HACKER Q&A
📣 jononomo

How do you start over with 2FA after losing your phone?


I left my iPhone in a cab in Costa Rica by mistake. I may as well have thrown it into a volcano.

I have 2FA set up on three dozen different and important online accounts, and it's all through the Google Authenticator app on that iPhone.

Is there a recommended way to go about this problem?

Or have I locked myself out of my entire life?


  👤 capableweb Accepted Answer ✓
Use your backup codes that you've downloaded and safe-kept somewhere (you did this, right?). If not, I'm afraid you're out of luck.

There are two possible outcomes from contacting support for a service, asking to regain control over a 2FA-protected account, both of which suck, but on different levels.

1. You write them, proving who you are, and they tell you to get lost unless you have the proper 2FA codes, or backup codes. This sucks because you still didn't get access.

2. You write them, proving who you are, and they give you access to your account, so you can reset 2FA. This sucks because this means the service is not secure and you/others can be "hacked" because customer support can be exploited.


👤 djha-skin
I use the KeePassXC password manager[1]; it keeps my TOTP information and makes it available to use on all my devices. It syncs between my devices using Dropbox. KeePassium[2] makes it available on iOS, and Keepass2Android[3] makes it available on Android. It also manages my SSH keys and adds them to the ssh-agent, even on Windows. It houses a backup of my GPG keys. I even found that it can manage my credentials for use in scripts and git using git-credential-keepassxc[4].

Similar functionality can be had from 1Password[5], if you're into the more fancy experience. As a bonus this approach makes it very easy to store all those backup codes that totp services often give you. Won't help your current predicament but will prevent it from happening again :)

1: https://keepassxc.org/

2: https://keepassium.com/

3: https://github.com/PhilippC/keepass2android

4: https://github.com/Frederick888/git-credential-keepassxc

5: https://1password.com/


👤 jqpabc123
Always, always create a backup. Or three.

I carry a backup with me strapped to my wrist. It is a cheap digital watch with a strap modified to securely hold a microSD card with all my really important, must-have data, encrypted with BitLocker. This data is as safe as I am.

I leave a copy of this card in a fireproof safe at home. A trusted family member has the combination. A friend has the BitLocker decrypt key. My will brings these two people together to obtain access to the data in case of my demise.

Twice a month, I swap the two cards and update the one I will carry with only the changed info using an xcopy batch script.

My Android phone also has my 2FA keys using FreeOTP+ with an access code and backup capability.

I keep the backup from FreeOTP+ on the memory cards along with a little Windows CLI utility of my own making that can read this backup and generate 2FA codes as needed.

I'm fairly confident I won't ever be totally locked out of my accounts.

If you are locked out without a backup, your only realistic option is to contact each service provider and follow their instructions.


👤 tpoacher
Not that this is of help to you now, but my own controversial take is, avoid any services that push 2FA. Especially if they do so aggressively.

This includes things like switching from GitHub to sourcehut for me (though MS+Copilot didn't help either).

For services where you can't avoid it (e.g. your company email), download a local OTP app, effectively converting back to 1FA, for each device you use to access that service.

2FA is a cancer and needs to die. Mandatory-phone-based 2FA doubly so. The only thing mandatory phone 2FA has done for me is it gives websites an excuse to make a phone a "necessary" field, so now I get spam/scam on my phone as well as my email.


👤 ecesena
If you have a backup, try to restore it on your new iPhone. In the past, Google Authenticator didn't restore, but I read it may now?

FWIW, this is the reason I use Authy; it works nicely with backup/restore. Beware that Authy has a cloud backup/multi-device function that I personally keep off. Another option would be 1Password, though I personally wouldn't mix passwords and 2FA codes in the same app.

Assuming the worst case where you can't recover the codes, and assuming of course you never stored the offline codes, you have to go through the process of recovering 2FA.

This usually requires submitting documents that prove who you are, and waiting 1-2 weeks. So the only recommendation is to begin this process asap.

And while you re-set up 2FA, make sure you either keep a backup or use an app that works when you backup+restore your phone. I'm sure others will provide more options. Good luck!


👤 mikece
Backups: you MUST have a backup! One thing I do is avoid proprietary apps like Google Authenticator and make sure I store the TOTP key separately so I can reconstitute my TOTP codes in another app if necessary. Backups are kept on a backup handset, on my computer, and in an encrypted volume in the cloud at a minimum. What's a little harder to deal with are the services/providers that insist on SMS 2FA (and not to a VoIP number).

👤 codegeek
I don't know if I can help OP, but for anyone reading this who uses Google Authenticator: PLEASE BACK UP AUTHENTICATOR on another phone. It is very easy. Here are the steps:

https://www.protectimus.com/blog/google-authenticator-backup...


👤 lordnacho
You can back up your 2FA codes to another phone, at least Google Authenticator lets you do this. An old phone is the easiest, most convenient way to do this since it has a camera that you can use to scan the code on your main phone.

