Recovery Phrase

Your ultimate backup key - a 24-word phrase that can restore access to your account if you lose everything else. Kept offline, and secure under current cryptographic standards.

What is a Recovery Phrase?

A recovery phrase is your ultimate backup key - a unique sequence of 24 words that can restore full access to your account, even if you lose:

  • Your password (forgotten or compromised)

  • All your passkeys (lost devices or hardware keys)

  • Phone access (stolen, broken, or lost)

It uses HMAC-SHA256 cryptography with a zero-knowledge architecture - we never see or store your phrase.

Example Recovery Phrase

24 words from a standardized list

1. abandon
2. ability
3. able
4. about
5. above
6. absent
7. absorb
8. abstract
9. absurd
10. abuse
11. access
12. accident
13. account
14. accuse
15. achieve
16. acid
17. acoustic
18. acquire
19. across
20. act
21. action
22. actor
23. actress
24. actual

⚠️ This is an example - your phrase will be completely unique

How It Works

The Recovery Process

From setup to recovery - here's how your recovery phrase protects your account

1. Setup

Generate your unique phrase

  • The system generates 24 random words from the BIP39 wordlist

  • It derives a cryptographic key from your phrase on your device

  • A secure hash of this key is sent to the server (the original key stays with you)

  • You write down the 24 words in order

2. Store Safely

Keep it secure offline

  • Write it on paper and store it in a safe or safety deposit box

  • Consider splitting it between multiple secure locations

  • Never store it digitally (no photos, cloud, password managers)

  • Don't share it with anyone, including support staff

3. Recovery

Restore account access

  • Enter your 24 words in exact order

  • The system recreates your cryptographic key locally

  • It proves ownership by signing a random challenge

  • A 24-hour waiting period begins, allowing you to deny unauthorized attempts from other sessions
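The setup and recovery steps above, worked through in code. This is an added example, not code from the page or from the WIGGWIGG service: it implements the BIP39 encoding rules (256 bits of entropy plus an 8-bit SHA-256 checksum, split into 24 eleven-bit word indices), the checksum validation that catches a misspelled or out-of-order word during recovery, and the on-device PBKDF2 key derivation. The page shows only the first 24 words of the real BIP39 list, so a constructed stand-in list of 2048 synthetic words is used; the page names PBKDF2 but no parameters, so BIP39's standard ones are assumed; and the "secure hash of this key" is modelled with SHA-256 because the page's bcrypt is not in the standard library.

```python
import hashlib
import secrets
import unicodedata

# Constructed stand-in for the 2048-word BIP39 English wordlist. The page shows only
# the real list's first 24 words, so this demo uses synthetic words "w0000".."w2047";
# the indexing and checksum rules are the same as for the real list.
WORDLIST = [f"w{i:04d}" for i in range(2048)]
WORD_INDEX = {word: i for i, word in enumerate(WORDLIST)}

ENTROPY_BITS = 256                                  # 24 words carry 256 bits of entropy
CHECKSUM_BITS = ENTROPY_BITS // 32                  # BIP39: one checksum bit per 32 entropy bits -> 8
WORD_COUNT = (ENTROPY_BITS + CHECKSUM_BITS) // 11   # 264 bits / 11 bits per word -> 24


def _checksum(entropy: bytes) -> int:
    """Top CHECKSUM_BITS bits of SHA-256(entropy), as BIP39 specifies."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - CHECKSUM_BITS)


def entropy_to_mnemonic(entropy: bytes) -> list:
    """Encode 32 bytes of entropy as 24 words: entropy || checksum, split into 11-bit indices."""
    if len(entropy) * 8 != ENTROPY_BITS:
        raise ValueError(f"expected {ENTROPY_BITS // 8} bytes of entropy")
    bits = (int.from_bytes(entropy, "big") << CHECKSUM_BITS) | _checksum(entropy)
    return [WORDLIST[(bits >> (11 * (WORD_COUNT - 1 - i))) & 0x7FF] for i in range(WORD_COUNT)]


def generate_mnemonic() -> list:
    """Setup step: draw 256 bits from the OS CSPRNG and encode them as 24 words."""
    return entropy_to_mnemonic(secrets.token_bytes(ENTROPY_BITS // 8))


def mnemonic_to_entropy(words: list) -> bytes:
    """Recovery step: decode 24 words back to entropy, rejecting unknown words and any
    spelling or ordering error the checksum can catch (raises ValueError)."""
    if len(words) != WORD_COUNT:
        raise ValueError(f"expected {WORD_COUNT} words, got {len(words)}")
    bits = 0
    for word in words:
        if word not in WORD_INDEX:
            raise ValueError(f"unknown word: {word!r}")
        bits = (bits << 11) | WORD_INDEX[word]
    checksum = bits & ((1 << CHECKSUM_BITS) - 1)
    entropy = (bits >> CHECKSUM_BITS).to_bytes(ENTROPY_BITS // 8, "big")
    if checksum != _checksum(entropy):
        raise ValueError("checksum mismatch: a word is misspelled or out of order")
    return entropy


def is_valid_mnemonic(words: list) -> bool:
    """Client-side check to run before attempting recovery."""
    try:
        mnemonic_to_entropy(words)
        return True
    except ValueError:
        return False


def mnemonic_to_seed(words: list, passphrase: str = "") -> bytes:
    """Derive the key material from the phrase on the device. The page names PBKDF2 but
    gives no parameters; BIP39's standard ones are assumed here: PBKDF2-HMAC-SHA512,
    2048 iterations, salt "mnemonic" + passphrase, 64-byte output, NFKD-normalized input."""
    mnemonic = unicodedata.normalize("NFKD", " ".join(words)).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic, salt, 2048, dklen=64)


def key_fingerprint(seed: bytes) -> str:
    """Stand-in for the 'secure hash of this key' sent to the server. Assumption: the page
    names bcrypt, which is not in the standard library, so SHA-256 is used for the demo."""
    return hashlib.sha256(seed).hexdigest()


if __name__ == "__main__":
    phrase = generate_mnemonic()
    print(" ".join(phrase))
    print("valid:", is_valid_mnemonic(phrase))
    print("server stores:", key_fingerprint(mnemonic_to_seed(phrase)))
```

With the real wordlist, all-zero entropy encodes to twenty-three times "abandon" followed by "art" (index 102); the stand-in list reproduces the same indices, which is why the checksum test below expects `w0102` as the last word. The checksum is an integrity aid only: it detects most transcription mistakes but gives no protection against someone who reads the phrase.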

Security Features

Built for Maximum Security

Zero-Knowledge Architecture

We never see your recovery phrase - not even encrypted. Your device generates the phrase and derives a cryptographic key. We only store a bcrypt hash of this key, making it mathematically impossible for us (or attackers) to reverse-engineer your phrase or access your account.

Automatic Security Reset

After using your recovery phrase once, it becomes 'compromised' in our system - you must immediately reset your password, add new passkeys, and generate a new recovery phrase. This prevents attackers from reusing a stolen phrase.

Verification Challenge

We verify your phrase using challenge-response cryptography. Your browser signs a random 256-bit challenge with HMAC-SHA256 using your derived key. Our server verifies this signature matches the stored key hash - without ever seeing your phrase.
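The challenge-response exchange just described, as an added example rather than code from the page or the service. It shows both sides: the browser computing HMAC-SHA256 over a 256-bit random challenge with its derived key, and a hypothetical server that issues single-use, time-limited challenges bound to one user and compares the response in constant time, so a captured response cannot be replayed and a near-miss cannot be distinguished by timing. A MAC can only be checked by a party holding the MAC key, so this example assumes the server is given a per-user verification key at enrollment; the page does not say what material it keeps for this check, and the names `ChallengeVerifier`, `enroll`, `issue_challenge` and `verify` are this example's own.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

CHALLENGE_BYTES = 32  # the page's 256-bit random challenge


def client_sign_challenge(derived_key: bytes, challenge: bytes) -> bytes:
    """Browser side: HMAC-SHA256 over the challenge with the key derived from the phrase."""
    return hmac.new(derived_key, challenge, hashlib.sha256).digest()


class ChallengeVerifier:
    """Server side (hypothetical). Issues single-use, time-limited challenges bound to a
    user and checks the returned MAC in constant time."""

    def __init__(self, ttl_seconds: float = 300.0) -> None:
        self._keys: Dict[str, bytes] = {}                      # user_id -> verification key (assumption)
        self._pending: Dict[bytes, Tuple[str, float]] = {}    # challenge -> (user_id, expiry)
        self.ttl = ttl_seconds

    def enroll(self, user_id: str, verification_key: bytes) -> None:
        self._keys[user_id] = verification_key

    def issue_challenge(self, user_id: str, now: Optional[float] = None) -> bytes:
        """Fresh 256-bit challenge from the OS CSPRNG, remembered with its owner and expiry."""
        challenge = secrets.token_bytes(CHALLENGE_BYTES)
        issued_at = time.time() if now is None else now
        self._pending[challenge] = (user_id, issued_at + self.ttl)
        return challenge

    def verify(self, user_id: str, challenge: bytes, response: bytes,
               now: Optional[float] = None) -> bool:
        # Consume the challenge first: a second use, even with a correct response, fails.
        entry = self._pending.pop(challenge, None)
        if entry is None:
            return False
        owner, expiry = entry
        if owner != user_id or (time.time() if now is None else now) > expiry:
            return False
        key = self._keys.get(user_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        # Constant-time comparison; also False for a response of the wrong length.
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed demo key; in the real flow this is the key derived from the phrase.
    demo_key = secrets.token_bytes(64)
    server = ChallengeVerifier()
    server.enroll("alice", demo_key)
    c = server.issue_challenge("alice")
    print("first use accepted:", server.verify("alice", c, client_sign_challenge(demo_key, c)))
    print("replay accepted:   ", server.verify("alice", c, client_sign_challenge(demo_key, c)))
```

Popping the challenge before any other check means a failed attempt burns it too, so an attacker cannot keep submitting guesses against the same challenge; the server must issue a new one for every attempt, which is also where rate limiting and the page's 24-hour waiting period would attach.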

Easy Rotation

Generate a new recovery phrase anytime. The old phrase immediately becomes invalid, and your new phrase takes over. Rotation is atomic and transaction-safe - both succeed or both fail together.
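The two state changes described under Automatic Security Reset and Easy Rotation, as an added example that is not code from the page or the service. It models the server-side record with SQLite: rotation invalidates the old phrase and installs the new one inside a single transaction, so a failed insert rolls the invalidation back and the old phrase stays active ("both succeed or both fail together"); a phrase used for recovery is flagged compromised so it cannot be used again, and the account stays in the security-reset state until a replacement is generated. The table layout, status names beyond those on the page, and the class `RecoveryPhraseStore` are this example's own; the `key_hash` values are whatever the real system stores (the page says a bcrypt hash) and are passed in here as opaque bytes.

```python
import sqlite3
from typing import Optional


class RecoveryPhraseStore:
    """Hypothetical server-side record of each user's recovery key hash and its status.
    'active' is usable, 'invalid' was superseded by rotation, and 'compromised' was used
    once for recovery and therefore requires the security reset flow."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            """CREATE TABLE recovery_keys (
                   id       INTEGER PRIMARY KEY,
                   user_id  TEXT NOT NULL,
                   key_hash BLOB NOT NULL,
                   status   TEXT NOT NULL
                            CHECK (status IN ('active', 'invalid', 'compromised')))"""
        )
        # At most one active phrase per user, enforced by the database itself.
        self.db.execute(
            "CREATE UNIQUE INDEX one_active_per_user ON recovery_keys(user_id) "
            "WHERE status = 'active'"
        )

    def active_hash(self, user_id: str) -> Optional[bytes]:
        row = self.db.execute(
            "SELECT key_hash FROM recovery_keys WHERE user_id = ? AND status = 'active'",
            (user_id,),
        ).fetchone()
        return row[0] if row else None

    def rotate(self, user_id: str, new_key_hash: bytes) -> bool:
        """Invalidate the old phrase and install the new one in one transaction: if the
        INSERT fails, the UPDATE is rolled back and the old phrase stays active."""
        try:
            with self.db:  # commits on success, rolls back if the body raises
                self.db.execute(
                    "UPDATE recovery_keys SET status = 'invalid' "
                    "WHERE user_id = ? AND status = 'active'",
                    (user_id,),
                )
                self.db.execute(
                    "INSERT INTO recovery_keys (user_id, key_hash, status) "
                    "VALUES (?, ?, 'active')",
                    (user_id, new_key_hash),
                )
            return True
        except sqlite3.Error:
            return False

    def mark_used(self, user_id: str) -> bool:
        """Automatic security reset: the phrase just used for recovery becomes 'compromised'
        so it cannot be reused; returns False if no phrase was active."""
        cur = self.db.execute(
            "UPDATE recovery_keys SET status = 'compromised' "
            "WHERE user_id = ? AND status = 'active'",
            (user_id,),
        )
        self.db.commit()
        return cur.rowcount == 1

    def needs_security_reset(self, user_id: str) -> bool:
        """True while the most recent phrase is the compromised one, i.e. until the user
        has generated a replacement."""
        row = self.db.execute(
            "SELECT status FROM recovery_keys WHERE user_id = ? ORDER BY id DESC LIMIT 1",
            (user_id,),
        ).fetchone()
        return row is not None and row[0] == "compromised"


if __name__ == "__main__":
    store = RecoveryPhraseStore()
    store.rotate("alice", b"hash-of-first-phrase")   # constructed placeholder values
    store.rotate("alice", b"hash-of-second-phrase")
    print("active:", store.active_hash("alice"))
    store.mark_used("alice")
    print("reset required:", store.needs_security_reset("alice"))
```

The partial unique index is the safety net behind the transaction: even a buggy code path cannot leave two phrases active for one user, and the `with self.db:` block guarantees that an old phrase is never invalidated without its replacement being committed in the same step.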

Best Practices

How to Store Your Recovery Phrase

DO

  • Write it down on paper clearly

  • Store in a safe or safety deposit box

  • Consider metal backup plates for fire resistance

  • Split between multiple secure locations

  • Verify word order and spelling

DON'T

  • Store in password managers or notes apps

  • Take photos or screenshots

  • Email it to yourself or others

  • Store in cloud storage (Dropbox, Google Drive)

  • Share with anyone, even support staff

Critical Security Warning

Anyone who has your 24-word recovery phrase can attempt to access your account. Treat it with the same security as you would a deed to your house, passport, or financial account information. Recovery attempts trigger a 24-hour waiting period, and if you're logged in, you'll receive a confirmation prompt to approve or block the attempt. If you suspect your phrase is compromised, immediately log in and generate a new phrase to invalidate the old one.

Frequently Asked Questions

What is a recovery phrase?

A recovery phrase is a unique 24-word sequence that acts as a master key to your account. Think of it as a super-password that can restore access to your account if you lose all your other login methods (password, passkeys, phone access).

How is this different from a password?

Unlike a password that's stored on our servers (even if encrypted), your recovery phrase generates a cryptographic key through BIP39 and PBKDF2. We only store a bcrypt hash of this key - meaning even our engineers can't access your account with it. It's mathematically impossible for us to reverse-engineer your recovery phrase.

Why 24 words instead of a shorter code?

24 words provide 256 bits of entropy, making it virtually impossible to guess or brute-force. While it seems long, it's actually more secure and easier to write down accurately than a random string of characters. The words come from a standardized list (BIP39), ensuring they're easy to spell and recognize.

Where should I store my recovery phrase?

Store it offline in a secure location: written on paper in a safe, a safety deposit box, or split between multiple secure locations. Never store it digitally (no screenshots, password managers, cloud storage, or emails). Treat it like you would a deed to your house or passport.

What happens if I lose my recovery phrase?

If you lose your recovery phrase but still have access to your account (via password or passkey), you can generate a new one immediately. This is why it's critical to store your recovery phrase securely from day one. It's your only backup if you lose access to all other authentication methods.

What is the automatic security reset?

When you use your recovery phrase to access your account, it becomes 'compromised' in our system as a security measure. This means you must complete a security flow (reset password, add new passkey, generate new recovery phrase) before gaining full access. This prevents attackers from using a stolen phrase multiple times.

What about physical security threats?

Your recovery phrase is vulnerable to physical theft, coercion, or duress. Store it securely and consider that anyone who physically accesses it can control your account. Never reveal it under pressure - your safety is more important than your account. Use multiple secure locations and consider splitting the phrase if appropriate.

How do I protect against social engineering?

Never share your recovery phrase with anyone claiming to be from WIGGWIGG support, law enforcement, or technical assistance. We will never ask for your recovery phrase. Legitimate support can help you generate a new phrase if you have account access, but will never request your existing phrase.

Ready for Ultimate Security?

Generate your recovery phrase and secure your account.