diff --git a/certoperations.js b/certoperations.js
index 0379336a..e23f2005 100644
--- a/certoperations.js
+++ b/certoperations.js
@@ -112,7 +112,9 @@ module.exports.CertificateOperations = function (parent) {
 
     // Create a self-signed certificate
     obj.GenerateRootCertificate = function (addThumbPrintToName, commonName, country, organization, strong) {
-        var keys = obj.pki.rsa.generateKeyPair((strong == true) ? 3072 : 2048);
+        // TODO: Use Async key generation to use web workers and go a lot faster.
+        // rsa.generateKeyPair({ bits: 3072, e: 0x10001, workers: -1 }, function (err, keypair) { /*keypair.privateKey, keypair.publicKey*/ });
+        var keys = obj.pki.rsa.generateKeyPair({ bits: (strong == true) ? 3072 : 2048, e: 0x10001 });
         var cert = obj.pki.createCertificate();
         cert.publicKey = keys.publicKey;
         cert.serialNumber = String(Math.floor((Math.random() * 100000) + 1));
@@ -136,7 +138,7 @@ module.exports.CertificateOperations = function (parent) {
 
     // Issue a certificate from a root
     obj.IssueWebServerCertificate = function (rootcert, addThumbPrintToName, commonName, country, organization, extKeyUsage, strong) {
-        var keys = obj.pki.rsa.generateKeyPair((strong == true) ? 3072 : 2048);
+        var keys = obj.pki.rsa.generateKeyPair({ bits: (strong == true) ? 3072 : 2048, e: 0x10001 });
         var cert = obj.pki.createCertificate();
         cert.publicKey = keys.publicKey;
         cert.serialNumber = String(Math.floor((Math.random() * 100000) + 1));
diff --git a/db.js b/db.js
index 6f476a0e..a8cfe293 100644
--- a/db.js
+++ b/db.js
@@ -175,7 +175,7 @@ module.exports.CreateDB = function (parent) {
     obj.getPowerTimeline = function (nodeid, func) { if (obj.databaseType == 1) { obj.file.find({ type: 'power', node: { $in: ['*', nodeid] } }).sort({ time: 1 }).exec(func); } else { obj.file.find({ type: 'power', node: { $in: ['*', nodeid] } }).sort({ time: 1 }, func); } };
     obj.getLocalAmtNodes = function (func) { obj.file.find({ type: 'node', host: { $exists: true, $ne: null }, intelamt: { $exists: true } }, func); };
     obj.getAmtUuidNode = function (meshid, uuid, func) { obj.file.find({ type: 'node', meshid: meshid, 'intelamt.uuid': uuid }, func); };
-    obj.isMaxType = function (max, type, func) { if (max == null) { func(false); } else { obj.file.count({ type: type }, function (err, count) { func((err != null) || (count > max)); }); } }
+    obj.isMaxType = function (max, type, domainid, func) { if (max == null) { func(false); } else { obj.file.count({ type: type, domain: domainid }, function (err, count) { func((err != null) || (count > max)); }); } }
 
     // Read a configuration file from the database
     obj.getConfigFile = function (path, func) { obj.Get('cfile/' + path, func); }
diff --git a/meshagent.js b/meshagent.js
index 6fe73f05..1f178464 100644
--- a/meshagent.js
+++ b/meshagent.js
@@ -368,6 +368,16 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
         if ((obj.authenticated != 1) || (obj.meshid == null) || obj.pendingCompleteAgentConnection) return;
         obj.pendingCompleteAgentConnection = true;
 