If you don't have the backup codes or the one-time codes, you're going to have a problem and you'll need to contact the services to somehow let you in or take off 2FA. Depending on what the service is, it might get very tedious.


👤 DogLover_
The problem with backup codes is that many people don't understand how crucial they are if they lose their device. Even IT people. I believe it is a step many skip because they falsely believe they can get access in some other way if necessary.

That it has become standard makes me think the inventors/providers have not thought it through.


👤 lifely
I've never trusted a single device for two factor authentication.

My solution: trust in 1Password and its encryption. I have access to my 2FA anywhere I need, be it a computer, phone, or tablet.

Soon it will be passkeys and they'll be safe in the 1Password vault, no worrying about losing the device w/ the keys again.


👤 TedDoesntTalk
I know it doesn’t help now, but next time use Authy instead of Google Authenticator. It can sync to multiple devices. I have it synced to my laptop so if I lose my phone, I still have Authy on my laptop with all 2FA.

👤 Tade0
Funny you should ask - a while ago I had the screen and battery replaced in my phone, so I did a factory wipe.

Little did I know, backing up the Google Authenticator app doesn't preserve the config, so all my codes were gone.

Apparently most services don't mind and will let you disable MFA via email confirmation.

One notable and unlikely exception was OVH - luckily I had backup codes, so I didn't have to present them my id.


👤 huhneverthot
You know the big black bold huge warning you clicked through to activate 2FA? The one that told you you really really needed to save backup codes? The one that said you will lose your account without said backup codes?

You do have those backup codes, right?

Backups, password managers, now 2FA backups: all things that people just cannot seem to care about until it's too late.


👤 nashashmi
Google Authenticator is the worst, last time I used it. Too often my 2FA codes would not remain after updates. And when it did remain, it would not transfer to new phones.

iPhone has a built in 2FA code generator.

HTTP://TOTP.app is a web app that stores 2FA codes. Awesome to use. But you have to remember to download and back up the codes stored in TOTP.

Microsoft Authenticator used to be my favorite because it would sync phenomenally well.

In the following order, I would rank the 2FA code generators:

1. iPhone (especially if you are using iCloud password manager).

2. totp.app (you can use it even on desktops and every device you possibly have)

3. Microsoft auth (it only backs up to iCloud on iPhone. On android it backs up to an MS account. Can’t be used on desktop).

Depending on the service, you have locked yourself out of that service. I screenshot and store 2FA codes on paper because too often I lost my codes because of terrible, unreliable apps.


👤 owurkan
Hopefully you have recovery codes for all these accounts. With that said, I don't like to rely on these recovery codes bc of some horror stories. Alternatively, when setting up 2FA, you can for example:

- Use Authy bc it syncs tokens in the cloud and so you can recover your 2FA tokens on a new phone based on your phone nbr. I used to do that but have stopped bc Twilio (owner of Authy) is slowly retiring the product.

- Keep a copy of each token when you set up 2FA. I keep an encrypted disk image with a list of my 2FA tokens. Yes, it weakens the security a little bit. But I sleep well bc I won't lock myself out in case of trouble. It's a trade-off I embrace.

👤 josteink
When you enable 2FA you are, on pretty much every service, asked to download recovery codes and save them somewhere safe. Did you do that, and if not, why not?

Also: didn't you back up the 2FA codes somewhere else where you can "sync" them in?

I use Bitwarden Authenticator for 2FA (part of Bitwarden Pro) and it syncs my 2FA codes to all devices where I log on to Bitwarden. That way I avoid a single point of failure. Consider that the next time around :)

As a meta-comment on this thread itself... That even people here on HN can enable and make use of 2FA incorrectly is the reason it will never be a viable way to protect accounts for "everyone and their grandmother".

It's too complex, and we need something better.


👤 Saris
Unfortunately Google Authenticator is a bit user-hostile and doesn't offer backups. Aegis is a nicer alternative that does; I would recommend using that or something similar as you set things back up.

👤 ethicalsmacker
This is a complex problem. I considered this for many hours.

How does one securely restore their secure measures once their devices are lost?

Assume you lost your phone, laptop is also gone and your house burned down and your papers are gone with it.

I personally symmetrically encrypt my ssh keys and send them to my wife every six months or so. I also send them to a burner gmail account I use basic password auth with.

In a chaotic moment I can just ask my wife to download the file from her email and I can decrypt and ssh into my server where I store all files and important things encrypted.


👤 gbraad
Keep hard copies... Share an export from an app like Aegis

Google's doesn't have an export AFAIR. If rooted you might be able to import to Aegis.

Oh right, an iPhone. And you lost the phone? You're screwed.

You can only try to get the 2FA removed, but for AWS this process is hard; others might be OK... or unreachable, like Google. I've been through this, but luckily kept backups in other accounts, and just had a hard time remembering the password under stress. My devices were stolen from my home.


