
What if I lose my phone with Google Authenticator on it?


Ok, so your phone was lost or stolen, and you had Google Authenticator on it.

It happened to me, so I am pretty familiar with the process.

The Google Authenticator app is not the only second-step verification option available to you, and chances are that even if you don't have access to the app, you will still be able to log in another way.

You may try to verify your account with Backup Codes or using Voice or Text messages. If either process fails, we will have no choice but to use Google Help.

Verify your account Using Backup Codes.

Most sites now offer Two-Factor Authentication, and once it is enabled the service will provide you with Backup Codes. Google, for example, issues the codes in sets of 10, each eight characters long. Each time you use a Backup Code it becomes inactive. You can also generate a new set anytime.


To log in to your account, type your login and password, then press More Options on the 2-Step Verification form. Google will let you choose other options to log in to your account. Select Enter one of your 8-digit backup codes and type the code on the next screen.


  1. Type Your Email Address.
    1. Go to Google and press Sign In. Enter your email address and press Next.
  2. Type Your Password.
    1. Type your password and press Next.
  3. Select – More Options.
    1. Once you have provided your login and password, you will be asked to type your verification code from the Google Authenticator app. Instead, select the ‘More Options’ link below the form. Google will offer you other ways to authenticate your ownership of the account.
  4. Select – Enter One of Your 8-Digit Backup Codes.
    1. Under ‘Try another way to sign in’ select ‘Enter one of your 8-digit backup codes’. You will be presented with a form to type your Backup Code.
  5. Type One of Your 8-Digit Backup Codes.
    1. Type your 8-digit Backup Code and press Next. You have successfully logged in to your Google Account without using Google Authenticator.

Verify your account by Voice or Text Message.

Ok, so you have lost your Backup Codes, but there might be a tiny chance that when you set up your account for the first time, you enabled the other verification method, which uses Voice or Text messages.

The process of using this method is similar to the one described for the Backup Codes, except that you select the Voice or Text message option.


Verify your account with Google Help.

Luckily, I never needed to use this option, but if you do not have the Backup Codes and the verification method using Voice or Text message has also failed, this might be the last option available to you to access your account.

Pay attention to the questions and give as much information as possible where appropriate when filling in the Google Account Recovery Form.

For this post, I used one of my accounts to get through the process. However, I did not submit my form so I am not sure how successful that might be and whether the waiting time is as described by Google.

Go to Google, select the Sign In option, and follow the steps below to get to the Get Help option.

  1. Type Your Email Address.
    1. Go to Google and press Sign In. Enter your email address and press Next.
  2. Type Your Password.
    1. Type your password and press Next.
  3. Select – More Options.
    1. Once you have provided your login and password, you will be asked to type your verification code from the Google Authenticator app. Instead, select the ‘More Options’ link below the form. Google will offer you other ways to authenticate your ownership of the account.
  4. Select – Get Help.
    1. Keep in mind that this may take up to 5 days, so use this as a last resort. The process is straightforward, and you will need to fill out an account recovery form. You must answer some questions related to your account, for example:
      1. When did you create this Google Account? (I had trouble with this one).
      2. Enter an email you can check now (Google will send you a single verification code to an alternative email).
      3. You may also add additional information which will help Google to authenticate you.
  5. Select – Request Google Help.
    1. Provide all the relevant information Google asks for.
  6. Type the Date.
    1. Type the date you created your Google Account. When writing this post, I tried the Account Recovery option, and I have to admit that this was the most challenging question to answer. I simply did not remember that date, so I had no choice and I skipped this question.
  7. Enter an email you can check now.
    1. Type an email you can check now. Google will send you a six-digit code to confirm.
  8. Confirm the code sent to you earlier.
    1. Check the email you gave earlier for the code Google sent you and type it here to confirm it.
  9. Add more information.
    1. This is the last chance to add additional information which may help Google to authenticate you and unlock your account. Once you press Done, the Google team will review the information you gave and may or may not accept your application.

You logged in to your account, what to do now?

Save your Backup Codes.

Keep your Google Account Backup Codes secure. I mean really secure: do not store them on OneDrive, Dropbox, or any other cloud service. Do not keep them in a draft email – yes, I saw people doing this, using draft copies of emails as storage for private information.

Instead, print them or write them down and keep them somewhere safe, perhaps with your passport or other documents. Even better, make two copies and keep them in two different locations. Personally, apart from having printed my Backup Codes, I also keep a digital copy on my encrypted IronKey flash drive. If you are using an encrypted flash drive, make sure you remember your password, especially if you access the drive only occasionally.


You may also go a step further and, apart from printing your Backup Codes, print the QR codes which you add to your Google Authenticator app. That way you may scan the codes with a new device. I have heard that people also take pictures of them with an old camera (not your phone camera), not sure if this is a good idea, but it also works.

[Image: Google Two Step Verification QR code]

Ok. So we saved our Backup Codes and the QR Code.

However, there is one more thing we can do to be sure that if our phone gets stolen, lost, or damaged, we will still be able to set up the new one with Google Authenticator on it.

Take a look at the image above with QR Code on it. What do you see just below the QR Code?

CAN'T SCAN IT?