+        // Check if we have too many agent sessions
+        if (typeof domain.limits.maxagentsessions == 'number') {
+            // Count the number of agent sessions for this domain
+            var domainAgentSessionCount = 0;
+            for (var i in obj.parent.wsagents) { if (obj.parent.wsagents[i].domain.id == domain.id) { domainAgentSessionCount++; } }
+
+            // Check if we have too many user sessions
+            if (domainAgentSessionCount >= domain.limits.maxagentsessions) { return; } // Too many, hold the connection.
+        }
+
         // Check that the mesh exists
         var mesh = obj.parent.meshes[obj.dbMeshKey];
         if (mesh == null) { console.log('Agent connected with invalid domain/mesh, holding connection (' + obj.remoteaddrport + ', ' + obj.dbMeshKey + ').'); return; } // If we disconnect, the agnet will just reconnect. We need to log this or tell agent to connect in a few hours.
diff --git a/meshcentral.js b/meshcentral.js
index d063cef6..8681be2d 100644
--- a/meshcentral.js
+++ b/meshcentral.js
@@ -437,6 +437,7 @@ function CreateMeshCentralServer(config, args) {
         var bannedDomains = ['public', 'private', 'images', 'scripts', 'styles', 'views']; // List of banned domains
         for (i in obj.config.domains) { for (var j in bannedDomains) { if (i == bannedDomains[j]) { console.log("ERROR: Domain '" + i + "' is not allowed domain name in ./data/config.json."); return; } } }
         for (i in obj.config.domains) {
+            if (obj.config.domains[i].limits == null) { obj.config.domains[i].limits = {}; }
             if (obj.config.domains[i].dns == null) { obj.config.domains[i].url = (i == '') ? '/' : ('/' + i + '/'); } else { obj.config.domains[i].url = '/'; }
             obj.config.domains[i].id = i;
             if (typeof obj.config.domains[i].userallowedip == 'string') { if (obj.config.domains[i].userallowedip == '') { obj.config.domains[i].userallowedip = null; } else { obj.config.domains[i].userallowedip = obj.config.domains[i].userallowedip.split(','); } }
diff --git a/meshuser.js b/meshuser.js
index 51f40f98..bb9121fd 100644
--- a/meshuser.js
+++ b/meshuser.js
@@ -127,6 +127,20 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
         // Check if the user is logged in
         if (user == null) { try { obj.ws.close(); } catch (e) { } return; }
 
+        // Check if we have exceeded the user session limit
+        if (typeof domain.limits.maxusersessions == 'number') {
+            // Count the number of user sessions for this domain
+            var domainUserSessionCount = 0;
+            for (var i in obj.parent.wssessions2) { if (obj.parent.wssessions2[i].domainid == domain.id) { domainUserSessionCount++; } }
+
+            // Check if we have too many user sessions
+            if (domainUserSessionCount >= domain.limits.maxusersessions) {
+                ws.send(JSON.stringify({ action: 'stopped', msg: 'Session count exceed' }));
+                try { obj.ws.close(); } catch (e) { }
+                return;
+            }
+        }
+
         // Associate this websocket session with the web session
         obj.ws.userid = req.session.userid;
         obj.ws.domainid = domain.id;
@@ -643,7 +657,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                     if (obj.parent.users[newuserid]) break; // Account already exists
 
                     // Check if we exceed the maximum number of user accounts
-                    obj.db.isMaxType(domain.maxaccounts, 'user', function (maxExceed) {
+                    obj.db.isMaxType(domain.limits.maxuseraccounts, 'user', domain.id, function (maxExceed) {
                         if (maxExceed) {
                             // Account count exceed, do notification
 
