Tryst.link Site Update: We Are Removing Emergency Recovery Codes

Emergency Recovery Codes—the letters and digits you received when setting up 2-step login (2SL)—are being removed as of the 2nd of June, 2026. 

Should you ever lose access to your authenticator app, passkey, or physical security token, you will now reach out to our Access team instead of using an emergency recovery code. Our Access team will then work with you to verify your identity and help you regain entry to your account. 

Day-to-day, nothing will change about how you log into Tryst.link. These changes only apply in the rare event you lose your authenticator app, passkey, or physical security token. 

What exactly is an Emergency Recovery Code?

Emergency Recovery Codes are codes you were provided with when setting up 2-step login on your account. Consisting of the letters and digits, they were intended for use only as a last resort, for instance, if your phone broke or was lost, or you lost access to your authenticator app.

Why are we making this change?

We are removing Emergency Recovery Codes to better protect your account from scammers.

Our security monitoring shows that Emergency Recovery Codes have become a primary target for account takeovers. Scammers have been using fake emails and "copycat" websites to trick providers into surrendering their codes and gain unauthorised access to their Tryst.link profiles.

By phasing out these codes, we are shutting down the scammers and keeping each account more secure.

What's replacing them?

We’ve created a dedicated Access team to help you regain access if you ever get locked out. 

We know that being locked out of your account is stressful and directly impacts your work. Having real humans review recovery requests is a change, but it will help keep bad actors out and ensure only you access your account. 

We strongly recommend switching from an authenticator app to passkeys or a physical security token for the strongest protection (see the section “it’s safer to use passkeys and physical security tokens” below for more on these options). 

What happens if I lose access to my account?

On the off chance you lose access to your authenticator app, passkey, or physical security token, you will create a recovery request and our new Access team will work with you directly to verify your account ownership and set up a new form of 2-step login.

It’s safer to use passkeys and physical security tokens 

Now is the perfect time to upgrade your account security by switching away from an authenticator app, to using passkeys, or physical security tokens like YubiKeys.

A passkey is a secure, password-free login method that uses biometric authentication (a fingerprint or face scan) or a PIN. 

A physical security token is a small device that you plug into your phone or laptop. 

While authenticator apps are good, passkeys and physical security tokens are the best possible security tools available. Here are some more good reasons why we recommend them:

Passkeys and physical tokens are tied to your physical devices: Both rely on your phone or computer to verify you. Without having your actual, physical device in their hands, a scammer cannot log in.

Passkeys and physical tokens are easy to use: You can use your device’s built-in security such as a fingerprint reader or facial recognition, or tap a button on your physical security key. You can even register separate tokens for your phone and laptop.

Passkeys and physical tokens are phishing-resistant: they only work on the real Tryst.link website. Even if a scammer tried to trick you into visiting a fake site, your passkey or token would “spot” this, and refuse to authenticate your login. 

To learn more about how these options work and how to set them up, we have sex worker–centric articles about passkeys and physical security tokens on our blog:

• Ask Ada: What's a passkey? Do I need one as a sex worker?
• Ask Ada: What's a physical security token? Do I need one?

Do Emergency Recovery Codes really have to go?

Emergency Recovery Codes do not expire unless you’ve used them and because of this “long life” they have become a prime target for scammers running fake websites. By removing recovery codes entirely, we are cutting off this avenue of attack and helping to protect your Tryst.link account.

If an attacker tries to use a code generated by an authenticator app on your smartphone, they will only have a few seconds before that code expires. These kinds of login codes make authenticator apps relatively safe, although passkeys and physical security tokens really are the best option. 

Scammers are targeting our community using phishing attacks. They build fake websites that look very similar to Tryst.link and send panicked messages trying to trick you into logging in to the fake site. They try to leverage a heightened emotional state regarding your account, hoping you don't notice the signs that the site you're on isn't really Tryst.link. 

When you visit a fake site, you're prompted to enter your username, password, and recovery code. If the fake site gets this information from you, scammers are then able to log in to the real Tryst.link and take over your account. Removing Emergency Recovery Codes as part of 2-step login means there is simply no code to enter.

If you have any feedback about 2-step login, the removal of recovery codes, or any other features on Tryst.link, please get in touch! Fire up your email client and send a message to chris@tryst.link — I can't respond to every message, but I will absolutely read them all.

Are you a sex worker with a story, opinion, news, or tips to share? We'd love to hear from you!

We started the tryst.link sex worker blog to help amplify those who aren't handed the mic and bring attention to the issues ya'll care about the most. Got a tale to tell? 👇☂️✨