First: don’t panic
You lost your phone, and now every account with two-factor authentication is flashing before your eyes. Take a breath. You have options, and most people get through this without losing any accounts permanently.
The path forward depends on what you set up beforehand and which services you’re trying to get back into. Let’s work through it.
Check for backup codes first
When you originally turned on 2FA, most services handed you a set of one-time backup codes (some call them recovery codes). These are short alphanumeric strings, typically 8-10 characters each, and each one works exactly once as a substitute for your TOTP code; once you have used it, it is spent and the service will usually tell you how many you have left.
If you saved those codes somewhere (a password manager, a printed sheet in a drawer, an encrypted note), go find them now. They’re your fastest way back in.
Each service handles backup codes a little differently during login. Usually there’s a link that says something like “Try another way” or “Use a backup code” below the 2FA prompt. Click that, enter one of your codes, and you’re in.
Once you’re logged in, immediately go to your security settings, remove the old authenticator, set up a new one on your current device, and generate a fresh set of backup codes. If the phone was stolen rather than simply lost, treat the old TOTP secret as compromised: change the password as well and sign out any active sessions you don’t recognise.
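For anyone who builds this feature rather than just uses it, here is an added illustration of what “works exactly once” looks like on the server side. It is not taken from this page or from any particular service, and the class and function names are mine: codes come from a CSPRNG over an alphabet without look-alike characters, only salted hashes are stored, and a successful redemption deletes the hash so the same code can never be accepted twice.

```python
import hashlib
import hmac
import secrets

# Alphabet without the 0/O and 1/l/i pairs, so a code copied from a printed
# sheet is not mistyped.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10  # 10 characters over 31 symbols is roughly 49 bits per code


def generate_backup_codes(count: int = 10) -> list:
    """Return `count` fresh codes, formatted xxxxx-xxxxx for readability."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


def normalize(code: str) -> str:
    """Ignore case, spaces and hyphens so a hand-typed code still matches."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


class BackupCodeStore:
    """Server-side record of one user's backup codes (hypothetical name).

    Only salted PBKDF2 hashes are kept, so a database leak does not hand out
    working codes. Redeeming a code deletes its hash, which is what makes it
    one-time.
    """

    ITERATIONS = 50_000  # makes offline guessing of a leaked hash slow

    def __init__(self, codes):
        # One salt per user is enough: the codes themselves are random.
        self.salt = secrets.token_bytes(16)
        self._hashes = [self._hash(normalize(c)) for c in codes]

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, self.ITERATIONS)

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, submitted: str) -> bool:
        """Accept `submitted` once; return False for a wrong or already-used code."""
        candidate = self._hash(normalize(submitted))
        match = -1
        # Compare against every stored hash without breaking early, so timing
        # does not reveal which slot (if any) matched.
        for i, stored in enumerate(self._hashes):
            if hmac.compare_digest(candidate, stored):
                match = i
        if match < 0:
            return False
        del self._hashes[match]
        return True


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("print or save these:", " ".join(codes))
    print("first use:", store.redeem(codes[0]))  # True
    print("replay:", store.redeem(codes[0]))     # False
    print("remaining:", store.remaining())       # 9
```

The normalisation step is what lets a user type the code in upper case or without the hyphen and still get in; the constant-time loop and the delete-on-success are what keep the codes from being guessable by timing or replayed after use.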
If you don’t have backup codes
This is where things get slower, but it’s not hopeless.
Email accounts (Google, Microsoft, etc.)
Google has an account recovery flow at accounts.google.com/signin/recovery. You’ll answer questions to verify your identity, including when you created the account, recent passwords you’ve used, and which contacts you email frequently. It can take a few days.
Microsoft lets you use a recovery email or phone number you set up beforehand. If you also lost access to those, their account recovery form asks you to provide details about your account to prove ownership.
Social media
Most platforms (Instagram, Twitter/X, Facebook) have support flows for lost 2FA. You’ll typically need to verify your identity with a government ID or by confirming personal details. Response times range from a few hours to over a week depending on the platform.
For Discord specifically, if you saved your backup codes during setup, use those. If not, Discord’s support team can help, but you’ll need to verify account ownership through your email. Check our Discord 2FA setup guide for more on how Discord handles this.
Developer accounts
GitHub lets you use SSH key verification or a verified device to regain access. If you have an SSH key associated with your account, this is usually the quickest path. You can also reach their support team with proof of account ownership. See our GitHub 2FA guide for details on GitHub’s recovery options.
For cloud providers like AWS, it depends on which identity lost its MFA device. An IAM user’s MFA device can be deactivated by any administrator in the account, so ask a colleague with admin rights before opening a ticket. For the root user you’ll need AWS’s own recovery process, which involves identity verification and can take time, so start early.
Banking and financial services
Call the bank directly, using the number printed on your card or statement rather than one from a search result, an email or a text message. Phone support for financial institutions can usually reset your 2FA after verifying your identity through security questions and account details. This is one area where phone calls still beat online support.
If your authenticator app synced to the cloud
Some authenticator apps back up your secrets automatically:
- Authy syncs encrypted backups across devices. If you had Authy on a tablet or secondary phone, your codes are already there. You can also install Authy on a new device, verify your phone number and restore from backup, but you’ll need the backup password you chose when you enabled backups, and Authy can’t recover it for you.
- Microsoft Authenticator offers cloud backup (iCloud on iOS, your Microsoft account on Android). If you had backup turned on, restore it on a new phone and your accounts come back.
- Google Authenticator added Google account sync in 2023. If you had that turned on, install the app on your new phone and sign in with the same Google account. Bear in mind that the secrets then live in that account, so anyone who gets into it can generate your codes.
- 1Password, Bitwarden, and other password managers that store TOTP secrets sync across all your devices. If you stored your 2FA codes in your password manager, you already have them on your laptop or tablet. It’s convenient, but both factors now sit behind one master password, so treat that vault accordingly.
If you were using an app without cloud sync (like the older versions of Google Authenticator or Aegis without backup), and you didn’t export your keys, those secrets are gone with the phone. You’ll need to go through recovery for each account individually.
Transferring 2FA to a new device
Once you’ve recovered access to your accounts, set up 2FA fresh on your new device. For each account:
- Log in (using backup codes or after completing recovery)
- Go to security settings
- Remove or disable the old 2FA method
- Set up 2FA again with your new phone’s authenticator app
- Save the new backup codes somewhere secure
Yes, it’s tedious if you have a lot of accounts. But it’s also a good time to audit which accounts you actually still use, close the ones you don’t, and make sure the ones tied to money, identity or your email get the strongest setup.
Preventing this next time
Losing your phone with all your 2FA codes on it is avoidable. Here’s what to do differently.
Save your backup codes. Every single time a service gives you backup codes, save them. A password manager is the easiest place. A printed sheet in a fireproof safe works too. Just don’t leave them only on the phone that could disappear.
Use an authenticator that syncs. Apps like Authy, Microsoft Authenticator (with backup enabled), or a password manager with TOTP support mean your codes aren’t trapped on one device. If the phone vanishes, your codes are recoverable from another device. The trade-off is that the sync account now protects all your second factors, so give it a strong password, its own 2FA, and backup codes stored offline.
Keep a second device logged in. If you have a tablet or old phone, install your authenticator app there too (for apps that support multi-device). It’s a low-effort backup plan.
Export your keys periodically. Some apps like Aegis and 2FAS let you export your secret keys to an encrypted file. Do this occasionally and store the export somewhere safe.
The bottom line
Losing your phone doesn’t have to mean losing your accounts. Backup codes are the fast path. Account recovery through support is the slow path. Both work.
But the real fix happens before you lose the phone. Spend ten minutes today making sure you could recover if your phone disappeared tomorrow. Future you will appreciate it.
If you want to test how TOTP codes work or verify your setup on a new device, you can generate codes at 2fa.zip. It runs entirely in your browser with nothing stored on a server.