
Getting Locked Out of Your Digital Life Is Bad. Here’s How to Avoid It.

Prevent lockouts by using multiple forms of verification
Photo illustration by The Wall Street Journal, Getty Images
By Nicole Nguyen
July 9, 2023 9:00 am ET


A warning to those feeling secure with two-factor authentication. If you lose or break your phone, you could lose access to your authenticator app’s essential codes…and the online accounts they’re supposed to protect.  

Cybercrime is still on the rise, and passwords are the main target for hackers. That’s why using two-factor authentication (also known as 2FA) is vital for protecting your Gmail, PayPal and other online services. 

It’s like having a door with multiple locks. A service first asks for your password (the main lock), then for one of the short-lived codes generated by your authenticator app (the deadbolt). Without both your password and a current code, a thief can’t get in.

But there’s a trade-off to this extra security. Some authenticator apps keep the secret that generates your codes only on that one device. If you don’t have that device, you can’t produce the codes, and you can’t get into your accounts. It’s something I learned the hard way, after sending in a phone for repair several years ago.

It may be tempting to disable two-factor authentication to avoid the trouble. Don’t do this: “You’d be incurring significant risks, including account hijacking,” said Christopher Budd, director of security firm Sophos X-Ops. There are better ways to set up 2FA, including using apps that support cloud backups, he said.

A new green cloud icon in Google Authenticator indicates your codes are backed up to your Google account.

The popular Google Authenticator app recently addressed the problem with a new option to save codes to your Google account. That means you can now set up Google Authenticator on a new device—even if you don’t have your old one—and restore your codes. It’s a good solution, as long as you connected your Google account before you lost your phone. It also means your codes are only as safe as the Google account they are saved to, so protect that account with a second method of its own.

If you’re still locked out of your accounts, there is some recourse. Use these steps to try to regain access, and make some changes to prevent two-factor fails.

Get back in

Easiest: Use another device. Sign in on a tablet or computer that you’ve used to access that account before. If you previously checked the “Don’t ask again on this device” box, you may be able to log in with just your password, no 2FA required. 

If it does ask for 2FA, see if there’s an option for an alternative verification method. Google and Facebook, for example, can send an approval notification to a device where you’re already logged in. 

Easy-ish: Transfer your phone number. Visit your carrier for a new SIM card or an eSIM to transfer texts and calls to a new phone. Some services, such as Apple’s iCloud, can text a code to the account’s listed phone number when you don’t have access to a trusted device. (Prevent a thief with access to your phone from taking over your Apple account by locking the lost device’s SIM card as soon as possible. I explain how here.)

Medium: Find recovery codes. You might have saved one-time-use backup codes long ago, when you first set up two-factor authentication. (Many services tell you to do that when you sign up.)

Look on your desktop, where you could have saved a screenshot, or in a desk drawer, where you might have stashed a paper printout. Google prompts you to download your backup codes as a text file; search your computer for a file named “backup-codes-username.txt”, where username is your Google username.

More Difficult: Restore an old phone backup. Is none of the above an option? Restore your old phone’s data onto a new phone. This only brings your codes back if the authenticator app included its secrets in the phone backup; some apps deliberately leave them out, so the restored app may come back empty.


When you’re activating a new iPhone and reach the Apps & Data setup screen, select Restore from iCloud Backup. If you use a laptop for backups, connect the phone to your computer, then select the device in Finder. Click Restore Backup and pick the most recent date. 

On a new Android device, follow the on-screen steps to set it up. When you see “Copy apps & data,” tap Next. Then tap “Can’t use old device.” Select the most recent backup available.

Most Difficult: Start account recovery. This method will require patience. You can often trigger the account recovery process by clicking the “Forgot password?” or “Get help?” option on a sign-in page, which will ask you for additional information and open a case with the company’s customer service team. This can take weeks or even months, so hang in there. 

Prevent future lockouts

Multiple forms of verification: There are different types of 2FA, and many services allow you to mix and match. A physical security key, the most secure form of 2FA, can act as your main authentication method or a spare key. You can use an authenticator app along with a security key, and even add multiple security keys to one account. 

A physical security key, such as the YubiKey 5C NFC ($55), can act as a spare if you lose access to your phone.

Photo: Yubico

Also consider passkeys, a new password-less form of login available for Google, Microsoft and other accounts. With a passkey, you can use just your fingerprint to log in on your laptop, or your face to log in on your phone. Passkeys stored in a platform password manager, such as iCloud Keychain or Google Password Manager, are synced through that account, so you can sign in from any of your devices; a passkey kept on a hardware security key lives only on that key.

Save backup codes: You can find one-time-use recovery codes that don’t expire in your account’s security settings. Print these out—they’re safer in the real world, in your desk, than somewhere online where a hacker could get them.
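As an added illustration, not from the article, here is how a service typically issues and checks those one-time codes on its side, which is why the printout is the only copy: the service keeps only salted hashes, so it cannot show you the codes again, and each code is deleted the moment it is used. The service-side store below is hypothetical and written for this example; real services differ in code format and hashing, but the single-use, hashed-at-rest pattern is what makes “print them and keep them safe” the right advice.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/o, 1/l/i), so a code typed from a
# printout or read over the phone is not mistranscribed.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, length: int = 8) -> list:
    """Issue `count` random codes from a CSPRNG; the user sees them exactly once."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def normalize(code: str) -> str:
    """People type codes with spaces, dashes or capitals; canonicalize first."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def hash_code(code: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked database does not yield usable codes."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 50_000)


class BackupCodeStore:
    """What the (hypothetical) service keeps per account: a salt and the hashes
    of the codes that have not been used yet. The plaintext is never stored."""

    def __init__(self, codes: list):
        self.salt = secrets.token_bytes(16)
        self.unused = [hash_code(c, self.salt) for c in codes]

    def redeem(self, submitted: str) -> bool:
        """Accept a code at most once, comparing hashes in constant time."""
        candidate = hash_code(submitted, self.salt)
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(candidate, stored):
                del self.unused[i]  # burned: the same code will not work again
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("Print these and keep them offline:", " ".join(codes))
    store = BackupCodeStore(codes)
    # Constructed run: first use succeeds, a replay of the same code fails.
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())
```

Because only hashes survive on the server, “I lost my printout, can you re-send my codes?” is not a request a service can honor; it can only generate a fresh set, which is what the “regenerate backup codes” button in account settings does.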

Authenticator apps that back up to the cloud: I like Twilio’s Authy app, because you can get the same codes across multiple devices, including your laptop. It’s convenient, and it can serve as a backup should you lose your phone.

There are risks to backing up data to the cloud. Authy defends against those risks by protecting codes with encryption that can only be unlocked with a password. Authy doesn’t know this password—only you do—so the company can’t recover your account if you forget it.

Many password managers, such as 1Password and Apple’s iCloud Keychain, offer built-in authenticators. But storing both your passwords and your 2FA codes in one vault puts a lot of eggs in one basket: anyone who gets into the vault gets both factors at once.


Write to Nicole Nguyen at [email protected]
