Disable 2FA Reset without recovery codes

New phone, misplaced recovery codes and now I can’t login to the balena dashboard.

From other posts, it looks like there is a way to disable 2FA without recovery codes.

Can I have one of those private messages explaining how?


Hi, Patrick are you still having issues accessing your account or has this been resolved?

Thanks for the reply. This has not been resolved and I cannot login. Any chance you could disable 2FA?


Sorry for the delay on this. By choosing to enable two-factor authentication, you have made it clear to us that security is as an important concern for you as it is for us. It also means you do not completely trust authenticating with just a password.

Therefore you will understand that we need to take extra measures to be sure that we are not disabling two-factor authentication for an attacker who learned your password. For this reason we would like to check a few options.

The fastest route would be if you have the recovery codes. Those can help us verify and move forward. If not, we would like to verify that you are in possession of the SSH key that you have added to your balenaCloud account.

Let us know if either of those exist for your account. And someone from our team can help take the process forward.

Thanks for the follow up. I understand.

I have the SSH and API keys for the account. The recovery codes are not available.

Great, that you have added your ssh keys in balena, for verifying those keys. Please run the following commands and send us the output of the openssl/base64 command. After we validate the signature, we will disable 2FA on your account and you will be able to login with just your password.

  # make a temporary copy of the original ssh private key
  cp  ~/.ssh/id_rsa  ~/.ssh/private_key_553.pem 

  # convert the ssh private key copy to PEM format
  ssh-keygen -p -m PEM -f ~/.ssh/private_key_553.pem 

  # sign a hash string with the private key
  echo CHANGE_ME | openssl rsautl -sign -inkey ~/.ssh/private_key_553.pem | base64 

  # delete the temporary private key copy
  rm  ~/.ssh/private_key_553.pem

If your SSH key is stored in a different location than ~/.ssh/id_rsa, edit the commands accordingly. If you have multiple SSH keys and you are unsure which key was registered with balena, it is OK to run these commands for each key, and send us the output for all of them. Let us know if you have trouble with these instructions.

Should I post the results here?

Hello, no please do not post the results here, please send them in a message to a balena team member so that we can review them and they can remain secure.

Hello, thank you for sending the results, we have verified the key and have reached out to our backend team requesting that MFA be removed from your account. We will let you know when it has been done.