Can I still use 2FA if my phone is lost or stolen?
Posted on 26 June 2023 by Beaming Support

Two-factor authentication – also known as ‘2FA’ – is the process by which a secondary method of verification (in addition to a password) is required before allowing you access to an account/platform/device. It is also known as 2-step verification (2SV), or multi-factor authentication (MFA).
Some of the most common methods of verification – SMS verification and authenticator apps – rely on mobile phones to operate. So, what would happen if your phone is lost or stolen, but you still need it to verify your login attempt?
Backup codes
The first step is a preventative measure. Many accounts that require 2FA will allow you to generate a set of ‘backup codes’ to use in the event that you’re unable to access your phone. If this is an option, make sure to keep them somewhere safe – not in the notes app on your phone! Storing them in a secure, offline place, such as on an encrypted USB stick, is a good idea.
Use another device
When setting up 2FA, you may have been presented with the option to save additional, ‘trusted’ phone numbers that codes can be sent to. If this has been set up, send the verification codes to the alternative number(s) you have linked to your account.
If your method of verification is an authenticator app, check whether it is possible to download the app and log into it on another device.
Security keys
If you have added a security key to your account, you will be able to use this in place of any 2FA codes sent to your phone. These are physical keys that plug into the USB port of your device, which allow access to your account – usually with just one click.
Contact customer support
If you are still struggling to access your account, you might have to contact customer support or (in the instance you are locked out of a company account) a local administrator, and prove you are the owner of the account.
Some companies will have a list of ‘authorised users’ who can confirm or deny a person’s identity, so make sure you are aware of the people on that list.
Wipe the device
If your phone is stolen, or you believe it’s lost for good, make sure to remotely wipe the device. This means if anyone is able to get into your phone, they will not be able to access your authenticator apps, or any 2FA codes that have been sent via SMS.
If you have lost a company device, you must let your IT department know immediately, as they will block the device/phone number from authenticating against the account (remotely wiping alone will not suffice), and block any sign-in attempts. In addition to this, they will be able to reset your password, as well as program in an alternative number for codes to get sent to in the future.
If your authentication method is a telephone call or an SMS code, you will need to contact your IT department to re-register your 2FA onto a new/temporary device until you either get a replacement device with a new number assigned, or get the SIM card replaced and your old number reactivated. It is important to ensure that you communicate with your IT provider whenever you change numbers, as they will need to ensure the systems are up to date.