
What Happens If I Use Two-Factor Authentication and Lose My Phone?


Two-factor authentication is an essential security measure that uses your phone to help prevent unauthorized access to your account. It makes it harder to access your account if you lose your phone, but that’s also sort of the point. Thankfully, you aren’t without options if you can’t find the one device you use to verify that you are actually you.

Two-factor authentication, by its very nature, is designed to prevent access to your accounts if you don’t have access to your phone (or other authenticating device). Therefore, there aren’t many ways to circumvent this requirement after the fact. There are many ways to prevent this problem from happening, however. So don’t wait until you lose your phone to set them up.

(If you’re currently locked out, you can skip ahead to the last section.)

If you’re purposefully getting rid of your phone...


If you know you’re changing phones, make sure you switch to a different device for two-factor authentication (or none whatsoever, temporarily) before you get rid of your old phone. For easy access, here are a few links to where you can change your two-factor settings if you already have it enabled for some common services (or learn how to do so). Note, these links will probably only work if you’re logged in to your account.

The process differs from service to service, but the basic principle is the same. You’ll install an app on your new device, scan a barcode or enter a code from the web site in question, and confirm that you’re in possession of the device. In most cases, old authenticators will stop working, so make sure you’re sure before you swap.

If you use SMS, changing phones shouldn’t matter. Simply activate your new phone and the codes will come to your phone number. If you use an authenticator app (we recommend Authy, which we’ll talk about in a bit), you can likely swap your authenticator device via your account settings.

Always write down your one-time backup codes


We can’t stress this enough. Write down your backup codes. Should you ever find yourself locked out of your account for any reason, including the fact that you forgot to disable your authenticator before giving it away (or couldn’t, if your phone was stolen), backup codes are the best and easiest way to regain access to your account. You can then set up a new authenticator, likely generate new backup codes, and be as secure as ever before.

You’ve probably heard that you shouldn’t write down your password, but these one-use codes are an exception. You should definitely print them or write them down and keep them in a place where you can find them. Ideally, they would be separate from your phone, perhaps in a fireproof box or safe with other important paper documents. Don’t just save them in a Word document on your laptop, because if your laptop ever dies (or gets stolen), you’re out of luck.

Unlike your authenticator codes, these one-use codes don’t change. Most sites will also tell you when they’ve been used, or at least mark them off the list of usable codes. For example, Google offers ten backup codes. When you use one, the list of codes drops from ten to nine (they aren’t replenished immediately), and you get an email saying that the code has been used. This means that even if someone finds your backup codes and uses them to access your account, it would be difficult for them to do so undetected.
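To show what the site is doing behind that behavior, here is an added example (not Lifehacker’s, Google’s or any vendor’s code) of a minimal server-side store for one-time backup codes: ten codes, stored only as hashes, each usable once, with a notification when one is consumed and no automatic replenishment. The code format and the `notify` callback are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Added example, not a real service's implementation: one-use backup codes
# modelled on the behaviour the article describes (ten codes, used once,
# a notice when one is consumed, not replenished automatically).

CODE_COUNT = 10


def _digest(code: str) -> str:
    # Only a hash is stored, so a leaked database does not yield usable codes.
    return hashlib.sha256(code.encode()).hexdigest()


def generate_backup_codes(count: int = CODE_COUNT) -> tuple[list[str], list[str]]:
    """Return (plaintext codes to show the user once, hashes to store)."""
    # Eight-digit codes are an assumption for the example.
    plain = [f"{secrets.randbelow(10**8):08d}" for _ in range(count)]
    return plain, [_digest(c) for c in plain]


def redeem_backup_code(stored: list[str], attempt: str, notify) -> bool:
    """Consume one code. Returns True on success; a used code never works again."""
    attempt = attempt.replace(" ", "").replace("-", "")   # tolerate how users type it
    target = _digest(attempt)
    for i, h in enumerate(stored):
        if hmac.compare_digest(h, target):
            del stored[i]            # one-use: the list drops from ten to nine
            notify(len(stored))      # e.g. email "a backup code was used, 9 remain"
            return True
    return False
```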

Use a third-party authentication app, such as Authy


As we’ve discussed previously, Authy is a great app for managing your two-factor accounts on the iPhone, Android, and even your computer. Not only does this give you a “backup” device in case you lose your phone, since your tokens synchronize between your various devices, but it also makes it very easy to migrate your tokens from one device to another (say, if you’re getting a new phone). Just sync the new device and deauthorize the old one.
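Both of the points above, that re-enrolling on a new phone stops the old authenticator working and that a synced Authy device keeps working, come from how the shared secret behind the QR code is used. The following is an added example, not Authy’s or any site’s code, of RFC 6238 TOTP with a toy `Account` class (an assumption for the example) whose `enroll()` issues a fresh secret each time.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Added example: RFC 6238 TOTP (SHA-1, 30-second steps) plus a toy server-side
# Account. Not Authy's or Google's code; it only illustrates why a re-enrolled
# secret invalidates the old phone while a synced copy of the secret still works.


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


class Account:
    """Toy server side: one TOTP secret per account; enrolling replaces it."""
    def __init__(self):
        self.secret = None

    def enroll(self) -> str:
        # This is what the QR code carries; re-enrolling mints a new one.
        self.secret = base64.b32encode(secrets.token_bytes(20)).decode()
        return self.secret

    def verify(self, code: str, at: int) -> bool:
        # Accept the current step and one step either side for clock drift.
        return any(hmac.compare_digest(totp(self.secret, at + d), code)
                   for d in (-30, 0, 30))


def demo(now: int = 1_700_000_000) -> dict:
    acct = Account()
    old_phone = acct.enroll()          # first enrollment on the old phone
    synced_copy = old_phone            # Authy multi-device: same secret, other device
    result = {"synced_works": acct.verify(totp(synced_copy, now), now)}
    acct.enroll()                      # re-enroll on a new phone
    result["old_phone_still_works"] = acct.verify(totp(old_phone, now), now)
    result["new_phone_works"] = acct.verify(totp(acct.secret, now), now)
    return result
```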

In order to set up synced tokens on your devices, you’ll need to first set up Authy as your primary two-factor authentication app. If you’re currently using Google Authenticator or another app to get your codes, you’ll need to go through your accounts and set up Authy, likely using a QR code you’ll have to scan, as if you were switching to a brand-new device. Then, follow these steps to synchronize Authy to a second device:

  1. Open Settings in Authy on your primary device and tap Devices.

  2. Enable “Allow Multi-device.”

  3. On your second device, install Authy.

  4. When you first open the app, it will prompt you for a phone number. Enter the phone number of your primary device.

  5. In the popup that says “Get Account Verification Via”, tap “Use Existing Device.”

  6. On your primary device you will get a notification that asks you to verify the addition of a new device. Tap “Accept.”

  7. Type “OK” in the box prompting you to ensure you approve of this decision.

  8. Go back to Settings on your primary device and tap “Devices” again.

  9. Disable “Allow multi-device.” This prevents any additional devices from being added, while your existing connected devices stay active.

It’s also a good idea to enable a PIN code (or fingerprint/face lock) for all of the devices you’ve connected to Authy. (You’ll need to do this for every device individually in My Account > Security). That way, even if someone gets physical access to your device, it’s harder for them to see your codes.


For those concerned about the security of this method: all of your authentication tokens are encrypted locally (using a complex password, not the four-digit PIN that protects the app itself), so neither Authy’s servers, nor any snooping third-party along the way should be able to access the tokens.

Get a replacement phone for backup SMS authentication codes


While some authentication methods require an app, nearly all at least offer the use of an SMS code as a backup option. It’s not as secure a solution as a dedicated authenticator app or hardware token, but if you lose your phone, getting a backup device and activating it with your carrier will let you receive the text messages sent to the phone number attached to your account.

The downside? Text messages are a lot more hackable even if someone doesn’t have access to your device, including the dreaded SIM-swap attack. Of course, an attacker will also need your password to do anything with a specific account, but text-based authentication remains a less secure method than app-based two-factor authentication, since an app requires them to have physical access to your authenticator device in order to break into your accounts.

What to do if you get locked out (and haven’t prepared)


While you have several ways to prepare for the worst, stuff happens. Your phone fell down a well, you lost your sticky note with the backup codes, and today just happened to be the day your Google account asked you to re-verify. Bad luck.

You can sometimes still call or message the company that runs the service you’re trying to access. The bad news is, an account recovery process can often take several business days to fix, assuming the company can do it. Other companies (such as Discord) will tell you that if the backup options fail, they will be unable to provide you with access to your account. You’ll have to start a brand-new account, which isn’t an ideal solution.

This is why it’s important to stay on top of your backup options. However, in the event the worst happens, here are some links with information on how (or if) you can get access to your account back for various services:

As always, a little prevention is worth the scramble and heartache of trying to regain access to all of your critical accounts after you’ve lost your authenticator device.

This story was originally published on 12/19/14 and was updated with more current information on 10/18/19.