diff --git a/package.json b/package.json
index 48b33ab3..1f1e4243 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "meshcentral",
-  "version": "0.2.7-u",
+  "version": "0.2.7-v",
   "keywords": [
     "Remote Management",
     "Intel AMT",
diff --git a/sample-config.json b/sample-config.json
index a76ba3b4..8f6ec74d 100644
--- a/sample-config.json
+++ b/sample-config.json
@@ -41,6 +41,11 @@
       "_UserBlockedIP": "127.0.0.1,::1,192.168.0.100",
       "_AgentAllowedIP": "192.168.0.100/24",
       "_AgentBlockedIP": "127.0.0.1,::1",
+      "_Limits": {
+        "MaxUserAccounts": 100,
+        "MaxUserSessions": 100,
+        "MaxAgentSessions": 100
+      },
       "_yubikey": { "id": "0000", "secret": "xxxxxxxxxxxxxxxxxxxxx", "_proxy": "http://myproxy.domain.com:80" },
     },
     "customer1": {
diff --git a/views/default.handlebars b/views/default.handlebars
index 6705a5a1..760db9b2 100644
--- a/views/default.handlebars
+++ b/views/default.handlebars
@@ -855,6 +855,7 @@
     <script type="text/javascript">
         'use strict';
         var args;
+        var autoReconnect = true;
         var powerStatetable = ['', 'Powered', 'Sleep', 'Sleep', 'Sleep', 'Hibernating', 'Power off', 'Present'];
         var StatusStrs = ['Disconnected', 'Connecting...', 'Setup...', 'Connected', 'Intel&reg; AMT Connected'];
         var sort = 0;
@@ -1076,7 +1077,7 @@
                 QV('verifyEmailId2', false);
                 QV('logoutControl', false);
                 if (errorCode == 'noauth') { QH('p0span', 'Unable to perform authentication'); return; }
-                if (prevState == 2) { setTimeout(serverPoll, 5000); } else { QH('p0span', 'Unable to connect web socket'); }
+                if (prevState == 2) { if (autoReconnect) { setTimeout(serverPoll, 5000); } } else { QH('p0span', 'Unable to connect web socket'); }
                 if (authCookieRenewTimer != null) { clearInterval(authCookieRenewTimer); authCookieRenewTimer = null; }
             } else if (state == 2) {
                 // Fetch list of meshes, nodes, files
@@ -1751,7 +1752,8 @@
                             break;
                         }
                         case 'stopped': { // Server is stopping.
-                            // TODO: Disconnect
+                            // Disconnect
+                            console.log(message.msg);
                             break;
                         }
                         default:
@@ -1760,6 +1762,12 @@
                     }
                     break;
                 }
+                case 'stopped': { // Server is stopping.
+                    // Disconnect
+                    autoReconnect = false;
+                    QH('p0span', message.msg);
+                    break;
+                }
                 default:
                     console.log('Unknown message.action', message.action);
                     break;
@@ -6379,7 +6387,7 @@
             x += addDeviceAttribute('Creation', new Date(user.creation * 1000).toLocaleString());
             if (user.login) x += addDeviceAttribute('Last Login', new Date(user.login * 1000).toLocaleString());
             var multiFactor = 0;
-            if ((user.otpsecret > 0) || (user.otphkeys > 0) || (user.otpkeys > 0)) {
+            if ((user.otpsecret > 0) || (user.otphkeys > 0)) {
                 multiFactor = 1;
                 var factors = [];
                 if (user.otpsecret > 0) { factors.push('Authentication App'); }
diff --git a/views/login-mobile.handlebars b/views/login-mobile.handlebars
index 47b7df68..a5074d14 100644
--- a/views/login-mobile.handlebars
