What Happens if I Lose My Device With 2FA on it? (2024)

If your device with 2FA (two-factor authentication) is lost, broken, or stolen, you should, and most likely will have to, change your passwords, set up 2FA again, and get new verification codes.[1]

In other words, you should, and most likely will have to, start from scratch due to the way 2FA works (although you can use the same email).

You should because losing your device compromises your security: 2FA functions on the device itself, even without the internet.

You have to, in some cases, because without backup codes for every account there is no way to recover your 2FA.

TIP: It isn’t enough to just have one backup code, for example, the backup codes you get when you set up Google 2FA. To fully recover your 2FA, you need to have the backup codes of each account you set up 2FA on. This code is a security token that is a string of numbers and letters and/or a QR code. It is the code you use to set up your 2FA when you turn it on for a given account.

Given the above, it can be smart to always install 2FA on more than one device (you can export each account with Google Authenticator to do this, for example), to save the backup codes you get when you set up your 2FA, or to use a service that lets you securely store your codes in the cloud (for example, Google Authenticator offers cloud-based backups). All of these tactics will help speed up the process if a device is lost, broken, or stolen. Remember, though, that if it’s stolen or lost, you should start from scratch, since someone might have access to your codes.

With the above in mind, recovery is easier with some 2FA types than others. There are basically two different types of authenticators: those that you can’t recover if you lose your device, and those encrypted on a cloud that you can.

If you can recover your 2FA, then you can go through the recovery steps.

With 2FA, however, part of the security comes from the 2FA app being device-specific. Given this, some 2FA options won’t offer cloud-based backup. For these, the only way to add the same 2FA with the same codes to another device is to have your backup codes or to back up your codes.

When you first generate your 2FA you get a security token / QR code you can use to create your 2FA, and you get backup codes. You’ll want to save both of these for account recovery (and yes, that means taking a screenshot of the QR code to use later).

Further, every time you set up 2FA on another account, you get a security token / QR code and often backup codes which you can save for account recovery later.

If you have saved all of these, either when created or via exporting them, you can use the tokens and backup codes to re-create your 2FA. If you didn’t, you can’t.

Also, you can transfer your codes to a new device; for example, you can transfer your Google Authenticator codes. This is one way to have more than one device with the same codes.

With that said, as noted already, if you lost your phone or had it stolen, you compromised your security… and that means you should set up new 2FA on all your accounts anyway.

Still, having the backup codes/keys can make that process easier, as you won’t have to contact support for every platform with 2FA to have it reset. You can reset it yourself.

Even better, if you have 2FA on more than one device, you can quickly switch everything to a new 2FA after losing your device without having to deal with backup codes.

TIP: Especially with device-specific 2FA, where your info isn’t recoverable via a cloud-based service, the most important part of account recovery isn’t your main 2FA account. It is the security tokens / QR codes / backup codes you get when you set up 2FA on a given account. You can actually use those codes to access your accounts with 2FA on them, even if you can’t recover your main account. So, for example, if you have Google 2FA and then use it to put 2FA on Facebook, it is the Facebook security token that is the most important code to store for account recovery. Still, if you want to get everything back just the way it was, it makes sense to save all your tokens and codes for your main 2FA account too.

TIP: Always store important information offline in a secure format. For example, an encrypted USB drive is a good tool for storing important information like security tokens offline. You can even disconnect from the internet when you connect it to your computer for extra security.

Article Citations

  1. Common issues with 2-Step Verification. Support.Google.com.

As a cybersecurity enthusiast with a deep understanding of two-factor authentication (2FA) and its intricacies, it's crucial to address the potential risks and recovery processes associated with the loss, breakage, or theft of a device configured with 2FA.

The article emphasizes the importance of taking immediate action in such scenarios to maintain the security of your accounts. Here's a breakdown of the concepts discussed in the article:

  1. Recovery Process:

    • When a device with 2FA is lost, broken, or stolen, changing passwords and setting up 2FA again is recommended.
    • Starting from scratch is often necessary due to the nature of 2FA, even though the same email can be used.
    • Security is compromised when the device is lost, as 2FA functions on the device itself, independent of internet access.
  2. Backup Codes:

    • Lack of backup codes for every account may make 2FA recovery impossible.
    • Merely having one backup code is insufficient; each account's backup codes are essential for full recovery.
    • Backup codes are alphanumeric strings or QR codes used during 2FA setup, serving as security tokens.
  3. Multiple Devices and Cloud-Based Backups:

    • Installing 2FA on more than one device is advisable.
    • Exporting accounts with Google Authenticator allows for 2FA on multiple devices.
    • Services like Google Authenticator offer cloud-based backups for codes, aiding in faster recovery.
  4. Types of Authenticators:

    • Two main types of authenticators: those that can't be recovered if the device is lost and those encrypted on a cloud for recovery.
  5. Recovery with Backup Codes:

    • Recovery is easier for 2FA types that allow backup code usage or have cloud-based encryption.
    • Backup codes and security tokens/QR codes are crucial for account recovery.
  6. Transferring Codes to a New Device:

    • Transferring 2FA codes to a new device, such as Google Authenticator codes, is possible.
    • Despite the transfer option, losing a device compromises security, necessitating new 2FA setups.
  7. Account Recovery Priority:

    • In device-specific 2FA, the focus should be on securing security tokens/QR codes/backup codes for individual accounts.
    • Storing these codes offline, like on an encrypted USB drive, enhances security.
  8. Tip for Enhanced Security:

    • Always store important information offline, such as on an encrypted USB drive.
    • Disconnecting from the internet when using the drive adds an extra layer of security.
  9. Citation:

    • The article refers to common issues with 2-Step Verification on support.google.com as a source of information.

In summary, the article underscores the importance of proactive measures, including multiple backups and secure storage, to ensure a smoother recovery process in the event of a lost or compromised device with 2FA.

Article information

Author: Edmund Hettinger DC
