
Introduction to recovery

Your hardware key — Touch ID on your laptop, the biometric on your phone, a YubiKey on your keyring — is what unlocks your vault. That is the point: only you, holding the key, can reach your data.

But what happens when you no longer have that key? Everyone asks the question sooner or later, and it deserves a real answer.

For starters, we recommend linking at least two keys, on two different devices. If you lose one, you simply use the other to register a replacement — no crisis, no recovery flow needed. For the rarer case where every key is gone at once, we built a cryptographic recovery scheme paired with live human verification.

Recovery is easier to understand if you walk through one. This page follows a user from the moment she sets things up to the moment she needs to recover — with a realistic example of what the verification call actually sounds like.

Setting up

When Mia signs up for Clavitor, she creates her account with a single Touch ID tap on her laptop. The next screen prompts her to set up recovery. She clicks Generate recovery code and taps her key once more to authorize it — Clavitor never generates a recovery code without that fresh physical tap, so a hostile browser extension or AI agent on her laptop cannot trigger one silently.

The page then shows her a 48-character recovery code, laid out as eight groups of six characters, four groups to a row:

xK4mP9  q7nL3R  t8sV2W  aJ6dF1
hY9gB4  nM5cE7  zP2tQ8  vK3rL6

Below the grid there is a button: I have saved this. Until she clicks it, nothing is finalized — Clavitor holds the paired anchor in a pending slot, ready to activate but not yet live.

Before clicking, Mia emails the code to herself with the subject "Clavitor recovery — don't delete," and prints a copy that goes into the filing cabinet at home. Only then does she click the button. Her piece is now safe with her; Clavitor's paired anchor is now active on the server.

Then she is asked to set her verification material — the thing Clavitor will use to confirm it is her if she ever needs to recover. She picks her public Instagram profile:

https://instagram.com/mia.travels

She has been posting there for six years. Hundreds of photos, dozens of captions, lots of detail. She clicks save, taps her hardware key again to confirm. Done.

Eight months later

Mia is on a trip and leaves her laptop in a taxi. Her only hardware key was the Touch ID sensor built into that laptop. The laptop is gone, the key is gone, and so is the way she normally signs into her vault.

She is not happy, but she is not panicked. She still has her recovery code — printed copy in the filing cabinet at home, emailed copy in her inbox on her phone. And she remembers her verification material.

From her phone, she emails support@clavitor.ai:

> Subject: Need to recover my account
>
> Hi — my account is mia@example.com. I lost the laptop with my hardware key on it yesterday. I have my recovery code. When can we do the recovery call?

A few hours later, support replies with a Zoom link for a slot the next morning.

On the call

Mia joins the Zoom call. An operator at Clavitor confirms her name and account, then says:

> "Could you start by telling me what you set as your verification material?"

> "My Instagram profile — mia.travels."

> "Got it, looking at it now. In your post from your trip to Lisbon two weeks ago — there is a small olive-green leather handbag on the table next to your coffee. Could you bring it up to the camera so I can see it?"

Mia walks over to her suitcase, pulls out the bag, holds it up to her phone's front camera. The operator nods.

> "Good. And the silver bracelet you are wearing in your birthday post — do you have that with you?"

Mia checks her jewelry pouch. The bracelet is there. She holds it up so the camera sees it clearly.

> "Perfect. Reading you the session code now. Write it down."

The operator reads the code aloud. Mia writes it on the back of an envelope.

Back at the browser

Mia opens clavitor.ai/recover on a fresh laptop she has borrowed from her host. She types in:

  • Her email.
  • The session code from the call.
  • Her 48-character recovery code.

She clicks Recover. The page asks her to plug in her new hardware key — she has already bought a replacement YubiKey from a local store — and tap it. It registers. The page says she is back in.

The whole recovery, once the Zoom call started, took about 20 minutes.
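The setup and recovery steps above, as an added example that is not Clavitor's code. Everything beyond what the page states is an assumption: that the "paired anchor" is a salted SHA-256 of the recovery code (the code itself is never stored), that session codes are eight digits read aloud, expire after 30 minutes and allow three entry attempts, and that a successful recovery retires the recovery code that was just typed into a borrowed laptop. Class and function names are illustrative.

```python
"""Recovery-code lifecycle as described on this page: generate on a fresh key
tap, hold the server-side anchor in a pending slot until the user confirms,
then at recovery time require the operator's session code plus the recovery
code before a new hardware key may be registered.

Added example, not Clavitor's code. Assumptions not stated on the page: the
"paired anchor" is a salted SHA-256 of the recovery code; session codes are
eight digits, expire after 30 minutes and allow three attempts; a successful
recovery retires the recovery code that was typed into a borrowed machine.
"""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, ~5.95 bits each
CODE_LEN = 48                                     # ~285 bits of entropy in total
GROUP = 6                                         # eight groups of six, four per row
SESSION_TTL = 30 * 60                             # assumption: seconds a session code stays valid
SESSION_ATTEMPTS = 3                              # assumption: typo budget per call


def generate_recovery_code():
    """Mia's piece: 48 symbols drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))


def display_code(code):
    """Render the code the way the page shows it: groups of six, four per row."""
    groups = [code[i:i + GROUP] for i in range(0, len(code), GROUP)]
    return "\n".join("  ".join(groups[r:r + 4]) for r in range(0, len(groups), 4))


def normalize(entered):
    """A pasted grid carries spaces and newlines; the code itself does not."""
    return "".join(entered.split())


def make_anchor(code):
    """Clavitor's piece (as assumed here): a random salt and a hash. The code is never stored."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + code.encode()).digest()


def anchor_matches(anchor, code):
    """Constant-time comparison against the stored anchor."""
    salt, digest = anchor
    return hmac.compare_digest(hashlib.sha256(salt + code.encode()).digest(), digest)


class RecoveryServer:
    def __init__(self):
        self.pending = {}   # email -> anchor, waiting for "I have saved this"
        self.active = {}    # email -> anchor, live
        self.sessions = {}  # email -> session issued by the operator after the call

    def start_setup(self, email, fresh_key_tap):
        """Refuse unless the tap happened now; a browser extension cannot supply it."""
        if not fresh_key_tap:
            raise PermissionError("recovery code requires a fresh hardware-key tap")
        code = generate_recovery_code()
        self.pending[email] = make_anchor(code)
        return code  # shown to the user exactly once

    def confirm_saved(self, email):
        """The button under the grid: the pending anchor becomes the live one."""
        self.active[email] = self.pending.pop(email)

    def issue_session_code(self, email, now):
        """Operator calls this only after the live verification succeeded."""
        code = "".join(secrets.choice(string.digits) for _ in range(8))
        self.sessions[email] = {"code": code, "expires": now + SESSION_TTL,
                                "attempts": SESSION_ATTEMPTS, "used": False}
        return code  # read aloud on the call

    def recover(self, email, session_code, recovery_code, now):
        """Both factors or nothing. Returns a one-time token that authorizes
        registering a new hardware key, or None."""
        sess = self.sessions.get(email)
        if sess is None or sess["used"] or now > sess["expires"] or sess["attempts"] <= 0:
            return None
        sess["attempts"] -= 1
        session_ok = hmac.compare_digest(sess["code"], session_code)
        anchor = self.active.get(email)
        code_ok = anchor is not None and anchor_matches(anchor, normalize(recovery_code))
        if not (session_ok and code_ok):
            return None  # no hint about which factor failed
        sess["used"] = True
        del self.active[email]  # the typed-in code is spent; a new one is generated after sign-in
        return secrets.token_urlsafe(32)
```

Two design points worth noticing. Neither factor is enough on its own: the session code exists only because a human operator issued it after the live check, and the recovery code is only ever compared against a salted hash, so a database leak does not hand an attacker Mia's piece. And a failed attempt says nothing about which of the two inputs was wrong, so an attacker holding the recovery code learns nothing about the session code from the browser, and vice versa.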

Why this verification worked

Notice how the call started. The operator did not say "show me your Instagram" or "what is your code phrase?" They asked Mia to tell them what she had set up. An attacker holding Mia's recovery code does not know which category to claim — Instagram? A code phrase? A pre-declared item? — and the operator will not hint. Pick the wrong category and the operator says there is no match. Call over.

With the right category in hand, the rest of the call demands what an attacker cannot fake. Mia's Instagram is public. A determined attacker could study her photos for hours and answer dozens of trivia questions about them. We assumed exactly that.

The defense is physical proof of possession. The operator picks specific items visible in the photos and asks Mia to hold them up to the camera, live, on the call. The attacker can see the bag in the photo. The attacker cannot reach in and pull it out.

The operator also reads the whole frame. They ask for the green bag; they also see Mia's three kids running through the kitchen behind her, the painting on the wall, the dog asleep on the couch. Anything in that frame that matches her Instagram is bonus confirmation. The foreground is what we asked for. The background is signal an attacker could not have arranged.

The operator is a human, exercising judgment throughout. Mia is travelling — she does not have every item from every old post with her. The operator works with what she could realistically have on the road: the bag from a recent trip, the jewelry she wears every day. They will not refuse her over a watch she left at home. They will refuse her if she cannot produce anything from the source at all.

To impersonate Mia, an attacker would need:

  • Her recovery code, stolen from wherever she stored it.
  • The knowledge that she chose Instagram as her verification material, and to claim so when asked.
  • Physical possession of items Mia owns — the bags, the jewelry, the souvenirs visible in her photos — to hold up on the call.
  • A live Zoom call with a human picking which items to ask about on the spot.

The operator never commits in advance to which item they will ask about. They pick when they see you on the call, from whatever post catches their eye. Even an attacker who somehow obtained a few of Mia's belongings would trip when the operator asks about something they did not happen to steal.

Your verification material does not have to be Instagram

Mia chose her Instagram because it suited her. Other people pick something completely different. The principle is the same in every case: the verification material has to let the operator demand something only the real you can produce, live on the call.

We deliberately do not ask for a passport, a driver's license, or a birth certificate. Those are easier to forge than your parked car. We ask for the car, not the document.

We also do not ask where your parents met, the brand of your first car, the name of your first pet, or any of the other "security questions" the rest of the industry still leans on. Those are researchable on social media, shared in throwaway quizzes, and leaked in every breach. You decide what we verify against — we never invent a question you have to remember and the internet has the answer to.

Two approaches work:

Physical proof of possession — point us at a source (a public photo album, an unlisted YouTube video, a video tour of your living room) and the operator will pick something from it for you to show. Or pre-declare a specific verifiable fact, like "I drive a Toyota with license plate ABC-123, parked outside my apartment window." On the call, you point your camera out the window and the operator reads the plate. Either way, you bring the actual item, live, turned in your hands or framed in your view — not a photograph. Photos can be screenshotted, edited, or generated. An object turned in your hands on live video, chosen by the operator on the spot, is not something a still image or a pre-recorded clip can stand in for.

Knowledge proof — a code phrase only you would know: a line from a personal poem, a sentence you invented, an inside joke, or just any phrase you will remember and an attacker will not. For the security-minded: a long random string you generated yourself, stored separately from your recovery code, so that whoever finds one does not find both. You recite or paste it on the call. A human listens, not a regex — a shortened first name, a missed accent, a small typo will not trip you up. A different phrase will. And the attacker gets one human-judged attempt per call, not a million guesses per second.

We let you pick because no template fits everyone. Choose what works for your life — and choose with the live-on-call demand in mind.