Our login recovery process applies in very specific, rare situations:
You have lost both your login information and access to your email address.
You have two-factor authentication configured, your two-factor device is lost or broken, and you don't have one-use recovery codes saved.
We determine that both control of a membership and the associated email address have been hijacked or transferred to someone other than the named member.
The worst case scenario is that you have two-factor authentication configured that isn't working and you didn’t save any one-use recovery codes and you don't know your login and password and your member contact email address isn't working. This case is so spectacularly unlikely that even if your recovery settings are lower, you must complete all possible verification steps to regain access to your membership. Seriously, don't let this happen!
To complete the login recovery process, a certain number of login recovery actions must be completed successfully. The process is designed to be mildly inconvenient for our members and impossibly difficult for others. Members who keep good records, always make sure their contact information with us is up-to-date, and set up additional recovery options can complete the process with as little as 10 minutes of work on their part. Most members complete it with less than 30 minutes of work.
Although burdensome and inconvenient, the process is typically not actually difficult unless there are extenuating circumstances. For example, if you gave us a fake name when you signed up, you're probably about to have a very bad day.
For more information about the login recovery process, please review the entire Login Recovery section of this FAQ.
Login recovery actions help you regain access to your membership during the login recovery process.
These login recovery actions can be performed by any member:
You provide a legible, unredacted image of a currently valid government-issued photo ID matching the legal name on the membership. Examples include a driving license, passport, or state-issued ID card. All IDs are considered on a case-by-case basis, but a good rule of thumb for whether a particular photo ID will be acceptable is whether it shows your date of birth and whether you can go to prison for forging it. (Note: Most school-issued IDs do not meet our requirements.)
You provide a legible, unredacted image of a preprinted statement showing a transaction matching the date and amount of a recent deposit to an account on your membership and the (personal or business) name we have on file for the corresponding account. This usually means a bank or credit card statement. PayPal provides downloadable monthly statements that you can use, but you will typically also have to verify your address as described below. Email receipts and screenshots (e.g., from PayPal or us) are not acceptable.
You sign a letter (provided by us) in the presence of a notary. You send (via USPS/FedEx/UPS/DHL) the physical, signed, notarized original to our office address. The letter must be notarized by an active notary whose credentialing we can verify, e.g., through the American Society of Notaries or a state registry. Copies, scans and facsimiles are not acceptable.
These login recovery actions are situation-dependent:
If (and only if) you lose access to your email: We try and fail to contact you via the email address we currently have on file for your membership. (This one may take a long time.)
If (and only if) you lose your configured two-factor authentication device: We successfully contact you via the email address we currently have on file for your membership. (If you have also lost access to your email address, recover that first.)
These optional actions must be set up in advance to be used for recovery:
We send a message to the SMS number associated with your membership.
(Requires SMS to be configured in advance. Our ability to send SMS to some countries is limited by local regulations.)
You use your two-factor authentication.
(Requires two-factor authentication to be configured in advance and working, or a pre-generated single-use recovery code.)
You correctly answer your pre-set security question.
(Requires a security question and answer to be configured in advance.)
You use your SSH key.
(Requires your SSH public key to be loaded in advance on the Profile tab. Does not require you to have any active sites.)
If (and only if) you choose to provide both a photo ID and an account statement, then (at least) one must display the same official mailing address as that shown on the corresponding account. If neither does, you must additionally provide an additional document to verify the address. Examples include a utility bill, lease, or property tax bill matching the account address and the account surname or company name. The address may be current or contemporary with the deposit.
(If you provide either a photo ID or an account statement but not both, you can skip this requirement.)
The vast majority of "I lost all my information, please make an exception to your security practices and let me in" requests we receive come from people trying to gain illicit access to someone else's membership. NearlyFreeSpeech.NET takes the security and privacy of our members' services very seriously. Our members know that we are serious about protecting their privacy and security. That's at least part of the reason many people choose us. They expect us to live up to that in such situations so that when they emerge from it, they can be supremely confident that their membership can't be hijacked by the first person who comes along with a good story.
