How to Avoid Getting Locked Out When Using Two-Factor Authentication

Two-factor authentication secures your accounts with a code in addition to your password. You can’t get in without the code sent to your phone. But what happens if you lose or reset your phone? If you don’t plan your recovery method ahead of time, you could permanently lose access to your accounts.

Here’s what you should do right now to make sure you don’t get locked out in the future.

Print Your Backup Codes and Store Them Securely

Here’s the most important thing you should do: Print out the “backup codes” for all your accounts and store them somewhere safe. These codes will allow you to regain access to your account if you ever lose your two-factor authentication method in the future. Keep them in a secure location.

When you set up two-factor authentication for an account, that website will often ask you to print out backup codes to ensure you’ll never lose access. If you didn’t print out any backup codes when setting up two-step authentication, you should do so now, while you still have access to the account.

For a Google account, these backup codes only work once each, ensuring that anyone who intercepts the code can’t log into your account with it afterwards. If you run out of codes, be sure to generate some more. You can print backup codes for your Google account from the two-step verification settings page. If you’ve set up two-factor authentication for any other websites, sign into your account on the website and look for information about backup codes under your two-factor authentication settings.
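To show why a single-use backup code is safe to keep on paper, here is an added example (not code from the article or from any of the services it names) of how a service can record backup codes on its side: it keeps only keyed hashes of the unused codes and deletes a hash the moment that code is redeemed, so a code that has been used or intercepted is worthless afterwards. The class name, the server key and the 8-digit code format are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class BackupCodeStore:
    """Hypothetical server-side record of one account's unused backup codes.

    Only keyed hashes are stored: a leaked database yields neither the codes
    nor, without the server-side key, a cheap offline brute force of the
    8-digit code space.
    """

    def __init__(self, server_key):
        self.server_key = server_key   # secret held only by the service (assumed)
        self.unused = set()            # hashes of codes not yet redeemed

    def _digest(self, code):
        # Treat '4821-0937', '4821 0937' and '48210937' as the same code.
        digits = ''.join(ch for ch in code if ch.isdigit())
        return hmac.new(self.server_key, digits.encode(), hashlib.sha256).hexdigest()

    def issue(self, count=10):
        """Replace any unused codes with `count` fresh ones and return the
        plaintext codes exactly once, for the user to print and file away."""
        codes = ['%04d-%04d' % (secrets.randbelow(10_000), secrets.randbelow(10_000))
                 for _ in range(count)]
        self.unused = {self._digest(c) for c in codes}
        return codes

    def redeem(self, submitted):
        """Consume one code. Returns True exactly once per code; a replayed or
        intercepted code is rejected because its hash was removed on first use."""
        d = self._digest(submitted)
        for stored in list(self.unused):
            if hmac.compare_digest(stored, d):
                self.unused.discard(stored)
                return True
        return False

    def remaining(self):
        """How many codes are left; when this reaches zero, issue() more."""
        return len(self.unused)
```

Calling `issue()` again invalidates every older code, which is why regenerating codes is also the right move if a printed sheet goes missing.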

Use Authy (or Back Up Your Two-Factor Data)

When it comes to two-factor authentication, we prefer the Authy app to Google Authenticator or SMS. Authy allows you to sync your two-factor tokens between your devices. When you get a new phone, you can easily move your data to it. Or, you could share the data between a phone and tablet. Authy is compatible with Google Authenticator and works anywhere you’d use Google Authenticator, too.

Despite these sync features, Authy is still secure, as long as you use it properly. It can back up your tokens online so you don’t lose them, but these backups are encrypted with a password you provide so other people can’t access them. You can also enable or disable the multi-device sync feature, so you could just toggle that on whenever you want to add a new device and disable it afterwards. But that backup feature could help get you out of trouble if you ever lose access to your tokens, too.

Google Authenticator doesn’t provide you with a way to easily move your tokens to a new phone. But, if you’re using Android and prefer Google Authenticator, you can create a backup copy of your Google Authenticator app’s data using Titanium Backup and restore it on another phone. This requires root access.
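What Authy syncs, and what a Titanium Backup copy carries over, is the per-account secret (the “seed” from the QR code you scanned); the six-digit codes are derived from that seed and the current time alone. The added example below (not code from the article, Authy or Google Authenticator) implements the RFC 6238 TOTP algorithm those apps use, so that any device holding the same seed produces the identical code at the same moment. The seed used here is the RFC 6238 test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_base32, at_time=None, digits=6, step=30):
    """RFC 6238 TOTP with HMAC-SHA1 and 30-second steps, as used by
    Google Authenticator and Authy. The only input besides the clock is
    the base32 seed, so copying the seed to a new phone is enough to keep
    generating valid codes."""
    padded = secret_base32.upper() + '=' * (-len(secret_base32) % 8)
    key = base64.b32decode(padded)
    now = time.time() if at_time is None else at_time
    counter = int(now // step)
    mac = hmac.new(key, struct.pack('>Q', counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack('>I', mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return '%0*d' % (digits, code % 10 ** digits)


# Constructed seed: the RFC 6238 test key "12345678901234567890" in base32.
RFC_TEST_SEED = base64.b32encode(b'12345678901234567890').decode()


def same_code_on_both_phones(seed_old_phone, seed_new_phone, at_time):
    """Simulates the old phone and a restored new phone at the same instant.
    True only if the restored seed is byte-for-byte the original one."""
    return totp(seed_old_phone, at_time) == totp(seed_new_phone, at_time)


if __name__ == '__main__':
    print('code now:', totp(RFC_TEST_SEED))
```

The flip side is also visible here: the seed is the whole secret, so an exported or synced copy deserves the same protection as a password, which is why Authy wraps its backups in a password of your choosing.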

Confirm Your Linked Cell Phone Number

Many websites where you use two-step authentication also allow you to provide a cell phone (or landline) number. They can send you a text message (or voice call) with a recovery code, and you can use that to override the two-step authentication and regain access to your account, if you can’t get in the usual way.

Be sure to check the phone number you have linked to your accounts. If an account doesn’t have your current number on file, you can’t use that phone number to regain access. If you get a new phone number, be sure to update it with the services you use so you won’t get locked out of your accounts.

Even services that provide backup codes will allow you to link a phone number, ensuring there are plenty of different ways you can regain access to your locked account, if you ever need to. As with backup codes, you’ll find this option in the account’s two-step authentication page. For example, for a Microsoft account, this option is available on the account’s Security settings page.

Ensure You Have a Linked Email Address

Some services also allow you to remove two-factor authentication via a confirmation link or code emailed to a linked email address. Ensure any email addresses you have on file with your accounts are current. If the service is linked to your main email account, this will be simple. But, if the service is your main email account, you might want to set up a separate backup email address for it—just in case.

You should log into any email addresses regularly, as companies like Microsoft, Google, and Yahoo reserve the right to delete “inactive” email accounts that aren’t logged into on a regular basis. You wouldn’t want to find that your email address was incorrect or no longer exists if you need it to recover your account.

Check Your Personal Information

You should also ensure any personal information you’ve provided to websites you use two-factor authentication with is correct. For example, you may be asked to confirm the answers to any security questions you previously set up, recite the birthday as it appears on your account, or confirm any other personal information the service has on file. If you gave the service wrong information because you just didn’t want to share your real personal details at the time, you may want to go back and correct it.


Always have a backup plan when using two-factor authentication. If you skip printing out backup codes and your phone is stolen so you can’t generate codes or get a recovery code via text message, you could be in trouble.

Image Credit: selinofoto/Shutterstock.com.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Twitter.