diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
index ce86f96..3643dcc 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml
@@ -45,7 +45,7 @@ spec:
podDisruptionBudget:
maxUnavailable: "50%"
git:
- tag: "r-3661d1b94c95cb7ba123e574390d8dbaaed8e7a2"
+ tag: "r-c58cc47a5227560a26f98d3aa610b057d4a540ac"
dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
credentials: "git-credentials"
keystores:
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
index d86fe01..34e7315 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy
@@ -185,42 +185,46 @@ try {
}
// no login for users with a recovery role
- for (String role : getUserAGOVRecoveryRoles()) {
- if (role == 'mustRecover') {
- session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
- session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown' )
+ def recoveryRoleList = getUserAGOVRecoveryRoles()
+
+ if (recoveryRoleList.contains('mustRecover')) {
+ session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
+ session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown' )
- def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None'
+ def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None'
+ def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification
+ session.setAttribute('agov.recovery.currentIdVerification', '' + idVerification )
- def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification
- session.setAttribute('agov.recovery.currentIdVerification', '' + idVerification )
+ // align currentAgovAq with the method selected for idVerification
+ def currentAgovAqForRecovery = getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber)
+ session.setAttribute('agov.recovery.currentAgovAq', '' + currentAgovAqForRecovery)
- // align currentAgovAq with the method selected for idVerification
- def currentAgovAqForRecovery = getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber)
- session.setAttribute('agov.recovery.currentAgovAq', '' + currentAgovAqForRecovery)
+ def validFrom = getUserMustRecoverValidFrom() ?: ''
+ session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + validFrom )
- def validFrom = getUserMustRecoverValidFrom() ?: ''
- session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + validFrom )
+ LOG.debug("CheckLoa: mustRecover: origIdVerification=${origIdVerification}, idVerification=${idVerification}, currentAgovAqForRecovery=${currentAgovAqForRecovery}")
- LOG.debug("CheckLoa: mustRecover: origIdVerification=${origIdVerification}, idVerification=${idVerification}, currentAgovAqForRecovery=${currentAgovAqForRecovery}")
+ response.setResult('exit.2')
+ return
- response.setResult('exit.2')
- return
+ } else if (recoveryRoleList.contains('recovery')) {
+ if (recoveryRoleList.contains('recoveryCascade')) {
+ session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recoveryCascade')
+ } else {
+ session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recoveryCascade')
+ }
+ session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown')
+ session.setAttribute('agov.recovery.currentAgovAq', session.getAttribute('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
+ LOG.debug('CheckLoa: idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()))
+ def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())
+ session.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first()))
+ def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString())) ?: ''
+ session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', validFrom)
- } else if (role == 'recovery') {
- session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
- session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown')
- session.setAttribute('agov.recovery.currentAgovAq', session.getAttribute('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
- LOG.debug('CheckLoa: idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()))
- def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())
- session.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first()))
- def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString())) ?: ''
- session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', validFrom)
+ response.setResult('exit.2')
+ return
+ }
- response.setResult('exit.2')
- return
- }
- }
if (highestRoleLevelNumber>=requestedRoleLevelNumber) {
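Review bot: Both arms of the new `if (recoveryRoleList.contains('recoveryCascade'))` inside the `recovery` branch set `agov.recovery.authnContextClassRef` to the same `...:classes:recoveryCascade` URN, so a user holding only `recovery` no longer gets the `...:classes:recovery` value that the removed loop set. If that is unintended, the else arm should read `session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')`; if it is intended, the if/else is dead weight and should be collapsed. Any downstream consumer that uses this attribute to tell the two recovery flows apart would now treat every recovery user as cascade. Separately, `recoveryRoleList.contains(...)` throws if `getUserAGOVRecoveryRoles()` returns null, whereas the old Groovy `for` loop iterated nothing in that case. `def recoveryRoleList = getUserAGOVRecoveryRoles() ?: []` keeps the old behaviour (the helper is not visible here, and the enclosing `try` starts outside the hunk).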
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
index 38d6ba7..f05f123 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/esauth4.xml
@@ -1673,7 +1673,7 @@
-
+
@@ -1805,7 +1805,7 @@
-
+
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/questionnaireLfProcessing.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/questionnaireLfProcessing.groovy
index 9feef83..e2ca4a4 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/questionnaireLfProcessing.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/questionnaireLfProcessing.groovy
@@ -4,7 +4,7 @@ if (inargs['cancel'] && inargs['cancel'] == 'cancel') {
def s = request.getAuthSession(true)
s.removeAttribute('agov.recovery.moreThanOneLf')
- response.setResult('cancel')
+ response.setResult('doCancel')
return
}
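Review bot: The renamed result `doCancel` is a bare string that only works if the AuthState running this script has a matching `ResultCond` in esauth4.xml, and the two esauth4.xml hunks on this page show no content, so that pairing cannot be confirmed from here. A comment above the call would make the coupling explicit, e.g. `// 'doCancel' must match the ResultCond name of this state in esauth4.xml`. The same applies to the identical change in questionnaireReasonProcessing.groovy.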
diff --git a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/questionnaireReasonProcessing.groovy b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/questionnaireReasonProcessing.groovy
index 07f9f3c..d4eb174 100644
--- a/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/questionnaireReasonProcessing.groovy
+++ b/DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/questionnaireReasonProcessing.groovy
@@ -9,7 +9,7 @@ if (inargs['cancel'] && inargs['cancel'] == 'cancel') {
s.removeAttribute('agov.recovery.moreThanOneLf')
s.removeAttribute('agov.recovery.reason')
- response.setResult('cancel')
+ response.setResult('doCancel')
return
}