Attempts to convince us to make an exception to our standard practices typically represent an attempt by an unauthorized party to socially engineer illicit access to a membership or information about a member. This includes threats, attempts at negotiation, sob stories, and everything in between. To minimize the risk of social engineering, the login recovery process is specifically designed to be completed without human interaction. Nothing you send us during the login process will be responded to by a person.
Consequently, we regret that you are likely to find our support uncharacteristically unhelpful during the login recovery process. We apologize in advance for any frustration that results!
Send a message to support@nearlyfreespeech.netfrom a working email address that we can reply to stating one of the following:
"I would like to complete the Login Recovery Process because I do not have access to the email address associated with my membership."
"I would like to complete the Login Recovery Process because I do not have access to my two-factor device or saved recovery codes."
"I would like to complete the Login Recovery Process because NearlyFreeSpeech.NET determined that my membership and email address have been compromised."
Our system will send you further instructions. Be very careful that all further messages you send us during that login recovery attempt are replies to that message. It will be from a unique address specific to that login recovery attempt. (Something like "issue_123456@support.nearlyfreespeech.net.") Any additional messages you send to our support won't be associated with your attempt to complete the process and won't count toward completing it.
Note that only one login recovery attempt may be initiated per day, and no more than one login recovery attempt may be in process at a time. (Both limits are per membership and per email address.)
If an attempt to complete the login recovery process fails due to multiple errors or social engineering efforts, you will be notified that you must wait 24 hours before starting a new attempt.
When we analyze failures to complete the login recovery process, it is frequently because of a misunderstanding about one of the recovery actions.
The single most important thing you can do is read the description of each login recovery action you are using very carefully. They tend to be kind of wordy, and that's after we've gone through them several times trying to slim them down. There's no fluff; every word is there for a reason. If necessary, read the description of each recovery action out loud. This sounds silly, but is a great way to pick up on anything you might have missed.
Also, question your assumptions about the applicability and validity of any documents you're providing. Failing the login recovery process over and over is a really painful way to figure out (eventually) that your driving license expired last month.
One other less common source of error is mistaken beliefs about what information we have. For example, any of these can lead to difficulty with the login recovery process:
Misremembering what contact email address you gave us. (People who forward email from us through an intermediate address are particularly susceptible to this. Our automated email address recovery may be able to help.)
You gave us wrong (or fake) contact address information for your account.
You've moved, and you might have forgotten to update us with your new address.
You gave us your business address and are trying to verify your home address (or vice versa).
If all else fails, go over the whole process with a friend. Show them the login recovery actions. Have them read them out loud. Go over everything you're providing. Ask them, if they were a web hosting company paranoid about protecting customers' security, what you're doing that they wouldn't accept. If they insist nothing, that's a wonderfully supportive friend you should treasure, but you might need to ask someone... nit-pickier.
Finally, there are some specific things that can more actively undermine attempts to complete the login recovery process:
Do not attempt to use an optional recovery action that you did not set up beforehand.
Do not send any extra documentation that isn't listed as one of the login recovery actions.
Do not send documentation that does not meet the requirements.
Do not redact, crop or edit any documentation you send.
Do not ask for exceptions to the policy.
Do not attempt to negotiate or argue with the recovery process.
The documentation we request can be very sensitive, and we treat it with extreme caution and care.
Documentation is always reviewed by the absolute minimum number of people needed to validate it. That's generally one person unless that person encounters a specific, articulable difficult establishing whether it meets the requirements. (E.g., the document is not in English.) One is typical. Two is rare. Three is incredibly rare. As of 2025, no document has ever needed to be reviewed by more than three people.
As soon as a login recovery attempt is closed (successfully or otherwise), any documentation provided during that attempt is permanently removed from our ticket system.