+++ b/views/login-mobile.handlebars
@@ -150,7 +150,7 @@
                                         <tr>
                                             <td align=right width=100>Login token:</td>
                                             <td>
-                                                <input id=tokenInput type=text name=token maxlength=50 onkeyup=checkToken(event) onkeydown=checkToken(event) />
+                                                <input id=tokenInput type=text name=token maxlength=50 onchange=checkToken(event) onkeyup=checkToken(event) onkeydown=checkToken(event) />
                                                 <input id=hwtokenInput type=text name=hwtoken style="display:none" />
                                             </td>
                                         </tr>
@@ -163,6 +163,31 @@
                                     <hr /><a onclick=xgo(1) style=cursor:pointer>Back to login</a>
                                 </form>
                             </div>
+
+                            <div id=resettokenpanel style="background-color:#979797;border-radius:16px;width:260px;padding:16px;text-align:center;display:none;clear:both">
+                                <form action=resetaccount method=post autocomplete=off>
+                                    <div id=message5>
+                                        {{{message}}}
+                                    </div>
+                                    <table>
+                                        <tr>
+                                            <td align=right width=100>Login token:</td>
+                                            <td>
+                                                <input id=resetTokenInput type=text name=token maxlength=50 onchange=resetCheckToken(event) onkeyup=resetCheckToken(event) onkeydown=resetCheckToken(event) />
+                                                <input id=resetHwtokenInput type=text name=hwtoken style="display:none" />
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td colspan=2>
+                                                <div style=float:right><input id=resetTokenOkButton type=submit value="Login" disabled="disabled" /></div>
+                                            </td>
+                                        </tr>
+                                    </table>
+                                    <hr /><a onclick=xgo(1) style=cursor:pointer>Back to login</a>
+                                </form>
+                            </div>
+
+
                         </td>
                     </tr>
                 </table>
@@ -237,6 +262,19 @@
                     }, hardwareKeyChallenge.timeoutSeconds);
                 }
             }
+
+            if ('{{loginmode}}' == '5') {
+                try { if (hardwareKeyChallenge.length > 0) { hardwareKeyChallenge = JSON.parse(hardwareKeyChallenge); } else { hardwareKeyChallenge = null; } } catch (ex) { hardwareKeyChallenge = null }
+                if ((hardwareKeyChallenge != null) && u2fSupported()) {
+                    window.u2f.sign(hardwareKeyChallenge.appId, hardwareKeyChallenge.challenge, hardwareKeyChallenge.registeredKeys, function (authResponse) {
+                        if (authResponse.signatureData) {
+                            Q('resetHwtokenInput').value = JSON.stringify(authResponse);
+                            QE('resetTokenOkButton', true);
+                            Q('resetTokenOkButton').click();
+                        }
+                    }, hardwareKeyChallenge.timeoutSeconds);
+                }
+            }
         }
 
