diff --git a/service/pixelated/account_recovery_authenticator.py b/service/pixelated/account_recovery_authenticator.py
index d0da8749e..f68e6bfdb 100644
--- a/service/pixelated/account_recovery_authenticator.py
+++ b/service/pixelated/account_recovery_authenticator.py
@@ -14,29 +14,14 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
 
-from leap.bitmask.bonafide.provider import Api
-from leap.bitmask.bonafide.session import Session
-
 from twisted.cred.error import UnauthorizedLogin
-from twisted.internet.defer import inlineCallbacks, returnValue
 
-from authentication import Authenticator, Authentication
+from authentication import Authenticator
 
 
 class AccountRecoveryAuthenticator(Authenticator):
     def __init__(self, leap_provider):
-        super(AccountRecoveryAuthenticator, self).__init__(leap_provider)
+        super(AccountRecoveryAuthenticator, self).__init__(leap_provider, recovery=True)
 
     def _auth_error(self):
         raise UnauthorizedLogin("User typed wrong recovery-code/username combination.")
-
-    @inlineCallbacks
-    def _bonafide_auth(self, credentials):
-        srp_provider = Api(self._leap_provider.api_uri)
-        self.bonafide_session = Session(credentials, srp_provider, self._leap_provider.local_ca_crt)
-        yield self.bonafide_session.authenticate_with_recovery_code()
-        returnValue(Authentication(credentials.username,
-                                   self.bonafide_session.token,
-                                   self.bonafide_session.uuid,
-                                   'session_id',
-                                   {'is_admin': False}))
diff --git a/service/pixelated/authentication.py b/service/pixelated/authentication.py
index 693d17697..943723d44 100644
--- a/service/pixelated/authentication.py
+++ b/service/pixelated/authentication.py
@@ -28,10 +28,11 @@
 
 
 class Authenticator(object):
-    def __init__(self, leap_provider):
+    def __init__(self, leap_provider, recovery=False):
         self._leap_provider = leap_provider
         self.domain = leap_provider.server_name
         self.bonafide_session = None
+        self.recovery = recovery
 
     @inlineCallbacks
     def authenticate(self, username, password):
@@ -52,7 +53,7 @@ def _srp_auth(self, credentials):
     def _bonafide_auth(self, credentials):
         srp_provider = Api(self._leap_provider.api_uri)
         self.bonafide_session = Session(credentials, srp_provider, self._leap_provider.local_ca_crt)
-        yield self.bonafide_session.authenticate()
+        yield self.bonafide_session.authenticate(recovery=self.recovery)
         returnValue(Authentication(credentials.username,
                                    self.bonafide_session.token,
                                    self.bonafide_session.uuid,
diff --git a/service/test/unit/test_account_recovery_authenticator.py b/service/test/unit/test_account_recovery_authenticator.py
index 197b9a081..433c1afe0 100644
--- a/service/test/unit/test_account_recovery_authenticator.py
+++ b/service/test/unit/test_account_recovery_authenticator.py
@@ -52,3 +52,11 @@ def test_bonafide_srp_exceptions_should_raise_unauthorized_login(self):
                 except UnauthorizedLogin as e:
                     self.assertEqual("User typed wrong recovery-code/username combination.", e.message)
                     raise
+
+    def test_bonafide_auth_called_with_recovery_as_true(self):
+        auth = AccountRecoveryAuthenticator(self._leap_provider)
+        mock_bonafide_session = MagicMock()
+
+        with patch('pixelated.authentication.Session', return_value=mock_bonafide_session):
+            auth.authenticate('username', 'password')
+            mock_bonafide_session.authenticate.assert_called_with(recovery=True)
diff --git a/service/test/unit/test_authentication.py b/service/test/unit/test_authenticator.py
similarity index 89%
rename from service/test/unit/test_authentication.py
rename to service/test/unit/test_authenticator.py
index bbae5c026..e5ffd1990 100644
--- a/service/test/unit/test_authentication.py
+++ b/service/test/unit/test_authenticator.py
@@ -68,17 +68,24 @@ def test_domain_name_is_stripped_before_making_bonafide_srp_auth(self):
     def test_successful_bonafide_auth_should_return_the_user_authentication_object(self):
         auth = Authenticator(self._leap_provider)
         mock_bonafide_session = Mock()
-        mock_srp_auth = Mock()
-        mock_srp_auth.token = 'some_token'
-        mock_srp_auth.uuid = 'some_uuid'
-        mock_bonafide_session.authenticate = Mock(return_value=mock_srp_auth)
-        with patch('pixelated.authentication.Session', return_value=mock_srp_auth):
+        mock_bonafide_session.token = 'some_token'
+        mock_bonafide_session.uuid = 'some_uuid'
+
+        with patch('pixelated.authentication.Session', return_value=mock_bonafide_session):
             resulting_auth = yield auth.authenticate('username@domain.org', 'password')
             self.assertIsInstance(resulting_auth, Authentication)
             self.assertEquals('username', resulting_auth.username)
             self.assertEquals('some_token', resulting_auth.token)
             self.assertEquals('some_uuid', resulting_auth.uuid)
-            self.assertEquals(mock_srp_auth, auth.bonafide_session)
+            self.assertEquals(mock_bonafide_session, auth.bonafide_session)
+
+    def test_bonafide_auth_called_with_recovery_as_false(self):
+        auth = Authenticator(self._leap_provider)
+        mock_bonafide_session = Mock()
+
+        with patch('pixelated.authentication.Session', return_value=mock_bonafide_session):
+            auth.authenticate('username', 'password')
+            mock_bonafide_session.authenticate.assert_called_with(recovery=False)
 
     def test_username_without_domain_is_not_changed(self):
         username_without_domain = 'username'