So now follow these steps:

  1. Add the account by scanning the QR Code.
  2. Print the QR Code and keep it in a safe place.
  3. Click the “CAN'T SCAN IT?” link.
  4. Copy the code presented to you and keep it in a safe place.
  5. Click NEXT and type the token generated by the app.
  6. Click FINISH.

Excellent, you now have 2FA enabled for your Google Account, you saved your Backup Codes, printed the QR Code, and hopefully, if you followed my guide above, you have also printed or saved the Key.

From now on you can add your Google Account to your 2FA app by either scanning the QR Code saved earlier or by typing the Key.

Reset Authenticator App using Change Phone option.

This step is crucial. If your phone was lost or stolen, anyone may now generate new tokens using your Google Authenticator app. Yes, they are useless without the password, but don't take the risk: reset the Authenticator App in your Google Account 2-Step Verification settings. You will have to do this anyway if you want to set up the Google Authenticator App on your new phone.

After you have recovered access to your Google Account using Backup Codes, go to 2-Step Verification and select the Change Phone option under Authenticator App.

Scan the QR code with your new phone. You may also print the QR code and keep it in a safe place. Once you have scanned the code with your Google Authenticator App, press Next and confirm the code to finalize the procedure.

Note: You may use the second phone as a backup option.

Everyone has some old phones lying around. So grab one, do a factory reset, disable WiFi, and every time you enable Two-Factor Authentication or create a new account, set it up on both devices.

You may treat this as emergency access to your Google Authenticator app. In case your primary phone was stolen or lost you always have a backup phone with Google Authenticator installed on it.

Change your Google Account Password.

It seems obvious, but I almost forgot about it. Be safe, and if your phone was stolen or lost, change your password after accessing your account. Hopefully, you are already using a Password Manager, so go through all your accounts and change the passwords for them too. Better to be safe than sorry.


Revoke your App Passwords.

An App Password is a one-time password that is issued to you by Google to authorise access to your Google Account for applications and devices which do not support Two-Factor Authentication, for example Microsoft Outlook or Mozilla Thunderbird.

Revoke the App Passwords for any applications or devices you own that you no longer use or that were stolen or lost. Removing the App Password will prevent anyone from accessing your Google account from that device or application.

For example, in the image below, Microsoft Outlook, an email client application which I'm currently using on my Surface Pro, has been authorised to access my Google account with an App Password.

If my tablet gets stolen or damaged, I will revoke the App Password for that application and any other application on that PC preventing anyone from accessing my account.

[Image: Google App Passwords settings]

Alternatives to Google Authenticator App.

Google Authenticator is not the only app capable of generating time-dependent 6-digit tokens and definitely not the most flexible application available to us.


Authy.
Google Authenticator is great, but it has one significant disadvantage: it lacks multi-device support and an encrypted backup option. Once your phone gets damaged, lost, or stolen, all your 2FA codes are gone too. Fancy a new phone? It will take you a lot of time to rescan all those QR codes from all the accounts you own with your new device.

And this is where Authy comes in.

Authy, like Google Authenticator, also generates time-dependent 6-digit keys used in the login process. But unlike Google Authenticator, Authy will sync your 2FA tokens between any devices you have authorized. This process may also be reversed, so if your phone was lost, stolen, or replaced, you could deauthorize it from any authorized device.

Personally, I don't like to have my 2FA codes on multiple devices; luckily, with Authy this function is optional and can be disabled if you prefer.

Finally, the best option, in my opinion, is the ability to perform encrypted recovery backups.

And yes, I mentioned a few times in my other blog post about Sticky Password Manager that I prefer to store my data locally, not in the cloud, and rely on someone’s security features to keep it safe. But this option is a real time-saver when anything bad happens to my phone.

Keep in mind that the encrypted cloud backup function is also optional, and if you are not happy with it do not enable it, and your data will be stored locally on your phone.


Restoring Your Authy Codes.

Follow the steps below to set up your new phone or add a new one.

  1. Authy Account Setup.
    1. Download the application and start an account setup.
  2. Verify the account via:
    1. Phone Call.
    2. SMS Text Message.
      [Image: Authy installation process]
  3. Unlock your Recovered Data.
    1. After successful verification, you will be able to see the accounts in your app. However, notice that each account on the image above has a padlock on it. You must now unlock the accounts by using your backup password, the password which you used to set up the Authy app/account for the first time.
  4. Unlock Accounts with a Backup Password.
    1. Click an account you wish to generate the code for and type your backup password.

Success!

All your accounts are now unlocked, and you can use the codes.

Summary.

Whether your phone or tablet was lost, damaged, or stolen, the process of accessing your accounts without 2FA does not have to be so painful.

Just take the time to set up the accounts correctly in the first place. Save your Backup Codes: whether you print them, store them on a secure storage device, or even take a picture, make sure you have them when they are needed. Your backup codes are usually the only way you can restore access to your accounts, so take care of them.

Let me know in the comments which method described here was the most helpful and allowed you to recover your Google Account successfully.


Thomas Wzorek

I’m a Systems Applications Developer writing software in C# and .NET with interest in Cyber Security and Systems Administration. I divide my time between my family and passion for programming using .NET Technology and my favorite language, C#. If I’m not in Visual Studio, I’m probably trying to catch up with the continuously evolving Tech-World, researching Online Security & Privacy, and chasing the latest Data Breaches.