Most solo-founder security advice starts with stronger locks. Stronger locks matter, but they are not enough. If you are the only admin, you also need a recovery plan that works when your laptop, phone, inbox, password manager, or main device is unavailable.
This guide is about continuity: how to get back into the accounts that keep the business alive.
The short version
If you only do one pass today, identify the accounts that control everything else and confirm how each one can be recovered. For a solo founder, that usually means primary email, password manager, domain registrar, DNS, code hosting, cloud storage, and payment accounts.
The key is to separate security from recoverability. Stronger MFA is useful, but it should come after you have removed outdated recovery emails, saved backup codes, and stored password-manager recovery material somewhere other than the password manager itself. The recovery plan should be accessible even if your main laptop is not.
Who this is for
This is for solo founders, indie builders, and one-person companies where one person controls most admin access.
It is especially relevant when business email, domain, website, payments, deployments, and support all depend on accounts you personally administer. If you are the only super admin for email, code hosting, payments, hosting, or DNS, then a lost phone or locked password manager can become a business continuity problem rather than a minor inconvenience.
Larger teams need shared admin procedures. Solo founders first need a recovery plan that does not depend on memory and one device.
Map your control accounts
List the accounts that can reset, redirect, bill, deploy, or prove ownership of the business. In most solo-founder setups, this means primary business email, domain registrar, DNS provider, hosting or deployment provider, password manager, source-code hosting, payment processor, cloud storage, finance tools, and the phone or SIM provider if it receives recovery codes.
For each account, write down what it controls.
Here is what that mapping can look like:
| Account | What it controls |
|---|---|
| Primary email | Password resets, customer communication, SaaS recovery |
| Domain registrar | Domain ownership, nameservers, transfer lock |
| DNS provider | Email routing, website routing, verification records |
| Password manager | Passwords, some backup codes, secure notes |
| GitHub | Source code, deployments, client repositories |
| Payment processor | Revenue, payouts, tax documents |
This exercise usually reveals that primary email, password manager, domain registrar, and DNS are the real control plane.
Find single points of failure
Look for situations where one lost device or locked account blocks recovery. The classic solo-founder failure is one phone acting as the only MFA device, backup-code store, passkey device, and recovery contact point. Other common problems are password-manager recovery keys stored only on the laptop, registrar recovery email tied to the same domain it controls, payment or hosting accounts depending on an old phone number, DNS access held by a former agency, and invoices or contracts living in only one cloud account.
Fix the highest-consequence failures first. A perfect setup for ten minor tools does not matter if your domain or primary email is fragile.
Choose recovery methods before adding stricter MFA
Stronger MFA can reduce account takeover risk, but it can also make lockout more painful if recovery is weak.
Before tightening a critical account, save backup codes, add a second passkey, authenticator, or security key if supported, confirm that recovery email and phone details are current, and document the provider’s recovery process. Also check whether support can recover the account and what proof they require, because some providers rely heavily on recovery methods you configured before the incident.
For GitHub-style accounts, official recovery documentation often depends on recovery codes or previously configured recovery methods. That means the work must be done before something goes wrong.
For MFA rollout details, see How To Avoid Account Lockout When Using MFA.
Keep recovery information outside the blast radius
Recovery material should not all live in the same account it recovers. Reasonable patterns include a printed emergency sheet in a controlled physical location, an encrypted file stored separately from the password manager, a sealed recovery document with a trusted person, a second device enrolled for critical MFA, or a separate cloud account used only for emergency documentation.
The right setup depends on your threat model. A solo founder handling a local consulting business does not need the same ceremony as a crypto exchange founder. But the weak setup is usually the same: everything is in one laptop, one phone, one inbox, and one password manager.
For recovery-code storage tradeoffs, see Where To Store Backup Codes And Recovery Keys.
Write the recovery procedure as steps
Do not write vague notes like “recover email” or “check backups.” Write the sequence you would actually follow.
Example solo-founder recovery order:
- recover access to primary business email
- recover password manager
- confirm domain registrar and DNS access
- verify cloud storage and backups
- verify source-code hosting and deployment access
- confirm payment processor and bank access
- contact customers or clients through a backup channel if needed
The exact order can vary, but email, password manager, domain, and DNS usually come early because they support everything else.
Make an emergency account sheet
This does not need to contain passwords. It should answer which email address owns the account, which MFA methods are enrolled, where backup codes are stored, what account or email recovers it, whether a second admin exists, where the support path is, and what proof of identity or ownership might be needed.
For a domain registrar, a useful emergency row might say that the owner login is the business email, MFA uses an authenticator app plus backup codes, backup codes are in the printed recovery envelope, the recovery email is outside the same domain, transfer lock is enabled, and renewal is on auto-pay. That is enough information to act without exposing the password in the recovery document.
Decide what happens if you are unavailable
Solo founders often think about account recovery only as “what if I lose my phone?” There is another scenario: what if you are unavailable and someone else needs to keep the business reachable?
You may not need a full legal or operational continuity plan on day one, but you should still decide who knows the recovery plan exists, whether anyone else can access emergency instructions, how customers or clients would be contacted, how invoices, domains, and email would be handled, and whether a trusted person should know where sealed recovery material is stored.
This is not only about cybersecurity. It is business continuity. The more customers, revenue, or obligations you have, the more important this becomes.
Keep the plan usable under pressure
The recovery document should be boring and direct. Avoid clever folder names, long essays, or instructions that only make sense when you are calm.
Use plain headings such as “Recover email”, “Recover password manager”, “Check domain and DNS”, “Restore files”, and “Contact customers”. Each section should say where to go, what is needed, and what not to do. For example, the domain section might say not to disable transfer lock unless a domain transfer is intentional.
Review it after major account changes
Update the plan when you:
- change password managers
- move domain registrars
- change primary email providers
- enable new MFA methods
- replace your phone
- add a cofounder or contractor
- change hosting, DNS, or cloud storage
- create a new payment or billing account
A recovery plan is only useful if it reflects the current account setup.
Common mistakes
The most dangerous mistake is circular recovery. If the company domain email is the only recovery email for the domain registrar, a DNS or email problem can make the registrar harder to recover. The same pattern appears when backup codes for the password manager are stored only inside the password manager.
Solo founders also overestimate SaaS support. Some providers can help, some cannot, and many recovery flows depend on backup codes or previously configured recovery methods. Treat support as a fallback, not the plan.
Finally, avoid replacing a phone before checking authenticator and passkey migration. Device changes are one of the easiest times to create a lockout.
Good next step
Make the account map first. Then fix the top three recovery risks: primary email, password manager, and domain registrar.
Related guides:
- Freelancer Account Security Checklist
- Where To Store Backup Codes And Recovery Keys
- Domain Registrar Security Checklist