         function showPassHint() {
@@ -246,6 +284,9 @@
         function xgo(x) {
             QV('message1', false);
             QV('message2', false);
+            QV('message3', false);
+            QV('message4', false);
+            QV('message5', false);
             go(x);
         }
 
@@ -256,6 +297,7 @@
             QV('createpanel', x == 2);
             QV('resetpanel', x == 3);
             QV('tokenpanel', x == 4);
+            QV('resettokenpanel', x == 5);
             if (x == 1) { Q('username').focus(); }
             if (x == 2) { Q('ausername').focus(); }
             if (x == 3) { Q('remail').focus(); }
@@ -353,6 +395,13 @@
             QE('tokenOkButton', (Q('tokenInput').value.length == 6) || (Q('tokenInput').value.length == 8) || (Q('tokenInput').value.length == 44));
         }
 
+        function resetCheckToken() {
+            var t1 = Q('resetTokenInput').value;
+            var t2 = t1.split(' ').join('');
+            if (t1 != t2) { Q('resetTokenInput').value = t2; }
+            QE('resetTokenOkButton', (Q('resetTokenInput').value.length == 6) || (Q('resetTokenInput').value.length == 8) || (Q('resetTokenInput').value.length == 44));
+        }
+
         //
         // POPUP DIALOG
         //
diff --git a/views/login.handlebars b/views/login.handlebars
index 4d3acd44..c7ea1213 100644
--- a/views/login.handlebars
+++ b/views/login.handlebars
@@ -223,7 +223,7 @@
                                         <tr>
                                             <td align=right width=100>Login token:</td>
                                             <td>
-                                                <input id=tokenInput type=text name=token maxlength=50 onkeyup=checkToken(event) onkeydown=checkToken(event) />
+                                                <input id=tokenInput type=text name=token maxlength=50 onchange=checkToken(event) onkeyup=checkToken(event) onkeydown=checkToken(event) />
                                                 <input id=hwtokenInput type=text name=hwtoken style="display:none" />
                                             </td>
                                         </tr>
@@ -236,6 +236,28 @@
                                     <hr /><a onclick=xgo(1) style=cursor:pointer>Back to login</a>
                                 </form>
                             </div>
+                            <div id=resettokenpanel style="background-color: #979797;border-radius:16px;width:300px;padding:16px;text-align:center;display:none">
+                                <form action=resetaccount method=post>
+                                    <div id=message5>
+                                        {{{message}}}
+                                    </div>
+                                    <table>
+                                        <tr>
+                                            <td align=right width=100>Login token:</td>
+                                            <td>
+                                                <input id=resetTokenInput type=text name=token maxlength=50 onchange=resetCheckToken(event) onkeyup=resetCheckToken(event) onkeydown=resetCheckToken(event) />
+                                                <input id=resetHwtokenInput type=text name=hwtoken style="display:none" />
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td colspan=2>
+                                                <div style=float:right><input id=resetTokenOkButton type=submit value="Login" disabled="disabled" /></div>
+                                            </td>
+                                        </tr>
+                                    </table>
+                                    <hr /><a onclick=xgo(1) style=cursor:pointer>Back to login</a>
+                                </form>
+                            </div>
                         </td>
                     </tr>
                 </table>
@@ -320,6 +342,19 @@
                     }, hardwareKeyChallenge.timeoutSeconds);
                 }
             }
+
+            if ('{{loginmode}}' == '5') {
+                try { if (hardwareKeyChallenge.length > 0) { hardwareKeyChallenge = JSON.parse(hardwareKeyChallenge); } else { hardwareKeyChallenge = null; } } catch (ex) { hardwareKeyChallenge = null }
+                if ((hardwareKeyChallenge != null) && u2fSupported()) {
+                    window.u2f.sign(hardwareKeyChallenge.appId, hardwareKeyChallenge.challenge, hardwareKeyChallenge.registeredKeys, function (authResponse) {
+                        if (authResponse.signatureData) {
+                            Q('resetHwtokenInput').value = JSON.stringify(authResponse);
+                            QE('resetTokenOkButton', true);
+                            Q('resetTokenOkButton').click();
+                        }
+                    }, hardwareKeyChallenge.timeoutSeconds);
+                }
+            }
         }
 
         function showPassHint() {
@@ -329,6 +364,9 @@
         function xgo(x) {
             QV('message1', false);
             QV('message2', false);
+            QV('message3', false);
+            QV('message4', false);
+            QV('message5', false);
             go(x);
         }
 
@@ -339,6 +377,7 @@
             QV('createpanel', x == 2);
             QV('resetpanel', x == 3);
             QV('tokenpanel', x == 4);
+            QV('resettokenpanel', x == 5);
             if (x == 1) { Q('username').focus(); }
             if (x == 2) { Q('ausername').focus(); }
             if (x == 3) { Q('remail').focus(); }
@@ -448,6 +487,13 @@
             QE('tokenOkButton', (Q('tokenInput').value.length == 6) || (Q('tokenInput').value.length == 8) || (Q('tokenInput').value.length == 44));
         }
 
+        function resetCheckToken() {
+            var t1 = Q('resetTokenInput').value;
+            var t2 = t1.split(' ').join('');
+            if (t1 != t2) { Q('resetTokenInput').value = t2; }
+            QE('resetTokenOkButton', (Q('resetTokenInput').value.length == 6) || (Q('resetTokenInput').value.length == 8) || (Q('resetTokenInput').value.length == 44));
+        }
+
         //
         // POPUP DIALOG
         //
diff --git a/webserver.js b/webserver.js
index de3ac682..256f24a5 100644
--- a/webserver.js
+++ b/webserver.js
@@ -320,7 +320,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 
     // Return true if this user has 2-step auth active
     function checkUserOneTimePasswordRequired(domain, user) {
-        return (user.otpsecret) || (user.otphkeys && (user.otphkeys.length > 0));
+        return ((user.otpsecret != null) || ((user.otphkeys != null) && (user.otphkeys.length > 0)));
     }
 
     // Check the 2-step auth token
@@ -377,7 +377,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
     }
 
