diff --git a/patterns/3a982aa242ff4f8ebd823693_script/countries_security_filter.lua b/patterns/3a982aa242ff4f8ebd823693_script/countries_security_filter.lua
index e685e93..8677552 100644
--- a/patterns/3a982aa242ff4f8ebd823693_script/countries_security_filter.lua
+++ b/patterns/3a982aa242ff4f8ebd823693_script/countries_security_filter.lua
@@ -1,11 +1,11 @@
package.path = package.path .. ";/opt/nevisproxy/webapp/WEB-INF/lib/lua/Utils.lua"
local Utils = require "Utils"
-function inputHeader(request, response)
- local trace = request:getTracer()
+function inputHeader(req, resp)
+ local trace = req:getTracer()
- local queryParams = Utils.getQueryParameters(request)
- local path = request:getRequestPath()
+ local queryParams = Utils.getQueryParameters(req)
+ local path = req:getRequestPath()
-- only allow calls to the countries service
if path == nil then
@@ -13,8 +13,8 @@ function inputHeader(request, response)
end
if path ~= nil and path ~= '/resource/utility/api/v1/countries' then
- trace:info("utility service called with invalid path " .. request:getRequestPath())
- response:send(404)
+ trace:info("utility service called with invalid path " .. path)
+ resp:send(404)
return
end
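Review bot: The 404 log line in the invalid-path branch now concatenates `path` straight from the request; if the tracer does not escape control characters, a crafted path containing CR/LF lets a client forge log records (log injection), and the rename in this hunk is a good moment to fix that. Neutralise control characters before logging, e.g. `trace:info("utility service called with invalid path " .. (path:gsub('%c', '?')))` — the extra parentheses drop gsub's second return value. The `path ~= nil and` guard looks redundant if the nil branch just above returns, but that branch is cut off above this hunk, so confirm before removing it. The enclosing `inputHeader` function starts before and continues past this hunk.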
@@ -22,19 +22,19 @@ function inputHeader(request, response)
for param, values in pairs(queryParams) do
if (param ~= 'lang') then
trace:info("utility service called with invalid query param " .. param)
- response:send(404)
+ resp:send(404)
return
end
if Helpers.tableLength(values) ~= 1 then
trace:info("utility service called with invalid value for query param " .. param)
- response:send(404)
+ resp:send(404)
return
end
for i, value in pairs(values) do
local lang = string.upper(value)
if not ('DE' == lang or 'FR' == lang or 'IT' == lang or 'EN' == lang or 'RS' == lang) then
trace:info("utility service called with invalid value for query param " .. param .. "=" .. value)
- response:send(404)
+ resp:send(404)
return
end
end
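Review bot: `Helpers.tableLength(values)` on the value-count check refers to a `Helpers` table that nothing in this file brings into scope — only `Utils` is required at the top — so as far as the diff shows, every request that reaches this line (i.e. one carrying a `lang` parameter) would raise an index-on-nil error before the allow-list runs; the rename in this hunk leaves that untouched. Whether nevisProxy turns a Lua error into a failed request or lets the call through is not visible here and is worth confirming, since the latter would make this a filter bypass rather than an outage. If the helper lives next to `Utils`, add `local Helpers = require "Helpers"` after the existing require; otherwise take the count from `Utils` or count the entries in `values` inline. The `param` and `value` strings echoed into `trace:info` are attacker-controlled and should be length-capped and stripped of control characters before logging. The enclosing `inputHeader` function continues past this hunk.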
diff --git a/patterns/584964c837512845d7940809_authStatesFile/recovery-preprocessing.xml b/patterns/584964c837512845d7940809_authStatesFile/recovery-preprocessing.xml
index 4ec3281..9551171 100644
--- a/patterns/584964c837512845d7940809_authStatesFile/recovery-preprocessing.xml
+++ b/patterns/584964c837512845d7940809_authStatesFile/recovery-preprocessing.xml
@@ -117,7 +117,6 @@
-
@@ -200,15 +199,15 @@
-
-
-
+
+
+
-
-
+
+
-
+
@@ -227,9 +226,3 @@
-
-
-
-
-
-
\ No newline at end of file
diff --git a/patterns/584964c837512845d7940809_resources/recovery-processing.groovy b/patterns/584964c837512845d7940809_resources/recovery-processing.groovy
index e7d096d..064db9d 100644
--- a/patterns/584964c837512845d7940809_resources/recovery-processing.groovy
+++ b/patterns/584964c837512845d7940809_resources/recovery-processing.groovy
@@ -11,6 +11,9 @@ def maxLoiRoleToCtxClssConvertorMap = [
"level500": "urn:qa.agov.ch:names:tc:ac:classes:500"
]
+// https://docs.nevis.net/nevisidm/Developer-Guide/SOAP-Interface/Interface-specification/Value-types#enum-value-types
+def blockingCredentialStates = ['DISABLED', 'EXPIRED', 'LOCKED_TEMPORARY', 'LOCKED', 'ARCHIVED', 'RESET_CODE']
+
def getUserIdVerificationForRecovery(currentLoaRole) {
// application is AGOV-AccountStatus
def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
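Review bot: `blockingCredentialStates` is a deny-list, so any credential state not on it — one added to nevisIDM in a later release, or one missed from the linked enum page — is treated as a usable recovery code. Since the question the consumer asks is "can this code be used", an allow-list of the states that actually permit using the credential is the safer shape, e.g. `def usableCredentialStates = ['ACTIVE']` (extend only with states the linked spec defines as usable — confirm), with the check becoming `usableCredentialStates.contains(recoveryCode.state.text())`. Declaring the list `final` would also rule out accidental mutation elsewhere in the script. `getUserIdVerificationForRecovery` begins at the end of this hunk and its body lies outside it.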
@@ -87,8 +90,11 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
try {
def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
def userState = userDto.state
+ def recoveryCode = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.context.text() == 'RECOVERY'}
+
LOG.debug("Recovery: Dto is '${userDto}")
LOG.debug("Recovery: state is '${userState}")
+ LOG.debug("Recovery: RecoveryCode is '${recoveryCode ? recoveryCode : 'none'}'")
def session = request.getAuthSession(true)
if (userState == 'ACTIVE') {
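Review bot: The new debug line `LOG.debug("Recovery: RecoveryCode is '${recoveryCode ? recoveryCode : 'none'}'")` interpolates the whole `credentials` GPathResult, whose `toString()` is the concatenated text of every child element, so everything nevisIDM returns inside that node (state, context and any value or hash material it carries) lands in the log although the script only ever reads the state. Log just that field: `LOG.debug("Recovery: RecoveryCode state is '${recoveryCode ? recoveryCode.state.text() : 'none'}'")`. Note also that `find` returns the first matching credential only; if a DTO can hold several RECOVERY credentials (say an archived one listed before an active one), the downstream state check is made against the wrong entry — `findAll` with a preference for a usable state would be more robust. The enclosing `try` block and outer `if` start before and run past this hunk.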
@@ -138,10 +144,19 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
response.setSessionAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + agovAqValidFrom)
if ((maxLoi == 'level100') && (mustRecover == null)) {
+ // AQ100 accounts need to used the recovery code, if they can
+ // check the status of recoveryCode credential
+ if (recoveryCode && !blockingCredentialStates.contains(recoveryCode.state.text())) {
+ LOG.debug("Recovery: emailAndCode")
+ response.setResult('needCode')
+ return
+ } else {
+ LOG.warn("AGOVaq100 recovery: skipped Recovery-Code check '${recoveryCode ? recoveryCode.state.text() : 'MISSING'}'")
+ response.setResult('ok')
+ return
+ }
+
// mustRecover role not set, so code needs to be checked
- LOG.debug("Recovery: emailAndCode")
- response.setResult('needCode')
- return
} else {
LOG.debug("Recovery: email")
response.setResult('ok')
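Review bot: The `else` branch of the AQ100 check fails open: when the recovery credential is `LOCKED` or `LOCKED_TEMPORARY` — states that, if their names mean what they usually do in nevisIDM, result from repeated wrong guesses — the script only warns and sets `'ok'`, so recovery continues with the email step alone and an attacker who cannot guess the code can get the check removed by exhausting it (confirm the state semantics against the spec linked in the first hunk). Only the MISSING case, if that is deliberate policy for legacy accounts, should degrade to `'ok'`; a locked, disabled or expired code should stop recovery or route to a dedicated error result. The leftover comment `// mustRecover role not set, so code needs to be checked` now sits after two unconditional returns and should be removed or moved above the `if`. Sketch below; the result name used for the refusal is a placeholder to be aligned with the auth state's transitions.
```groovy
if ((maxLoi == 'level100') && (mustRecover == null)) {
    def codeState = recoveryCode ? recoveryCode.state.text() : 'MISSING'
    // AQ100 accounts must use the recovery code whenever one is usable
    if (recoveryCode && !blockingCredentialStates.contains(codeState)) {
        LOG.debug("Recovery: emailAndCode")
        response.setResult('needCode')
        return
    }
    if (codeState != 'MISSING') {
        // a locked/disabled/expired code must not degrade to email-only recovery
        LOG.warn("AGOVaq100 recovery: recovery code is '${codeState}', refusing to continue")
        response.setResult('error')   // TODO confirm the result name the auth state expects
        return
    }
    LOG.warn("AGOVaq100 recovery: no recovery code present, falling back to email only")
    response.setResult('ok')
    return
} else {
    // … unchanged: email-only branch …
```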