This article explains what happens when an AgroYield admin triggers a password reset for your account on your behalf — typically because you've reached out to support saying you can't get into your account.
When this flow runs
You'll see the callback-OTP flow when:
- You called or messaged support saying you can't sign in
- An admin needs to force you to set a new password because we suspect your account was compromised
- Your usual /forgot-password email isn't arriving (bounced, spam-filtered, wrong inbox on file)
You will not see this if you're triggering a password reset yourself through /forgot-password — that's a separate flow with its own one-step recovery link.
What happens, step by step
When the admin presses Send password reset on your account, the system:
- Generates a random 6-digit code (e.g. 482917)
- Sends it to both your registered email AND your registered phone (SMS via our Termii integration)
- Returns to the admin: "Code sent — ask the user to read it back to you"
- Waits for the admin to enter the code you read them
When the admin enters the correct code:
- The actual password-reset email arrives in your inbox with a recovery link
- You click the link, set a new password, you're back in
If the admin enters the wrong code 3 times in a row, the challenge locks and they have to start over. The code itself expires after 10 minutes.
Why two steps?
Without the OTP step, anyone who calls support and convincingly pretends to be you could trigger a password reset on your account. The 6-digit code defends against this — the support agent can't proceed unless they're actually talking to someone who controls your email or phone. Banks use the same pattern when you call them.
What you should see
On your phone (SMS):
AgroYield: support verification code is 482917. Valid 10 min. Never share.
In your email:
Subject: AgroYield Network — support verification code
Hi [Your name],
Our support team needs to verify it's you before resetting your password. Read this 6-digit code back to the agent you're speaking with: 482917
If you didn't request a password reset and you receive this code out of nowhere, do not read it to anyone. Email support@agroyield.africa immediately — someone may be attempting to social-engineer access to your account.
What if I've lost access to both my phone AND my email?
Rare but real. If you've lost your phone, can't access your email, and need help getting back into your account:
- Reach out via any channel you can — a friend's phone, an alternate email, an in-person visit if you're near an AgroYield contact
- Be ready to verify your identity through a video call where you show ID — the support agent will arrange this
- Once your identity is confirmed, a super admin can bypass the OTP challenge and send the recovery link directly. Every bypass fires a Slack canary to our ops channel and is permanently audit-logged — so it stays an exceptional path, not a routine one
- Get back into your account, then immediately update your email + phone on file so the standard flow works next time
For admins: how to run the flow
Open Admin → Members → find the user → Send password reset:
- Confirm the prompt
- The OTP fires to the user's email + SMS. The on-screen confirmation shows obscured destinations (e.g. email ok…ei@gmail.com + SMS +234801****5678) so you can verify you're resetting the right account
- Ask the user to read back the 6-digit code
- Enter the code (up to 3 attempts allowed)
- Optionally choose to also force-sign-out their existing sessions (use for compromised-account flows)
- The recovery email fires; the user sees it in their inbox within seconds
If the user has lost access to both channels and you're a super admin, use Bypass OTP instead. You'll be required to type a written reason (≥10 chars), which is stored in the audit log and posted to the Slack canary channel.
Rate limits
- One challenge issuance per user per 5 minutes — prevents accidental double-fires
- 3 wrong code attempts before the challenge locks
- 10-minute challenge expiry
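The following is an added illustration of the rules described in the step-by-step section and in the rate limits above; it is example code, not AgroYield's own implementation, and the class and method names, the injected clock, and the list standing in for the Slack canary are all assumptions. It shows the whole lifecycle of one challenge: issuance with the per-user cooldown, constant-time code comparison, the three-wrong-attempts lock, the 10-minute expiry, one-shot consumption on success, and the audited super-admin bypass that refuses a reason shorter than 10 characters.

```python
"""Callback-OTP challenge for admin-triggered password resets (added example).

Not AgroYield's code: names, storage and the canary hook are assumptions.
Time is passed in explicitly so expiry and cooldown can be tested without sleeping.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

CODE_TTL_SECONDS = 10 * 60         # challenge expires after 10 minutes
ISSUE_COOLDOWN_SECONDS = 5 * 60    # one issuance per user per 5 minutes
MAX_ATTEMPTS = 3                   # wrong entries before the challenge locks
MIN_BYPASS_REASON_LEN = 10         # Bypass OTP needs a written reason of >= 10 chars


@dataclass
class Challenge:
    code_hash: bytes        # only a hash of the code is kept server-side
    issued_at: float
    attempts: int = 0
    locked: bool = False


@dataclass
class OTPChallengeService:
    challenges: dict = field(default_factory=dict)   # user_id -> Challenge
    last_issued: dict = field(default_factory=dict)  # user_id -> timestamp
    audit_log: list = field(default_factory=list)    # permanent record
    canary: list = field(default_factory=list)       # stand-in for the Slack ops channel

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.strip().encode()).digest()

    def issue(self, user_id: str, now: float, code: Optional[str] = None) -> str:
        """Create a 6-digit code for the user and return it for delivery by
        email and SMS. Raises if the per-user cooldown is still active.
        `code` may be supplied only to make tests deterministic."""
        last = self.last_issued.get(user_id)
        if last is not None and now - last < ISSUE_COOLDOWN_SECONDS:
            raise RuntimeError("rate limited: one challenge per user per 5 minutes")
        if code is None:
            # uniform over 000000..999999, from a CSPRNG, zero-padded to 6 digits
            code = f"{secrets.randbelow(1_000_000):06d}"
        self.challenges[user_id] = Challenge(self._hash(code), now)
        self.last_issued[user_id] = now
        self.audit_log.append(("issued", user_id, now))
        return code

    def verify(self, user_id: str, entered: str, now: float) -> str:
        """Check the code the admin typed. Returns one of:
        'ok', 'wrong', 'locked', 'expired', 'none' (no live challenge)."""
        ch = self.challenges.get(user_id)
        if ch is None:
            return "none"
        if ch.locked:
            return "locked"            # admin must start over with a new challenge
        if now - ch.issued_at > CODE_TTL_SECONDS:
            del self.challenges[user_id]
            return "expired"
        if hmac.compare_digest(self._hash(entered), ch.code_hash):
            del self.challenges[user_id]   # one-shot: a verified code cannot be reused
            self.audit_log.append(("verified", user_id, now))
            return "ok"                    # caller now sends the recovery link
        ch.attempts += 1
        if ch.attempts >= MAX_ATTEMPTS:
            ch.locked = True
            self.audit_log.append(("locked", user_id, now))
            return "locked"
        return "wrong"

    def bypass(self, user_id: str, super_admin: str, reason: str, now: float) -> bool:
        """Super-admin path when the user has lost both channels: skips the code,
        but requires a written reason and always fires the canary and audit entry."""
        if len(reason.strip()) < MIN_BYPASS_REASON_LEN:
            raise ValueError("bypass reason must be at least 10 characters")
        entry = ("bypass", user_id, super_admin, reason.strip(), now)
        self.audit_log.append(entry)
        self.canary.append(f"OTP bypass on {user_id} by {super_admin}: {reason.strip()}")
        self.challenges.pop(user_id, None)
        return True
```

In the service the admin UI would call `issue` when "Send password reset" is confirmed, call `verify` with each code the user reads back, and only send the recovery email on `"ok"`; `"locked"` and `"expired"` both mean a fresh challenge is needed, which the cooldown in `issue` throttles.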