👤 nigamanth
This same thing happened to me with Discord once, I just wrote to them and filed a complaint saying my account got "hacked" and that the hacker changed the 2fa mobile number.

With adequate proof and justification I think you should be able to get back your accounts, that is, if your service does allow you to get back your account. One tip is to have multiple phones for 2FA and then just not use the other phone; if you don't use it, how can you lose it? (That's what I did since I lost it once.)


👤 thecopy
This is what the recovery/backup codes are for. Unless you have saved them somewhere, I would assume you have lost access unless each service has a support path for you.

👤 lazyeye
I have 3 phones, my primary phone and a couple of older phones. The older phones are not connected to the internet.

I always register new authenticator accounts on all 3 of them.


👤 jefftk
Not a solution for the OP, but to anyone else reading: do not set up 2FA with a single point of failure. If you lost any one thing, would you be locked out like the OP?

If you have to use TOTP codes be religious about saving your backup codes. Otherwise, using multiple security keys means you can recover from losing one, with the bonus of phishing protection (since they can't be tricked into supplying your codes to the wrong domain).


👤 Lambdanaut
This is crazy haha. I literally just left my phone in a cab(tuktuk) in Costa Rica a couple weeks ago.

It was in my hand one second and then I got out and it wasn't.

I've had to contact each organization I have 2fa with and get 2fa reset through personal identification measures.

For my company that meant a quick zoom call. For banking that meant driver's license scans and photos of me.

You'll have to work with your 2fa providers.


👤 huijzer
When setting up 2FA, the services typically give a list of recovery codes which you hopefully still have. With those, you can gain access and link other 2FA devices.

If you have the recovery codes and got access again, then you can get a bit more redundancy in your system by also setting up security keys such as a Yubikey. These keys can be added next to your authenticator app(s).


👤 tacostakohashi
I right-click / "Save Image As..." on the image with the QR code, and store all the images in a directory so I can re-import them as needed.

Low-tech compared with all the other suggestions here, I should look into how to extract/store the actual seed values instead, etc... but it works for me and has done for years.


👤 manv1
Use a 2FA app that backs up to iCloud or syncs to another copy of itself somewhere.

Google authenticator is great, until it wipes out all your entries. It did that a few years ago for reasons unknown, so I moved to 2STP (which is now unavailable).

Also, the app you use should have an apple watch app, so at least if your phone dies you can use your watch to authenticate.


👤 can16358p
Happens all the time when I get a new phone because for some reason Authenticator (MS) never transfers the authentication codes while setting up a new iPhone (just why?).

Providing identity documents to any services that I don't have backup codes for solves the problem. Never had an issue with any service, but it's annoying.


👤 dpz
Unfortunately not unless you have recovery codes.

You can prevent this for the future by pretending you can read the QR codes and getting the secret string, allowing you to set up across multiple devices.

Your best bet would be contacting support for individual accounts and hoping you have enough historical information to be approved access.


👤 71a54xd
If you don't have backup codes most companies have a manual flow to regain access. It's a pain, but to be honest I prefer it that way instead of leaving more vectors for social engineering to compromise my accounts.

👤 rodolfosilva
I think you have iPhone backup on icloud. If you get your phone number back, you can unlock your life again.

👤 rhn_mk1
The solid way to do it is to have a backup, like another second factor enrolled and stored in a safe place. Or to have recovery codes.

Without those options, now that you lost the only second factor, you have to reach out and convince the service providers that you're you. Good luck.


👤 moviuro
As specified when activating MFA, did you download (and print) your backup codes? If so, use them to re-enroll a new device into MFA.

If not, you can try reaching out to customer service after you get a new SIM card.

For banking and everything else IRL, you can just walk up to the teller with your ID.


👤 tinus_hn
For the services that don’t allow their keys to be included in the backup this is a common occurrence and they will probably have a support system that will allow you to reset the authentication. Which makes 2fa worthless theatre but that’s reality.

👤 sebivaduva
If you have lost your phone, you will need to contact your authentication provider to disable 2FA on your account. Once you have regained access to your account, you will need to re-enable 2FA.

👤 jgalt212
Can't you get the seed values out of Google's Authenticator (which is TOTP?)? I would put these somewhere safe, rather than save a bunch of backup codes.

👤 hmate9
If you’re reading this and don’t have backup codes for Google auth stored somewhere offline then this is your wake-up call to do it now.

👤 happynacho
I use Step Two which also has a Mac app, that also does sync to iCloud.

Not a single point of failure.


👤 guluarte
Using an auth app that supports encrypted cloud backups, like Bitwarden, MS Auth, etc.

👤 ectospheno
The iOS password area of Settings also handles verification codes. They are synced across all of your devices. So if you always leave one device at home, then you can't get locked out by losing your phone.

👤 jodrellblank
> "Is there a recommended way to go about this problem?"

Restore the backup of your phone which you have locally in iTunes, or in iCloud.

(And, before you lose it, take a backup)