Two-Factor Authentication: What If Your Cell Phone Is Not Working or Lost?
What is Two-factor authentication (2FA)?
Two-factor authentication (also known as 2-step verification, multi-factor authentication, etc.) makes signing into an account more secure (and as a result, more effort) by requiring you to provide additional verification that it’s really you when you’re signing in. A wide variety of online vendors offer it as an option (and some go further and require it), including email accounts, banks, credit cards, investments, medical patient portals, insurance companies, shopping, social media, education, entertainment, backup, utilities, subscriptions, online storage, and more.
The most common online “second factor” is a randomly-generated “authentication code” or one-time password (OTP). This is typically a 4- to 8-digit number that you are required to type in, usually after entering your username and password. For your security, it usually also expires after 10 or 20 minutes (making it a time-based OTP or TOTP), and can be sent to you:
- In a text message (or notification) to your cell phone.
- In a robotic voice call to any phone of your choice.
- In an email message, which you might access on a computer or mobile device.
- In an “authentication app” on your computer or mobile device.
- Via a “security token,” a small physical device that you would carry with you.
There are also many other verification methods, including tapping on an “Allow” or “Trust this device” button that would appear on your iPhone, iPad, or Android, providing a fingerprint or a view of your face or retina, etc.
2FA technology increases your security, but it’s also not perfect. There are a number of simple things that might go wrong, including:
- Your cell phone isn’t working (the battery might be run down or you can’t get a signal), or is lost, misplaced, or stolen.
- Your device can’t read your fingerprint or see your face or retina clearly.
- You’re using someone else’s computer, not the one you normally use.
- You’re an authorized person (assistant, bookkeeper, attorney, guardian, caregiver, or another type of “third-party” user) trying to sign in to an account with the permission of the account holder (who might be busy, traveling, disabled, or deceased) and you don’t have access to any of their second factors.
The general solution
Whether you choose to add 2-factor authentication to improve the sign-in security for a particular account or whether you’re forced to set it up by the vendor, I recommend that you review all of the options (and their consequences for you), including:
- What are your verification choices? Will they send codes to you via text message, voice call, or email? Can you use an authenticator app?
- Do they let you set up multiple methods? Multiple phone numbers? Multiple email addresses? Multiple devices, e.g., computer, smartphone, tablet, etc.?
- Which option(s) are best for you?
- What if your cell phone (or other device) isn’t available or working?
- What if something happens to you and someone else (who you know and trust) needs to sign in?
Once you set it up, I also recommend that you note your 2FA choices in your password chart, e.g., “Belmont Savings Bank: username A, password B, 2-factor codes go to my cell phone C via text message or to my landline D via voice call.”
Important security advice
Even though 2FA makes signing in more secure, you can still be tricked into compromising your security. For example:
- Don’t give any authentication codes (or any Google backup codes) to anyone you don’t already know personally and trust. Many hackers and thieves (who have already stolen your username and password) will pose as employees of your bank (or another vendor like Microsoft, Apple, etc.) and try to trick you into doing that in order to gain access to your account and wipe out your life savings or steal your identity.
- Thieves may also trick you into clicking a link that will send you to a fake version of your bank (or Fidelity, Apple, etc.) website, which can then trick you into entering your username, password, and (once you receive it) authentication code, and then the thieves will use that to sign into your account using the real website and transfer out all of your money before you realize what’s happened.
- Hackers can intercept text messages (which were never designed to be secure), so even though it requires more effort on your part, whenever possible I strongly recommend that you choose the authenticator app option rather than getting authentication codes via text messaging.
- From what I’ve read, the Authy authenticator app (from authy.com) will work on any website that supports the Google Authenticator app. The Authy app also has other advantages over Google’s, including support for multiple devices (Macintosh, Windows, iPhone, iPad, and Android), support for computers (Google’s only supports one mobile device at a time), and a smoother process when you move to a new phone.
- Most bank, credit card, and other financial websites let you set up Alerts that can notify you (via email or text or both) about a wide variety of things about your account, including recent deposits and withdrawals, your current balance, payments due or received, etc. I recommend that you learn more about this and then activate any alerts that interest you. This will increase your security by keeping you better informed about the activity in your accounts. If it turns out to be too much, you can always turn them off later.
Other general advice
I also suggest:
- After successfully signing in using 2FA, many websites (including gmail.com) let you Trust or Remember the web browser you’re using so you don’t have to go through the 2FA process next time. Think carefully before choosing that option, especially if other people may have access to your computer, or if your mobile device might get lost or stolen. Since most websites do this by storing a “cookie” in your browser, bear in mind that the next time you clear all cookies in that browser you will also undo that choice for all of your websites.
- If you choose to use your cell phone for 2FA, set a passcode for it if you haven’t already. Many people whose cell phones have been lost or stolen have regretted not doing that after the accounts to which their phones had access were later compromised.
- If you choose to use your cell phone for 2FA, consider getting a spare, inexpensive cell phone that’s compatible with your current service in case something happens to your primary phone. If you still have your primary phone you can usually move its SIM card to the spare, or you can get another SIM card from your carrier.
- If your cell phone belongs to your employer, then you run the potential risk of it getting wiped, not only if you leave that job but also because this can happen by accident. This is a good reason to only use such a phone for work activities, and to have a separate phone for your own personal use.
This problem (how to sign in using 2FA without a cell phone) came up with a client of mine. For many years she had only used her landline, so she decided to cancel her cell service. For technical reasons her Gmail account needed to use 2-step verification in order to work with an older email program on her computer, and upgrading her email software was not an option.
Luckily, Google’s 2-step verification has many options, including some that require a cell phone as well as some that don’t:
- Authentication codes via text messages sent to your cell phone
- Authentication codes via a robotic voice call to any phone number of your choice (cell, landline, VOIP, etc.)
- Passkeys: Use your fingerprint, face, or other verification options using a computer, mobile device, or a hardware security key
- A physical “security key” device
- Authentication codes via the Google Authenticator app, which requires an iPhone, iPad, or Android device
- “Google prompts”: Require an iPhone, iPad, or Android device, and don’t generate any codes
- Numeric “backup codes”: Must be generated in advance and then stored in a safe place for future use
- Gmail does not currently offer the option to send its 2SV authentication codes via email, even if you have added a “Recovery email” address to your Gmail account.
- Using a Google Voice number as a virtual cell phone probably won’t work (if it belongs to the same Google account), since retrieving an authentication code would require signing in to Google Voice first, which would require that code prior to signing in (unless you are already signed in to that account in a separate web browser, computer, or mobile device at the right moment). However, if you have a second Google account, you could add its Google Voice number as a 2SV phone number in the first account.
In my client’s case, we chose to use Google’s backup codes. Here’s a brief summary of how they work:
- When you generate them, you’ll get a set of ten 8-digit codes.
- Store them in a safe place, since they let anyone (who also knows your Gmail address and password) sign in to your account without having to receive and enter an authentication code within 10 to 20 minutes.
- Each of those codes can only be used once, then it becomes inactive.
- If you’re signed in to your Google account, you can see a list of the remaining unused backup codes.
- You can generate a new set of 10 backup codes at any time, which also invalidates any previous codes.
- Changing your Gmail password does not affect any remaining backup codes.
- Turning off 2-step verification removes the ability to use backup codes and invalidates any remaining ones. If you later turn 2SV back on, you’ll need to generate a new set of codes.
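To make the rules above concrete, here is an added illustration (written for this article, not Google’s own code) of how a service could store and retire backup codes that follow those rules: ten 8-digit codes, each usable once, a new set replacing the old one, and all codes discarded when 2-step verification is turned off. The class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed model of the backup-code behaviour described above.
CODE_COUNT = 10
CODE_DIGITS = 8

def _hash_code(code: str, salt: bytes) -> bytes:
    # Keep only a salted hash so a stolen database does not yield usable codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)

class BackupCodes:
    """Server-side backup-code state for one account (hypothetical)."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.unused: list[bytes] = []  # hashes of codes not yet spent
        self.enabled = False           # whether 2-step verification is on

    def generate(self) -> list[str]:
        """Issue a fresh set of ten codes; any earlier set is invalidated."""
        self.enabled = True
        codes = [f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
                 for _ in range(CODE_COUNT)]
        self.unused = [_hash_code(c, self.salt) for c in codes]
        return codes  # shown to the user once, to be stored safely

    def redeem(self, attempt: str) -> bool:
        """Accept a code exactly once, then retire it."""
        if not self.enabled:
            return False
        digest = _hash_code(attempt, self.salt)
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(stored, digest):
                del self.unused[i]  # single use: the code is now inactive
                return True
        return False

    def remaining(self) -> int:
        """Count of unused codes, as shown in the account settings."""
        return len(self.unused)

    def disable_2sv(self) -> None:
        """Turning 2-step verification off discards every remaining code."""
        self.enabled = False
        self.unused = []
```

The account password is not part of this state, which is why changing it leaves the remaining codes untouched.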
Where to go from here
If this seems too complicated to do on your own, I recommend that you talk to someone you know and trust to help you.