Account recovery: when you can no longer access your Compassly email

Please read this page carefully. We've written it to answer every common question about email changes and account recovery, and any new queries will be added to this page over time. If you contact us with a question that is already answered here, we may simply reply with a link to this page so that support stays quick for everyone. If you've read it and your situation still isn't covered, do get in touch and we'll gladly help.

Your Compassly account is registered to an email address, which is also your username. If you can no longer access that mailbox, perhaps because you've changed jobs, your organisation has moved email systems, or the address was mistyped when the account was set up, you won't be able to log in or reset your password.

This page explains how to get back into your account. It also explains why we follow a careful verification process rather than simply changing the address when someone asks us to.

The short version:

  1. If you can still log in (or still have access to your old mailbox), update your email address yourself in Compassly today. It only takes a couple of minutes.
  2. If you're locked out, fill in our account recovery request form and we'll recover your account. We need to verify your identity first, for example using the phone number registered on your account or through your organisation, so please allow time for this.
  3. Please don't try to register a new account. The system will recognise your phone number and stop you, because everyone should only have one account (there's more on this below).

Your records are safe

Losing access to an email address never deletes anything. Your competency passport, with every sign-off and assessment in it, is held securely against your account. When you move organisations, your records can move with you. We just need to reconnect you to your account safely.

If you can still log in: update your email now

This is the quickest option by far. If you know you're about to lose access to your email, whether because you're leaving a job or because your organisation is changing everyone's email addresses, please update your address before the old mailbox is switched off:

  1. Log in to Compassly and go to your main profile page (outside any organisation), then Settings, Account, and "Email & phone number".
  2. Add your new email address and click the verification link we send to it.
  3. Once the new address is verified, open its details and select "Make primary". Your primary email is the one you log in with, and where password resets are sent.

Your account can hold more than one email address, which helps if an organisation needs you to join using a particular kind of email address (for example, one ending @nhs.net). The full walkthrough, including how to change the details you use within a specific organisation, is in our guide to changing your contact details.

One thing that can catch people out afterwards: if your device has a saved login that only asks for your password, it will still be holding your old (now incorrect) email. Select "Change user" on the login screen, then "Remove" when prompted, and sign in again by typing your new email address in full.

If you're moving jobs, please try to do this before you lose access to your old email account. It will save you a lot of time later, and your passport will simply carry on working.

If you're locked out: how account recovery works

Step 1: Fill in the recovery request form

Complete our account recovery request form. It asks for the key details we need to find your account and verify that it's yours: things like your name, the organisations you've used Compassly with, the phone number you registered, and the new email address you'd like to use. Required fields are marked on the form, and the more detail you can give, the quicker the process tends to be.

Step 2: We verify it's really you

We'll confirm your identity through one of these routes, in order of preference:

  1. Confirmation from your previous organisation. A manager, Super Manager or education lead at the organisation linked to your old email confirms that you have left and where you have moved to, which we check against the new details you've given us.
  2. Another verified email address on your account. If you added a second email address while you could still log in, and clicked the verification link at the time, we can recover your account through it. We'll send a fresh confirmation link to that address to check it is still yours, rather than relying on an email sent from it, because sender addresses can be forged.
  3. Your registered phone number. If the phone number on your account is still current, we can use it to confirm the account is yours. We will contact you with further details on the process. This is often the quickest route.
  4. Vouching from your current organisation. A Compassly Manager or Super Manager at the organisation you now work in confirms your identity by emailing us from their registered and verified email address.
  5. Documentary check (fallback). If none of the above are possible, for example because you registered with a personal email and have since changed your phone number, we'll ask for photo ID and your professional registration number (NMC, GMC, HCPC etc.), which we cross-check against the account's details.

We will not verify identity by quiz-style questions about your date of birth, ward or job title. That information is too easy for someone else to find out, and security standards now advise against it.

Step 3: We make the change

Once verified:

  • We update the account to your new address and send a verification link to the new email, which you must click before the new address starts working.
  • Where the old mailbox still exists, we notify it of the change and allow time for a response, so that the account's original owner always has the chance to challenge a change they didn't ask for.
  • Recovery can therefore take 5 to 10 working days. We know that can feel slow, but giving the original email account a proper chance to reply is an important part of keeping this safe.

Step 4: Logging back in

  • Remove any saved logins on your devices first, as they'll still hold the old email ("Change user" on the login screen, then "Remove" when prompted). Type your new address in full.
  • If we reset your MFA as part of recovery, delete the old Compassly entry from your authenticator app before re-enrolling. The old entry will look valid but no longer works.

Common situations

I've moved to a new organisation and my old work email is gone

Follow the recovery steps above. Route 1 (your old organisation confirming) is usually fastest. Your passport moves with you.

My organisation changed email addresses (e.g. @yourtrust.nhs.uk to @nhs.net)

If the old mailbox still works, use self-service now. If not, use the recovery request form. Your organisation's Compassly lead can often confirm the whole cohort in one go.

My email was mistyped when the account was created and I never received anything

Use the recovery request form. If the address was never verified and never used, this is usually the simplest fix. We'll confirm your registration details and verify the corrected address.

I used a personal email I can no longer access

Follow the recovery steps. Expect route 2, 3, 4 or 5 (another verified email on your account, registered phone number, current-organisation vouching, or ID check), since there's no old organisation to ask.

I can't remember which email I used

Fill in the recovery request form with as much as you can remember; the phone number you registered with is usually enough for us to locate the account. For privacy we won't read the address back to you in full, but we can recover the account as above.

