How to Avoid Getting Locked Out by 2FA

Last updated on April 8th, 2023 at 03:42 am

A laptop with the text "Access Denied."
Image made by Safe Not Scammed using Canva.

Two-factor authentication (2FA) levels up your account’s security by requiring you to prove your identity in an additional way when you log in. But if you can’t complete that second authentication step, you’ll find yourself locked out of your own accounts, at least temporarily.

Unfortunately, getting locked out by 2FA is relatively common. According to a survey I ran, 40% of people have found themselves in this situation.

The risk of getting locked out of your accounts does not mean you should avoid enabling 2FA, however. That’s because there are simple precautions you can take to ensure you still have access to your accounts even if you have a 2FA snafu.

Precaution #1: Save your backup codes!

Backup codes

Write down these codes and keep them in a safe place.

If you lose your backup codes, you can visit your settings to generate new ones.

Okay.
An example of backup codes. Screenshot by Safe Not Scammed.

If something goes wrong with your 2FA, like you lose your phone and with it your authenticator app, backup codes can save the day.

Backup codes are one-time-use codes you can use in place of your usual 2FA method when logging in. They are issued by the site that you have an account with, e.g. Google, Twitter, Dropbox, though not all sites support them.

Many sites that offer backup codes generate them for you automatically after you turn on 2FA and will tell you to write them down or print them out. Others won’t generate them automatically, but will allow you to set them up manually.

In either case, you should be able to view your backup codes or generate new ones in the 2FA settings of your online account. Make sure you do in fact write them down or print them out and keep them in a safe place, ready to use in case you experience a 2FA emergency!

If you do need to break out your backup codes, you’ll first need to enter your username and password on the site you want to log in to. Then, when prompted to authenticate with your second factor, look for a link that says something like “Try another way.” Click on that link and you should be able to enter your backup code. Once you’ve done that, if the code is valid, you’ll be logged in!

2-Step Verification
To help keep your account safe, Google wants to make sure it's really you trying to sign in.

There was a problem.
Try using your security key again or try another way to verify it's you.

Try another way. Try again.
If you need to use a backup code, look for an option that says something like “Try another way.” Screenshot by Safe Not Scammed.

As backup codes are single use only and not a replacement for your regular 2FA method, you’ll then want to head to your 2FA settings, remove the 2FA method you no longer have access to, and set up a new one. If you’re running low on valid backup codes, it would be a good idea to generate a set of fresh ones as well.
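To show why a backup code only works once, here is an added sketch of how a site might handle them on its side; it is not code from this article or from any of the sites named above. The `BackupCodes` class, the low-code threshold, and the choice that generating a new set replaces the old one are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

LOW_WATERMARK = 3  # assumed threshold for prompting the user to regenerate


class BackupCodes:
    """Hypothetical per-account backup-code store (illustrative only)."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._unused = set()  # digests of codes that have not been redeemed

    def _digest(self, code):
        # Ignore spacing, dashes and case so a hand-typed code still matches.
        normalised = code.replace(" ", "").replace("-", "").lower()
        return hashlib.pbkdf2_hmac("sha256", normalised.encode(), self._salt, 100_000)

    def generate(self, count=10):
        """Issue a fresh set, returned once for the user to write down.
        Assumption: a new set replaces, and so invalidates, the old one."""
        codes = [secrets.token_hex(5) for _ in range(count)]  # 10 hex characters
        self._unused = {self._digest(c) for c in codes}       # store digests only
        return [f"{c[:5]}-{c[5:]}" for c in codes]

    def redeem(self, attempt):
        """Return True once per valid code; the code is consumed on success."""
        candidate = self._digest(attempt)
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                self._unused.remove(stored)  # single use: a replay now fails
                return True
        return False

    def remaining(self):
        return len(self._unused)

    def running_low(self):
        return self.remaining() < LOW_WATERMARK


if __name__ == "__main__":
    store = BackupCodes()
    first, *_ = store.generate()
    print(store.redeem(first), store.redeem(first))
```

Because the store keeps only salted digests, the codes cannot be shown again later, which is why they need to be written down when they are first displayed.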

Precaution #2: If you use an authenticator app, make a backup.

The Settings tab of the Authy app.
My account Accounts Devices
Backups (enabled)
Change Password
Click to change your password
Authenticator accounts
Authy backups are enabled! Image credit: Rebecca Lea Morris.

If you don’t have a backup of your authenticator app and you lose or break your phone, your 2FA codes disappear along with it. Fortunately, pretty much all authenticator apps give you a way to back up your data and save your 2FA codes in case the worst happens. 

The process of setting up and restoring backups is different for different authenticators, so you’ll need to look up the instructions for the specific app you use. If you use Microsoft Authenticator, you can check out my guide for a walkthrough. If you use Authy, you can read Twilio’s documentation on backups and sync. And if you use Google Authenticator, you can take a look at PasswordBits’ guide to backing it up.

Once you’ve prepared your backup, you’ll be ready for a 2FA emergency. For example, if you lose or break your phone, you can re-download your authenticator app on a new device and start the recovery process without breaking a sweat.

Precaution #3: If you use a security key, make a backup.

One YubiKey is plugged into an Android phone, while two YubiKeys are sitting on top of the phone.
My three Yubikeys. Image credit: Rebecca Lea Morris.

Losing your security key is bad news, as you’ve literally lost the key to your online accounts. And, unlike an authenticator, you can’t back up the data on a security key, meaning you can’t just buy a new one and restore the data from the one you lost.

However, most sites that support security keys allow you to set up more than one. This means you can set up a second key at the sites you use and store it somewhere safe as a backup. That way, should you lose your regular security key, you’ll still be able to use your backup to log in to your accounts. And when you log in, don’t forget to remove the lost key from your 2FA settings.

Precaution #4: Set up alternative forms of 2FA

Two YubiKeys sit on an Android phone with different authenticator apps installed.
You could enable security keys plus an authenticator app as a backup option. Image credit: Rebecca Lea Morris.

Many sites offer multiple different 2FA methods, including SMS, email, push notifications, authenticator apps and security keys. You can take advantage of this by setting up two (or even more!) forms of 2FA, such as an authenticator app and security keys. However, you should avoid using SMS-based 2FA, even as a backup, because it is neither secure nor private.

That way, even if you encounter a problem with one form of 2FA, you’ll still be able to log in using the other method. For example, if you set up an authenticator and security keys on your account and you lose your phone, you can still use your security keys to log in. Just remember to remove the 2FA option you no longer have access to once you log back in.

The takeaway

Being locked out of your own accounts because of a 2FA snafu can be scary and annoying. But it doesn’t mean you shouldn’t enable 2FA! By taking simple precautions, you can make sure any 2FA hiccups don’t cause you to lose access to your accounts.
