multi signature – Understanding GreenAddress nLocktime/recovery transactions

The GreenAddress website explains the recovery lockout in their FAQ. As zero locktime is equivalent to the situation after the nLocktime expires, the following FAQ paragraph is relevant:

Why am I being asked to redeposit my funds?

Once the nLockTime period expires these nLockTime transactions would allow you to recover the funds in the 2of2 account without requiring GreenAddress’s signature. This also means that any limits placed on your spending in GreenAddress, such as 2FA requirements, cease to be enforceable by GreenAddress.

The nLocktime is hence necessary to maintain the requirement for the second factor in GreenAddress 2FA for the period of the nLocktime.

If you don’t move funds in a GreenAddress wallet during the nLocktime period, the same situation arises and you are asked to redeposit funds to invalidate the existing pre-signed recovery transaction.

If you were to get hacked, the black hat would get the first factor from your wallet device and the second factor (recovery transaction) from your email account. Considering the recovery transaction is time locked for 90 days, the hacker would only succeed if the funds hadn’t been spent/moved during those 90 days.
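As an added illustration (not part of the original answer and not GreenAddress code), the sketch below reads nLockTime and the input sequence numbers out of a raw transaction and applies Bitcoin's finality rule, which is why a zero locktime behaves exactly like an expired one. It assumes legacy (non-segwit) serialization; the function names, the constructed sample transaction and the block heights are all hypothetical.

```python
LOCKTIME_THRESHOLD = 500_000_000  # below: block height; at or above: Unix time
SEQUENCE_FINAL = 0xFFFFFFFF       # every input at this value disables nLockTime

def _compact_size(buf, pos):
    """Decode a CompactSize integer; return (value, next position)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def parse_locktime_fields(raw):
    """Return (nLockTime, [nSequence per input]) from a legacy-serialized tx."""
    if raw[4:6] == b"\x00\x01":
        raise ValueError("segwit serialization is not handled in this sketch")
    pos = 4                                   # skip 4-byte version
    n_in, pos = _compact_size(raw, pos)
    sequences = []
    for _ in range(n_in):
        pos += 36                             # previous txid (32) + output index (4)
        script_len, pos = _compact_size(raw, pos)
        pos += script_len                     # scriptSig
        sequences.append(int.from_bytes(raw[pos:pos + 4], "little"))
        pos += 4
    n_out, pos = _compact_size(raw, pos)
    for _ in range(n_out):
        pos += 8                              # amount in satoshis
        script_len, pos = _compact_size(raw, pos)
        pos += script_len                     # scriptPubKey
    if pos + 4 != len(raw):
        raise ValueError("unexpected transaction length")
    return int.from_bytes(raw[pos:], "little"), sequences

def is_final(locktime, sequences, next_height, median_time_past):
    """True if the transaction may be included in the next block."""
    if locktime == 0:
        return True
    limit = next_height if locktime < LOCKTIME_THRESHOLD else median_time_past
    return locktime < limit or all(s == SEQUENCE_FINAL for s in sequences)

def sample_tx(locktime, sequence):
    """Constructed 1-in/1-out transaction with empty scripts (not a real tx)."""
    le = lambda n, size: n.to_bytes(size, "little")
    return (le(1, 4) + b"\x01" + bytes(32) + le(0, 4) + b"\x00" + le(sequence, 4)
            + b"\x01" + le(50_000, 8) + b"\x00" + le(locktime, 4))

if __name__ == "__main__":
    lock, seqs = parse_locktime_fields(sample_tx(812_960, 0xFFFFFFFE))
    for height in (800_000, 812_960, 812_961):
        print(height, is_final(lock, seqs, height, 0))
```

Running the same check against your own recovery transaction shows the block height (or time) from which the 2of2 funds can move with your signature alone.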