     // Return a U2F hardware key challenge
-    // TODO: Figure out how to support many U2F keys at the same time.
     function getHardwareKeyChallenge(req, domain, user, func) {
         if (req.session.u2fchallenge) { delete req.session.u2fchallenge; };
         if (user.otphkeys && (user.otphkeys.length > 0)) {
@@ -419,7 +418,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                 var user = obj.users[userid];
 
                 // Check if this user has 2-step login active
-                if (checkUserOneTimePasswordRequired(req.domain, user)) {
+                if (checkUserOneTimePasswordRequired(domain, user)) {
                     checkUserOneTimePassword(req, domain, user, req.body.token, req.body.hwtoken, function (result) {
                         if (result == false) {
                             // 2-step auth is required, but the token is not present or not valid.
@@ -427,7 +426,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                             req.session.loginmode = '4';
                             req.session.tokenusername = xusername;
                             req.session.tokenpassword = xpassword;
-                            req.session.tokenRetry = true;
                             res.redirect(domain.url);
                         } else {
                             // Login succesful
@@ -465,6 +463,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
         delete req.session.loginmode;
         delete req.session.tokenusername;
         delete req.session.tokenpassword;
+        delete req.session.tokenemail;
         delete req.session.success;
         delete req.session.error;
         delete req.session.passhint;
@@ -503,7 +502,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
         if ((domain.newaccounts === 0) || (domain.newaccounts === false)) { res.sendStatus(401); return; }
 
         // Check if we exceed the maximum number of user accounts
-        obj.db.isMaxType(domain.maxaccounts, 'user', function (maxExceed) {
+        obj.db.isMaxType(domain.limits.maxuseraccounts, 'user', domain.id, function (maxExceed) {
             if (maxExceed) {
                 req.session.loginmode = 2;
                 req.session.error = '<b style=color:#8C001A>Account limit reached.</b>';
@@ -569,28 +568,58 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
         const domain = checkUserIpAddress(req, res);
         if ((domain == null) || (domain.auth == 'sspi')) return;
 
+        var email = req.body.email;
+        if ((email == null) || (email == '')) { email = req.session.tokenemail; }
+
         if ((domain.newaccounts === 0) || (domain.newaccounts === false)) { res.sendStatus(401); return; }
-        if (!req.body.email || checkEmail(req.body.email) == false) {
+        if (!email || checkEmail(email) == false) {
             req.session.loginmode = 3;
             req.session.error = '<b style=color:#8C001A>Invalid email.</b>';
             res.redirect(domain.url);
         } else {
-            obj.db.GetUserWithVerifiedEmail(domain.id, req.body.email, function (err, docs) {
-                if (docs.length == 0) {
+            obj.db.GetUserWithVerifiedEmail(domain.id, email, function (err, docs) {
+                if ((err != null) || (docs.length == 0)) {
                     req.session.loginmode = 3;
                     req.session.error = '<b style=color:#8C001A>Account not found.</b>';
                     res.redirect(domain.url);
                 } else {
-                    var userFound = docs[0];
-                    if (obj.parent.mailserver != null) {
-                        obj.parent.mailserver.sendAccountResetMail(domain, userFound.name, userFound.email);
-                        req.session.loginmode = 1;
-                        req.session.error = '<b style=color:darkgreen>Hold on, reset mail sent.</b>';
-                        res.redirect(domain.url);
+                    var user = docs[0];
+                    if (checkUserOneTimePasswordRequired(domain, user) == true) {
+                        // Second factor setup, request it now.
+                        checkUserOneTimePassword(req, domain, user, req.body.token, req.body.hwtoken, function (result) {
+                            if (result == false) {
+                                // 2-step auth is required, but the token is not present or not valid.
+                                if ((req.body.token != null) || (req.body.hwtoken != null)) { req.session.error = '<b style=color:#8C001A>Invalid token, try again.</b>'; }
+                                req.session.loginmode = '5';
+                                req.session.tokenemail = email;
+                                res.redirect(domain.url);
+                            } else {
+                                // Send email to perform recovery.
+                                delete req.session.tokenemail;
+                                if (obj.parent.mailserver != null) {
+                                    obj.parent.mailserver.sendAccountResetMail(domain, user.name, user.email);
+                                    req.session.loginmode = 1;
+                                    req.session.error = '<b style=color:darkgreen>Hold on, reset mail sent.</b>';
+                                    res.redirect(domain.url);
+                                } else {
+                                    req.session.loginmode = 3;
+                                    req.session.error = '<b style=color:#8C001A>Unable to sent email.</b>';
+                                    res.redirect(domain.url);
+                                }
+                            }
+                        });
                     } else {
-                        req.session.loginmode = 3;
-                        req.session.error = '<b style=color:#8C001A>Unable to sent email.</b>';
-                        res.redirect(domain.url);
+                        // No second factor, send email to perform recovery.
+                        if (obj.parent.mailserver != null) {
+                            obj.parent.mailserver.sendAccountResetMail(domain, user.name, user.email);
+                            req.session.loginmode = 1;
+                            req.session.error = '<b style=color:darkgreen>Hold on, reset mail sent.</b>';
+                            res.redirect(domain.url);
+                        } else {
+                            req.session.loginmode = 3;
+                            req.session.error = '<b style=color:#8C001A>Unable to sent email.</b>';
+                            res.redirect(domain.url);
+                        }
                     }
                 }
             });
@@ -632,7 +661,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                                                 obj.db.SetUser(user);
 
