’s Rescue Code.
But let’s say that you created a SQRL identity in the early days, didn’t take it seriously enough, and lost or misplaced your identity’s Rescue Code. If you don’t know where your printed Rescue Code has gone, it may not be safe to continue using that SQRL identity, since someone might have found its Rescue Code. So…
- First, create a new replacement SQRL identity which you will now take seriously. Print out its identity and Rescue Code and store them in a known safe place.
If a SQRL site supports SQRL’s managed shared access (msa) facility, you can handle the replacement of your old and no longer fully useful SQRL identity yourself:
- Sign in with the old identity you are retiring.
- Go to the site’s SQRL managed shared access page and issue an invitation with “management” rights.
- Sign out of the site with the retiring identity.
- Sign in with your new replacement identity and use the invitation to join your account.
- Use your management rights to delete the old retiring identity. You will be granted ownership of the account at that site.
You will need to do this at every site where you use SQRL that supports managed shared access. It’s not automatic, but it’s guaranteed to work. For sites not offering managed shared access, you will need another solution.
You will need to:
- Sign in to the sites where you need to retire your original identity with the “Request only SQRL sign in” and “Request no account recovery” options turned off. This reduces your security, but it makes all possible forms of account recovery available.
- Contact the site’s administration and use whatever means they may have for replacing a lost or no longer trusted SQRL identity. It is against SQRL policy for sites to change SQRL identities for this reason, since SQRL builds this capability in with its Rescue Code. But, at least in the early days, we expect that if SQRL users can somehow convince a site that they are the authentic site user – perhaps by falling back upon their original username and password and email recovery – then it seems reasonable that a site might be talked into helping.