What to do when you lose your MFA device?

Multifactor authentication is a great security control that makes breaking into user accounts much more difficult. But what do you do if you lose your MFA device? You need to set up recovery methods in advance so that you can get back into your accounts. Different SaaS providers offer different levels of convenience and security for this situation. At work, your IT department will be able to help, so here we focus on the services we use in our personal lives.

Prepare for losing your device: set up your backup options

The most common MFA patterns today involve using a cell phone:

  • A text message (SMS) with a one-time code (this is probably the least secure MFA option)
  • An authenticator app with either a one-time code, or a push notification

If you lose access to the phone, you will be locked out of your MFA accounts. There are two main ways to avoid this:

  1. Download static recovery codes and store them in a secure location. These codes can be used to get access when your MFA device is lost.
  2. Set up multiple MFA channels, so that you can use an alternative channel if your primary MFA device is gone. Make sure they don’t both depend on the same physical device.

Security Consideration

When setting up backup MFA methods, make sure you don’t set up an insecure method that will allow hackers to easily bypass your MFA step. One such option is to use e-mail for one-time tokens, if the same e-mail address can also be used for password reset. If your e-mail address is compromised, the attacker will have full access to your account.

Example 1: Google Account

Google offers multiple logon choices when you try to log on to your account, including passkeys (Google’s description). Setting up a passkey is a good idea: it improves security and usability at once.

Google MFA prompt with multiple options (in Norwegian)

Google offers many MFA options to choose from (I aborted the default way, and clicked “try another way” on the first MFA prompt screen). It allows you to use:

  • Use a physical security key
  • Use a one-time code from another device where you are logged into your account
  • Click “yes” to a pop-up on your phone
  • Use your phone or tablet to get a one-time code
  • Use your passkey

The SMS-based option is blocked because more secure options have been configured. Most of these depend on my phone, so if I lose that one, I have far fewer options. I do have an Android tablet I can use as a backup.

Example 2: Facebook account

A lot of people use Meta’s apps, including Facebook. Being locked out of a social media account is not a fun experience. I have created a demo Facebook account and turned on MFA on this account using an authenticator app. Let’s say I have lost my phone and need to log in. In the picture below I have entered my account’s e-mail address and password, and it is asking for a one-time code from my authenticator.

If you click the “Need another way to confirm it’s you?” link, you get two options:

  • Approve on a device where you are already logged in
  • Upload a government ID to get manual help to reclaim the account

You can also set up multiple authentication methods for MFA on Facebook (and most other big consumer sites). Facebook also lets you create recovery codes that you can save for the rainy day when you lose your phone.

Now, let’s try to log in again and pretend we have lost the authenticator. We don’t get an option to use recovery codes; it looks like we still have to upload an ID to support. But: if you enter one of the 8-digit recovery codes in the field asking for the 6-digit one-time code, it works and you are logged in!
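To show how a service can accept either a 6-digit authenticator code or an 8-digit single-use recovery code in the same input field, as observed above, here is an added Python example. It is not Facebook’s or any vendor’s code; it assumes RFC 6238 TOTP (HMAC-SHA1, 30-second steps), recovery codes stored server-side only as SHA-256 hashes and deleted once used, and uses the RFC 6238 test secret as a constructed sample.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def totp(secret: bytes, for_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP code (HMAC-SHA1, 30 s steps), as produced by common authenticator apps."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class MfaAccount:
    """Server-side MFA state: one TOTP secret plus a set of hashed, single-use recovery codes."""

    def __init__(self, totp_secret: bytes):
        self.totp_secret = totp_secret
        self.recovery_hashes = set()  # only hashes are stored, never the plaintext codes

    def issue_recovery_codes(self, count: int = 8) -> list:
        """Generate fresh 8-digit recovery codes; return them once so the user can save them."""
        codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]
        self.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def verify(self, submitted: str, now: Optional[int] = None) -> Optional[str]:
        """Return 'totp', 'recovery' or None depending on which (if any) factor the input satisfies."""
        now = int(time.time()) if now is None else now
        submitted = submitted.replace(" ", "").replace("-", "")
        if len(submitted) == 6:
            # Accept the current step and one step either side to tolerate clock drift.
            for drift in (-1, 0, 1):
                if hmac.compare_digest(totp(self.totp_secret, now + 30 * drift), submitted):
                    return "totp"
            return None
        if len(submitted) == 8:
            digest = hashlib.sha256(submitted.encode()).hexdigest()
            if digest in self.recovery_hashes:
                self.recovery_hashes.discard(digest)  # single use: a replayed code must fail
                return "recovery"
        return None


if __name__ == "__main__":
    acct = MfaAccount(b"12345678901234567890")  # constructed sample secret (RFC 6238 test vector)
    saved_codes = acct.issue_recovery_codes()
    print(acct.verify(totp(acct.totp_secret, int(time.time()))), acct.verify(saved_codes[0]))
```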

MFA Anti-Lockout Recipe

OK, so if you enable MFA without doing any preparations for losing your device, you will be in trouble the day your phone is lost. Here’s what to do:

  1. Set up MFA with your primary method. Use the most secure option you are able to use.
  2. Set up a backup MFA method. Try to avoid e-mail and SMS if you can.
  3. Download and store recovery codes somewhere safe if offered in the app. The best place is probably a password manager.
  4. Set up notifications for unknown logins, for example from new devices or new countries, if offered. This will help you react quickly if something unexpected happens.

Happy surfing without getting locked out of your account because MFA got in the way!