                                                 // Event the change
-                                                obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, { etype: 'user', username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: 'Verified email of user ' + EscapeHtml(user.name) + ' (' + EscapeHtml(userinfo.email) + ')', domain: domain.id });
+                                                obj.parent.DispatchEvent(['*', 'server-users', user._id], obj, { etype: 'user', username: user.name, account: obj.CloneSafeUser(user), action: 'accountchange', msg: 'Verified email of user ' + EscapeHtml(user.name) + ' (' + EscapeHtml(user.email) + ')', domain: domain.id });
 
                                                 // Send the confirmation page
                                                 res.render(obj.path.join(obj.parent.webViewsPath, 'message'), { title: domain.title, title2: domain.title2, title3: 'Account Verification', message: 'Verified email <b>' + EscapeHtml(user.email) + '</b> for user account <b>' + EscapeHtml(user.name) + '</b>. <a href="' + domain.url + '">Go to login page</a>.' });
@@ -660,7 +689,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                                                 userinfo.hash = hash;
                                                 userinfo.passchange = Math.floor(Date.now() / 1000);
                                                 userinfo.passhint = null;
-                                                delete userinfo.otpsecret; // Currently a email password reset will turn off 2-step login.
+                                                //delete userinfo.otpsecret; // Currently a email password reset will turn off 2-step login.
                                                 obj.db.SetUser(userinfo);
 
                                                 // Event the change
@@ -920,6 +949,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
         } else {
             // Send back the login application
             // If this is a 2 factor auth request, look for a hardware key challenge.
+            // Normal login 2 factor request
             if ((req.session.loginmode == '4') && (req.session.tokenusername)) {
                 var user = obj.users['user/' + domain.id + '/' + req.session.tokenusername];
                 if (user != null) {
@@ -927,6 +957,24 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                     return;
                 }
             }
+            // Password recovery 2 factor request
+            if ((req.session.loginmode == '5') && (req.session.tokenemail)) {
+                obj.db.GetUserWithVerifiedEmail(domain.id, req.session.tokenemail, function (err, docs) {
+                    if ((err != null) || (docs.length == 0)) {
+                        req.session = null;
+                        res.redirect(domain.url);
+                    } else {
+                        var user = obj.users[docs[0]._id];
+                        if (user != null) {
+                            getHardwareKeyChallenge(req, domain, user, function (u2fChallenge) { handleRootRequestLogin(req, res, domain, u2fChallenge, passRequirements); });
+                        } else {
+                            req.session = null;
+                            res.redirect(domain.url);
+                        }
+                    }
+                });
+                return;
+            }
             handleRootRequestLogin(req, res, domain, '', passRequirements);
         }
     }