55 Air-gapped recovery identity
A recovery identity, and the materials it needs, kept wholly outside the tenant and offline — so a total domain compromise still leaves a way back in. It is the assumption of failure made concrete: every other recovery path in this catalog runs through something the attacker now controls.
Documentation: Security best practices for administrator accounts ↗ · Recovering administrator access to your account ↗
Caveats
This is a process control — it is carried out offline, so there is no Admin Console walkthrough to show.
Ongoing maintenance
- requires a human Semi-annually: refresh contents that age (codes, printed docs, contact lists) and re-seal.
How to verify
Open the kit under custody rules and inventory it against the manifest: recovery identity credentials, DNS registrar access, printed runbooks — then re-seal with fresh serials.
v0.0.2Recover policy #11 · #13, #16 (gap G4) ↗