Two-factor authentication, often referred to as 2FA, is an extra layer of security beyond just a password that helps protect online accounts from unauthorized access. It works by requiring two different forms of authentication when logging in – typically something you know (like a password) and something you have (like a code sent to your phone).
While 2FA provides important security benefits, it can also introduce challenges if you get a new phone number and can no longer access the codes being sent to your old number. Fortunately, there are usually ways to update your authentication methods or otherwise get back into your accounts.
Understanding 2FA and Why You May Need to Update It
Two-factor authentication works by combining two different factors:
- Something you know – This is typically a password that only you know.
- Something you have – This is typically a code generated by an app or sent via SMS text message when you log in. It’s sent to a device like your phone that only you have in your possession.
By requiring both a password and a code from your phone, 2FA makes it much harder for an unauthorized person to access your account, even if they manage to learn your password.
The downside is if you lose access to your phone number, you may get locked out by 2FA. Common scenarios include:
- Getting a new phone number – If you change carriers or phone numbers, your old number will no longer receive 2FA login codes.
- Losing your phone – If your phone is lost, damaged, or stolen, you won’t be able to receive codes to that number.
- SIM swap attack – Criminals may attempt to hijack your phone number by transferring it to a new SIM card. This reroutes your 2FA codes to them instead of you.
In these cases, you’ll need to either update your 2FA settings or use backup options offered by the service to get back into your accounts.
Updating 2FA When You Get a New Phone Number
If you got a new phone number, the simplest solution is to update your 2FA settings so codes are sent to your new number instead. Here are some tips for popular 2FA methods:
SMS Text Message Codes
Many services let you designate a phone number to send SMS text message codes for 2FA logins. To update this:
- Log into your account through the service’s website (if text codes are your only 2FA method, you may need to use a backup option like security questions to get access first).
- Find the security section and look for options to manage 2FA or multi-factor authentication settings.
- Enter your new phone number and save the updated settings.
- You should now be able to receive 2FA codes at your new number when logging in.
Authenticator Apps
Apps like Google Authenticator and Authy generate 2FA codes that refresh every 30 seconds. To update these apps:
- Install the authenticator app on your new phone (you’ll need to re-add all your accounts).
- One by one, log into service accounts via the website and re-scan the QR code to sync your new device.
- Delete the old authenticator app to stop codes going to your old phone.
The exact steps vary between services – look for options like “Add new device” or “Set up authenticator app” in your account security settings.
Hardware Security Keys
If you use a physical security key like YubiKey, simply plug it into your new phone. No further action should be needed. The keys work across devices.
Phone-Based Biometrics
Some services may authenticate you via fingerprint, face scan, or other biometrics registered on your phone. You’ll need to re-enroll your new phone’s biometrics in these services’ apps.
What If I Can’t Update My 2FA Method?
In some cases, you may not be able to update your designated 2FA method right away, such as if:
- You lost access to the old number before updating.
- The service doesn’t offer an easy way to change the 2FA number.
- You don’t have your new phone number yet.
When this happens, most services offer backup options to get back into your account, such as:
Recovery Codes
Many services generate a set of one-time use recovery codes when you first set up 2FA. Keep these codes safe in case you ever lose access to your primary 2FA method.
Security Questions
Answering pre-set security questions may allow you to temporarily bypass 2FA and login.
Email or Mail Verification
Services may email or physically mail you a code to help you get back into your account. This bypasses your phone number.
Account Recovery
You may be able to recover access by verifying your identity through options like providing an ID, answering history questions, or submitting a photo.
Trusted Contacts
Some services let you designate trusted friends or family who can generate a backup code to help you regain access.
Waiting Period
If no other options are available, some services make you wait a set period of time (e.g. 7 days) after attempting account recovery before 2FA is removed so the actual account owner has a chance to intervene.
Best Practices to Avoid Losing Access
To avoid getting locked out by 2FA in the future:
- Update your recovery information regularly, including backup phone numbers and secondary email addresses.
- Keep recovery codes and security question answers in a safe place.
- Link a hardware security key if possible for easy access across devices.
- Review 2FA settings on important accounts now to understand your options before you need them.
- Consider using authenticator apps instead of phone-based SMS or voice codes.
2FA is an important security tool, but also introduces availability risks if you lose access to your authentication methods. Following good practices can help ensure you stay in control of your accounts.
Frequently Asked Questions
How can I receive new phone-based 2FA codes if I don’t have my phone?
Without access to your phone, you won’t be able to receive 2FA codes via SMS text messages, phone calls, or mobile apps. Instead, use backup options offered by the service like security questions, one-time recovery codes, email verification, account recovery flows, trusted contacts, or waiting out a period of time.
What should I do if I’m locked out of an account with 2FA enabled?
First, try updating your 2FA number or authentication method if possible. If not, look for backup options in the service’s security settings. This may involve using recovery codes, resetting via email, answering security questions, submitting ID, contacting trusted friends, or waiting out a period of time before 2FA is disabled.
Can I just call my phone provider to get my old number back?
Unfortunately phone carriers will not typically reassign you an old number after issuing a new one. The old number will be recycled back into their pool of available numbers to assign to future customers. You’ll have to follow your accounts’ 2FA recovery procedures.
What if I can’t access my email for verification codes either?
Some services let you designate a backup email or submit identification by mail. Without access to the registered email, your options may be limited to security questions, trusted contacts, account recovery flows, or waiting out an account lockout period. Reach out to the service’s customer support for help.
Should I avoid 2FA given the risks of losing access to my accounts?
No, 2FA still provides important security benefits against unauthorized access by cybercriminals. Instead, focus on properly backing up and securing your 2FA methods, and understanding your account recovery options in case you ever lose access.
Conclusion
Changing your phone number can disrupt access to accounts protected by two-factor authentication. The best solution is updating your 2FA settings to your new number as soon as possible. If that fails, most services offer backup options to re-gain access such as recovery codes, security questions, trusted contacts, email verification, and identity verification flows. Following best practices around 2FA backups can help avoid serious account lockouts. While 2FA introduces availability risks, the significant security benefits against unauthorized access still make it worth using in most cases.