My old email address was deleted and reissued (e.g. an nhs.net address after a career break, coming back as name.surname1@nhs.net)

This is a lost-email case, so follow the recovery steps. Mention what happened; it helps us match the account.

I changed my name (e.g. after marriage) and have a new email

If your old mailbox still works, use self-service. If not, follow the recovery steps and tell us both names.

I asked for a password reset and got an email about a "secondary" address

Nothing has gone wrong. See "Password resets and secondary email addresses" below.

I have a new phone and MFA no longer works

Contact us through the contact page and ask for an MFA reset. After we reset it, delete the old Compassly entry in your authenticator app and re-enrol.

Password reset emails aren't arriving

Check junk/spam and that you're entering the exact address on the account. If still nothing, contact us and we can check our logs to see whether resets are being issued and where they're going. Repeated failed logins trigger a temporary lockout (an NHS security requirement), so a short wait is sometimes all that's needed.

Password resets and secondary email addresses

If you asked to reset your password and received an email telling you that you used a secondary address rather than a reset link, that email is correct and nothing has gone wrong. It is one of the most common things people contact us about, and the answer is always the same.

Your account can hold several email addresses, but only your primary email works for logging in and resetting your password. Secondary addresses are used for joining organisations; they can't be used to log in. When you request a reset using a secondary address, Compassly recognises the address and sends you that email to point you in the right direction, rather than leaving you waiting for a reset link that will never come.

What to do:

  1. Request the reset again using your primary email address. For most people this is the address they originally registered with.
  2. If you're not sure which of your addresses is the primary one, try each in turn, or check under Settings, Account, "Email & phone number" if you can still log in on another device.
  3. If your primary email is an address you can no longer access, follow the account recovery steps above.

A related point: although a secondary address can't reset your password, a verified secondary address is one of the ways we can recover your account if you lose the primary one (route 2 in the verification list above). If you haven't added a second email address to your account, it's worth doing while you can still log in.

Why can't I just create a new account?

If you try, Compassly will tell you that your phone number is already registered. We limit everyone to one account so that your competency record stays together as a single history, and so that nobody else can set up a duplicate account in your name. So rather than starting again, the answer is to recover your existing account.

If you genuinely want a clean start, we can permanently delete your old account on request. Your records go with it, though, and they cannot be restored, so please talk to us before choosing this.

For managers, Super Managers and Trust admins

You're very welcome to raise these requests on behalf of your staff. Many organisations do, and it often speeds things up because you can serve as the verification route yourself. For email recovery, please use the account recovery request form; you can complete it on a staff member's behalf and put your own details in the vouching fields. For anything else, use your usual support contact route or the contact page on our website.

Two related notes:

  • Super Manager handover: if your organisation's Super Manager has left, we can appoint a replacement with either the outgoing Super Manager's emailed confirmation, or authorisation from a suitably senior leader (e.g. Deputy Chief Nurse, Head of Nursing Education). Removing leavers from your organisation's lists remains your organisation's responsibility, for governance reasons.
  • Avoiding the problem in the first place: when onboarding cohorts, ask staff to verify their email addresses at registration (typos are the root cause of many later lockouts), and remind leavers and anyone affected by an email address change to update their email in Compassly before the old mailbox closes.

Why we handle this so carefully

You don't need to read this section to recover your account, but if you're wondering why we insist on verification, here is the background.

Anyone with access to the email address on an account can reset the password, log in, and read or change everything in it. Your account contains your professional competency records, so when someone asks us to move an account to a new email address, they are effectively asking us to hand the whole account over.

An email or phone call asking us to do that proves very little by itself. Anyone can write to us claiming to be you. Sender addresses can be spoofed, mailboxes get compromised, and a convincing story is easy to construct from public information. Persuading a support desk to reset credentials is one of the most common ways attackers break into accounts, and it is how several major UK organisations were breached in recent years. The UK's National Cyber Security Centre now advises every organisation to review how its helpdesk verifies people before performing resets.

We are also held to external standards. Internationally recognised digital identity guidance (NIST SP 800-63B) requires that account recovery be as strong as normal login, because otherwise it becomes the back door that bypasses everything else. And under UK GDPR we have a legal duty to be satisfied of a requester's identity before changing personal data or granting access to it. Handing an account to the wrong person would itself be a data breach.

So we will never change the email address on an account based on an email or phone call alone, no matter how urgent the request or how senior the person asking. The same process protects your account when someone else pretends to be you.

The standards behind this process

This process follows industry best practice and regulation, including:

  • NIST SP 800-63B (Digital Identity Guidelines): account recovery must be as strong as normal authentication; identity must be re-established before rebinding an account; recovery events must trigger notifications; knowledge-based "security questions" are deprecated.
  • UK NCSC guidance: following the 2025 attacks on major UK retailers via helpdesk social engineering, the NCSC advises all organisations to review how support desks authenticate people before performing resets.
  • UK GDPR / ICO guidance: a controller must be satisfied of a requester's identity, proportionate to the harm a wrongful change could cause, before altering personal data or granting access (UK GDPR Art. 12(6), Art. 5(1)(f), Art. 32).
  • OWASP guidance on email-change flows: verify control of the new address, notify the old address, and never overwrite an address before it's verified.
  • Industry precedent: GitHub and Apple, among others, publicly refuse to shortcut account recovery for these reasons. Apple's process includes a mandatory waiting period that support cannot override.

If you have questions about any of this, get in touch through the contact page on our website.