2-Step Verification Issues: What to Do if Your Phone Was Lost or Stolen

2-Step Verification Issues: What to Do if Your Phone Was Lost or Stolen
Page content

With two-step verification enabled, your account requires a password and a separate authentication code before access is granted. The latter criterion is usually sent to your cell phone via a text message, voice call or authenticator app. If you lose your phone, your inability to receive the verification code poses an obvious problem. In such cases, however, you do have other options to regain access to your account.

Replace the Phone

If you are sure that your phone is gone for good, contact your mobile provider to report the loss and purchase a new phone. The representative can move your number to your new phone so you can receive SMS or voice codes as if there was never a loss. If you use an authenticator app for codes, however, you will need to set it up again on the new phone.

When replacing your phone, you should also remotely erase your old phone, if possible, to prevent others from gaining access to accounts, receiving codes or acquiring personal data. Remote wiping is possible through system-specific tools, such as Android Device Manager, Apple’s Find My iPhone service or Windows’ Find My Phone utility.

Recovery Codes

Most two-step enabled accounts offer recovery or backup codes in case you lose your phone and can’t receive normal verification codes. These backups are usable in place of the requested code sent to your phone. Depending on the account, enter the code in the same verification field or click a link to reveal the recovery option. For example, Dropbox’s verification dialog has an “I Lost My Phone” link that opens a recovery field. If you didn’t keep a copy of these codes, you can’t get them without access to your account, so be sure to save your recovery codes. Many accounts, such as iCloud, rely on these codes as the sole recovery solution.

Backup Phone or Email

Some accounts, such as Google, give you the option of establishing two phone numbers with the second one serving as a backup number. Likewise, some accounts optionally send codes to a secondary email address, as is the case with Microsoft. If you have set up either option, select it in the verification dialog to submit a code to the backup solution.

Use a Trusted Device

A trusted device is one you chose to remember or “trust” after successfully logging in from that device. A trusted device effectively replaces the second authentication method, so you are not prompted for a verification code. If you still have access to the device, use it to log in to your account and circumvent the need for a code delivered to your cell phone. If you never established a trusted device, try to log in from a computer you recently used to access the account. You might still be logged in or the account might only require a code every set period.

Voicemail or Voice Call

Some accounts support voice calls in which you’re given the verification code audibly. Even if you haven’t previously set up this solution, the login form might provide an option to send a one-time voice code. If you don’t answer the call, it is left on voicemail. Assuming you have remote access to your phone’s voicemail, you can then retrieve the code.

Account Recovery Options

If all else fails, try all of your account’s recovery options to reset your password and access your account. If the recovery method is purely a mobile number, then you are out of luck, but if you chose an email address to which you still have access or set up recovery questions, use one of those options. Some accounts, such as Google, offer a final method of validating you as the account owner by asking specific questions about your account, such as services used, emails received or account creation date. If you know this information, you can access your account through the recovery form.

Change Password and Revoke App Passwords

A lost phone poses a security risk if you don’t use it as a second-tier verification method and even more so if you do. When you have access to your account once again, immediately change the password so a thief can’t access the account from an automatically logged in phone. Open the account’s security options and revoke each app password as well, so phone apps don’t retain access to the account.

Preventive Measures

If you are reading this article out of concern of a hypothetical future loss, hopefully you feel somewhat comforted. To protect against future losses, log into your account, access the security section and look for an option to view or generate recovery codes. Copy these codes and store them in a secure location. While you are there, set up account recovery options or a backup verification method. If you have secure, exclusive access to a computer, establish it as a trusted computer, so you will always have at least one device from which to access your account.