What Happens If You Lose Access to Your 2FA — And How to Recover

Losing 2FA access is more common than it sounds. Knowing your recovery options before it happens makes the difference between a 5-minute fix and a multi-day lockout.

Scenario 1: You Lost Your Phone

See our dedicated guide: Lost Your Phone With 2FA — What to Do.

Short version: use backup codes, recovery email, or recovery phone number to log in. Change passwords immediately. Reconfigure 2FA on your new device.

Scenario 2: You Deleted Your Authenticator App

If you deleted the app but still have the same phone, try restoring the app first:

  • Google Authenticator: Reinstall → sign in with your Google account → your backed-up tokens should restore automatically (if backup was enabled)
  • Authy: Reinstall → log in with your phone number → tokens restore from Authy's encrypted cloud backup
  • Aegis/Raivo: Reinstall from backup file if you made one, otherwise use backup codes

Scenario 3: Your Phone Was Factory Reset

Same as losing your phone — all local TOTP tokens are gone. Recover each account using:

  1. Backup codes (fastest — if saved)
  2. Recovery email verification
  3. Recovery phone number verification
  4. Service support (slowest — requires identity verification)

Scenario 4: Your Codes Are Wrong But the App Is Fine

Your device clock has drifted. Fix it: Settings → Date & Time → enable automatic. See: 2FA Codes Out of Sync — How to Fix.

Prevention: Set Up Before You Need It

  • Enable cloud backup in your authenticator app (Google Authenticator → Google Backup, or Authy)
  • Save backup codes for every 2FA-enabled account in a password manager
  • Register a secondary recovery method (backup phone number or email) on every service
  • Store a written record of critical backup codes in a physically secure location

Already locked out? See the full recovery guide: Locked Out of Account With 2FA — Recovery Steps

The Most Important Step: Backup Codes

Every major service provides backup codes when you enable 2FA. These are typically 8–12 single-use codes that allow you to sign in without your 2FA device. The single best way to prepare for losing your 2FA device is to save these codes immediately when you set up 2FA — not later, when it feels more urgent. Store them in a password manager or printed in a physically secure location. With backup codes, losing your 2FA device is a minor inconvenience rather than a crisis.

Platform-by-Platform Recovery

Recovery options vary significantly by platform. Google lets you sign in from a trusted device, use backup codes, or go through identity verification. Apple lets you use a trusted iPhone, Mac, or Apple Watch, or receive a code via trusted phone number. GitHub requires recovery codes or a registered fallback method — its recovery process is notably strict with no alternative if both are unavailable. Financial platforms like PayPal and Coinbase require identity verification through support. Most platforms will recover your account with enough patience, but the process takes time.

Registering a Backup Device

Many authenticator apps support multi-device sync. Authy, for example, allows you to add a tablet or second phone as a backup device that also shows your TOTP codes. Setting this up proactively means you have a second device generating valid codes if your primary phone is lost, stolen, or broken. For critical accounts, this is worth the small setup effort.

Storing Your TOTP Secret Keys

When you first set up an authenticator app for an account, the service displays a QR code (and usually a plain text key). This QR code encodes your TOTP secret — the cryptographic seed used to generate codes. If you save this secret key, you can restore access to that account's TOTP codes on a new device at any time by re-entering it. Some password managers (1Password, Bitwarden) can store both the password and the TOTP secret for an account, giving you everything in one place.

Prevention Is the Entire Strategy

The honest reality is that preventing the lockout scenario requires action before you lose your device, not after. The three-part strategy that works: save backup codes for every account when you set them up, use an authenticator app that backs up to the cloud (Authy or Google Authenticator with Google Account sync), and for the most critical accounts, register a second 2FA method when the service allows it. Do these things once, and losing your phone becomes a manageable inconvenience instead of an account crisis.
