Multi-factor authentication (MFA) is simply the best thing you can do to keep bad guys from accessing your accounts. But what happens if you lose your security key, delete your authenticator app, or lose all your devices and can’t prove you’re you? It’s a nightmare scenario, but don’t panic! Here’s what to do when this bad dream becomes a reality.
What Are the Three Types of Multi-Factor Authentication?
Before we get down to business, let’s first review what MFA is and why you should use it.
MFA (sometimes called two-factor authentication or 2FA) doesn’t just mean using more stuff to log in. In the world of authentication, there are three ways to identify yourself:
- Something you know, like a password;
- Something you are, such as a fingerprint or some other biometric attribute;
- Or something you have, like a hardware security key.
Need to troubleshoot this tricky situation? PCMag’s Max Eddy has tips here.
The traditional username and password authentication scheme is just one factor (something you know), but multi-factor authentication mixes in at least one other factor. That way, even a bad guy who knows your password won’t be able to access your account because they don’t have the other factor necessary to do so.
This isn’t just theory, either. When Google required hardware security keys among its employees, account takeovers were effectively eliminated.
The most common way to do MFA is to receive a one-time use code via SMS. However, SIM jacking and other bad guy techniques mean that this is the least secure way to do MFA. Instead, we recommend using an authenticator app that generates one-time use codes on your phone or a hardware security key you plug in to verify your identity.
Having weak MFA is better than having no MFA at all, so if authenticator apps are too confusing and security keys are too expensive, enable SMS codes. But we strongly encourage you to investigate alternatives.
What to Do When You’re Locked Out of MFA
A legitimate concern with MFA systems is that you might lose your security key, accidentally wipe your authenticator app, or have your phone stolen and be unable to receive SMS codes. Without access to your MFA options, you might be locked out of your account forever.
Fortunately, there are some things you can do if you find yourself locked out of an account secured with MFA: use a device that’s still logged in, use an alternative MFA option, or contact customer support. Below, we break down all three options in detail.
What are your other MFA options?
Many sites and services that support MFA also require you to enable more than one. Apple, for instance, requires you to enroll two security keys if you opt to use that MFA option to secure your Apple ID. If you’ve enabled SMS codes, authenticator apps, or security keys in addition to your MFA method of choice, you may be able to use one of those instead.
If another MFA option is available, you’ll usually see a link during login that says something like “authenticate me another way” or something similar.
Sometimes, you might not have enabled another MFA method intentionally but the site or service has another option available. For instance, the company may be able to send you a one-use SMS code using a phone number they have on file, or even a push notification to a trusted device.
Where are you still logged in?
If you’re still logged in to the site or service on a different device, you may be able to change your MFA settings and regain access to the account. Although this might work with a desktop or laptop, your best bet is with a mobile device where you’ve installed the service’s app. Apps tend to stay logged in far longer than most websites you visit.
If you can find a place where you’re still logged in, look for the MFA settings. Once you find them, deactivate MFA or add a new MFA option you do have access to. This might be a different security key, SMS codes, or an authenticator app. Most of the time you’ll have to present your password when changing security settings, so be sure to keep that handy.
While you’re exploring this option, be careful not to log out of the service or app until you’ve been able to fully regain control.
Contact customer support
If you’ve run out of MFA options and you’re certain you’re not logged in anywhere else, it’s time to contact customer support. Some companies may have an automated system for confirming your identity and getting you back into your account fairly painlessly.
Other services are stricter, sometimes requiring you to provide additional proof of identity such as a driver’s license. In this scenario, it might take several days or weeks to get access to your account.
In some cases, however, it may not be possible to regain control of your account, either because you don’t have the right materials to do so or because the company’s internal systems are designed to prevent an account takeover at any cost—even if it means some legitimate users are locked out.
In these cases, it might be time to start over and create a new account. If you end up going this route, be sure you’re in touch with customer service first. Even if you cannot access the old account, you may be able to have it deleted and replaced with a new account. At the very least you’ll want to let the company know so a skilled identity thief can’t take control of the abandoned account later on.
How to Avoid Getting Locked Out With Multi-Factor Authentication
Once you’re already locked out of your account, your options for regaining control are limited and may vary greatly. Give yourself the best chance of staying in control of your account by taking the time to set up some authentication contingencies.
The easiest option is to activate more than one MFA option if the account supports it. Again, we recommend avoiding SMS codes if you can. If you have multiple MFA options enabled on an account, you can use an alternative if your primary means of authentication isn’t available.
Also, enable recovery codes if they’re available. This feature sometimes goes by other names like backup codes or recovery keys. Whatever it’s called, the idea is the same: a long string of text characters that can unlock your account when everything else fails. You’ll want to keep this somewhere safe, since it could be used to take control of an account away from you. Consider writing them down in a secure place. If you opt to store your backup codes digitally—as a secure note in a password manager, for example—be sure they’re encrypted and the service at which you are storing them has MFA turned on.
If you’re using security keys, consider getting a second key and enrolling it as a backup to the first key. Many services will allow you to enroll multiple keys for precisely this reason, and Apple requires it if you want to use security keys with your Apple ID. If you’ve decided to upgrade to a new security key, keep the old one as a ready-made backup.
Some authenticator apps back up the code-producing data so you can easily migrate from device to device without the hassle of re-enrolling the authenticator app with each site and service. A few go even further, by storing the code-producing data in the cloud so you can generate codes on multiple devices at the same time. While we think backups are fine, being able to generate codes on multiple devices at the same time does carry some security risk.
Don’t Be Afraid of Multi-Factor Authentication
Switching on MFA can feel like a huge commitment, and a bit frightening at that. After all, if it can keep the bad guys out, it might keep you out, too. But using MFA will absolutely make your accounts safer, and the risk of being permanently locked out is fairly minimal for most accounts. With a little preparation, you can ensure it never happens at all. So don’t wait: enable MFA wherever you can.
Keep in mind that MFA is just one part of the equation. Until passkeys or passwordless authentication become mainstream, you’ll still need to use a unique, complex password for each and every site and service. A password manager will do a much better job inventing and remembering passwords than any human, so use one along with your MFA system of choice.
Finally, if a bad guy has unfettered access to your computer or mobile device, even the best authentication systems will fail. We strongly recommend using local antivirus software to keep attackers from gaining a foothold on your machines.