What Happens If I Use 2FA and Lose My Phone?
Two-factor authentication is an important security measure that uses your phone (or another device you hold) to keep unauthorized people out of your accounts. That makes it hard to get into your account if you lose your phone, but that is kind of the point. Luckily, you have options if you can't find the one device you've been using to prove that you are really you.
Two-factor authentication, by its very nature, is designed to block access to your accounts when the phone (or other authentication device) is not present. So there are not many after-the-fact ways around that requirement. There are, however, plenty of ways to prevent the problem in the first place, so don't wait until you lose your phone to set them up.
(If you are currently locked out, skip to the last section.)
If you purposefully get rid of your phone …
If you know you'll be getting rid of your phone, make sure you have moved two-factor authentication to another device (or temporarily turned it off) before you let the old one go. For easier access, here are some links where you can change your two-factor settings on a few commonly used services if you already have it enabled (or learn how to set it up). Note: these links will probably only work if you are signed in to your account.
- Dropbox
- LastPass: Open LastPass on the web, go to Settings > Multi-Factor Options.
- 1Password
- Discord
- Twitch
The process differs from service to service, but the basic principle is the same: install the authenticator app on your new device, scan the QR code (or type in the secret key) shown on the service's website, then enter the code the app generates to prove you have the device. In most cases the old authenticator stops working at that point, so be certain before you swap.
If you use SMS, changing phones doesn't matter: activate your new phone with your carrier and the codes will keep arriving at your phone number. If you're using an authenticator app (we recommend Authy, which we'll get to in a moment), you can usually swap the authentication device in your account's security settings.
Always write down your one-time backup codes
We cannot stress this enough: write down your backup codes. If you ever find yourself locked out of your account for any reason, including forgetting to move the authenticator off a phone before handing it over (or being unable to, because the phone was stolen), backup codes are the best and easiest way to regain access. Once you're back in, set up a new authenticator, generate a fresh set of backup codes (most services let you do this), and you're as secure as before.
You've probably heard that you shouldn't write down your passwords, but these one-time codes are an exception. Print them out or write them down and store them somewhere you can find them. Ideally, keep them separate from your phone, perhaps in a fireproof box or a safe with your other important papers. Don't just save them in a Word document on your laptop, because if your laptop dies (or gets stolen), you're out of luck.
Unlike the rotating codes from your authenticator, these one-time codes do not change. Most sites also tell you when one has been used, or at least cross it off the list of usable codes. Google, for example, issues ten backup codes. When you use one, the list shrinks from ten to nine (they are not automatically replenished), and you get an email saying a code was used. So even if someone finds your backup codes and uses one to get into your account, they will have a hard time doing it unnoticed.
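As an added example (not from the original article or from Google), here is how a service can implement the behaviour just described on the server side, in Python with only the standard library: issue ten codes, store only slow hashes of them rather than the codes themselves, cross each one off when it is used, refuse reuse, and record an audit event of the kind a site would turn into its "a backup code was used" email. The code format, hash parameters and log wording are this example's own choices, not any particular service's.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Lowercase letters and digits: easy to read back from a piece of paper.
ALPHABET = string.ascii_lowercase + string.digits


def generate_backup_codes(count: int = 10, length: int = 8) -> list[str]:
    """Generate `count` random one-time codes such as 'k3x9p2qa' (format chosen for this example)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def _hash_code(code: str, salt: bytes) -> bytes:
    # Short codes are only protected against offline guessing by a slow hash; never store plaintext.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


@dataclass
class BackupCodeStore:
    """Server-side record for one account: hashed codes, which ones are spent, and an audit log."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    hashes: list[bytes] = field(default_factory=list)
    used: list[bool] = field(default_factory=list)
    audit_log: list[str] = field(default_factory=list)

    def issue(self, count: int = 10) -> list[str]:
        """Replace any previous set and return the plaintext codes, which the user sees exactly once."""
        codes = generate_backup_codes(count)
        self.hashes = [_hash_code(c, self.salt) for c in codes]
        self.used = [False] * count
        self.audit_log.append(f"{count} backup codes issued")
        return codes

    def remaining(self) -> int:
        """How many codes are still usable; this number only goes down until a new set is issued."""
        return self.used.count(False)

    def redeem(self, submitted: str) -> bool:
        """Consume one code. Unknown or already-spent codes fail; a good one is crossed off and logged."""
        candidate = _hash_code(submitted.strip().lower(), self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(candidate, stored):
                if self.used[i]:
                    self.audit_log.append("rejected reuse of spent backup code")
                    return False
                self.used[i] = True
                # A real service would send the account owner an email here.
                self.audit_log.append(f"backup code used; {self.remaining()} remain (notify account owner)")
                return True
        self.audit_log.append("rejected unknown backup code")
        return False


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.issue(10)
    print("write these down:", " ".join(codes))
    print("first use accepted:", store.redeem(codes[0]), "remaining:", store.remaining())
    print("reuse accepted:", store.redeem(codes[0]), "remaining:", store.remaining())
    print("\n".join(store.audit_log))
```

Because the server keeps only hashes, a database leak does not hand an attacker a working code, and because every use and every failed reuse is logged, the owner gets the warning the article describes. Generating a new set simply replaces the whole list, which is what "generate new backup codes" does after you recover an account.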
Use a third-party authentication app like Authy
As we mentioned earlier, Authy is a great app for managing your two-factor accounts on iPhone, Android, and even your computer. Not only does it give you a "backup" device in case you lose your phone, since your tokens are synced across your devices, but it also makes it easier to move tokens from one device to another (say, when you buy a new phone). Just sync the new device and deauthorize the old one.
To sync tokens across your devices, you first need to set up Authy as your main two-factor app. If you currently use Google Authenticator or another code-generating app, you'll need to go through your accounts and re-enroll each one in Authy, usually by scanning a QR code, exactly as you would when moving to a brand-new device. Then follow these steps to sync Authy with a second device:
- Open “Settings” in Authy on your main device and click “Devices”.
- Turn on “Allow the use of multiple devices.”
- Install Authy on the second device.
- When you first open the app, you will be prompted to enter a phone number. Enter the phone number of your main device.
- In the pop-up window that says “Get Account Verification Through”, click “Use an existing device.”
- On the primary device, you will receive a notification asking you to confirm the addition of a new device. Click “Accept”.
- Tap “OK” in the box asking you to confirm this decision.
- Go back to the settings on the main device and click “Devices” again.
- Disable “Allow the use of multiple devices”. This prevents any additional devices from being added while your existing connected devices remain active.
It’s also a good idea to enable a PIN (or fingerprint/face lock) on every device you’ve connected to Authy. (You need to do this on each device, under My Account > Security.) That way, even if someone gets physical hold of your device, it is harder for them to see your codes.
For those concerned about the security of this method: your authentication tokens are encrypted on the device with a strong password of your choosing (not the four-digit PIN that merely locks the app), so neither Authy’s servers nor anyone watching the traffic in transit should be able to read them.
Get a spare phone for SMS authentication backup codes
While some authentication methods require an app, nearly all offer at least an SMS code as a fallback. It’s not as secure as a dedicated authenticator app or a hardware token, but if you lose your phone, getting a replacement device and activating it with your carrier lets you receive text messages at the phone number associated with your account again.
The downside? Text messages are much easier to hijack even without access to your device, most notoriously through a SIM swap attack. An attacker would still need your password to do anything with a given account, but SMS remains a weaker second factor than an authenticator app or hardware token, because those require the attacker to have physical access to your authentication device in order to get into your accounts.
What to do if you are locked out (and weren’t prepared)
You have several ways to prepare for the worst, but things happen. Your phone fell down a well, you lost the sticky note with the backup codes, and today of all days your Google account asked you to verify again. Not good.
Sometimes you can still call or message the company that runs the service you’re trying to get into. The bad news is that account recovery, when the company can do it at all, often takes several business days. Other companies (such as Discord) will tell you outright that if your backup options fail, they cannot grant you access to your account; you’ll have to create a new one, which is not ideal.
This is why it is important to know all of your backup options ahead of time. But in case the worst happens, here are some links with information on how (or whether) you can get back into your account on various services:
As always, a little prevention is well worth the effort and heartache of trying to regain access to all of your critical accounts after you lose your authentication device.
This story was originally published on 12/19/14 and was updated with more recent information on 10/18/19.