How to unlock multi-factor authentication when locked out

Multi-factor authentication(Opens in a new tab) (MFA) is simply the best thing you can do to prevent the bad guys from accessing your accounts. But what happens if you lose your security key, delete your authenticator app, or lose all your devices and can’t prove who you are? It’s a nightmare scenario, but don’t panic! Here’s what to do when that bad dream comes true.

What are the three types of multi-factor authentication?

Before we get down to business, let’s first look at what MFA is and why you should be using it.

MFA (sometimes called two-factor authentication or 2FA) isn’t just about using more credentials to sign in. In the world of authentication, there are three ways to identify yourself:

  • Something you I knowas a password.

  • Something you issuch as a fingerprint or other biometric feature.

  • Or something you I havesuch as a hardware security key.

Do you want to face this difficult situation? PCMag’s Max Eddy has tips here. (Opens in a new tab)

The traditional username and password authentication system is only one factor (which you know), but multi-factor authentication combines at least one other factor. That way, even a bad guy who knows your password won’t be able to access your account because he doesn’t have the other factor necessary to do so.

This isn’t just theory either. When Google required hardware security keys among its employees, account takeovers were effectively abolished(Opens in a new tab).

The most common way to do MFA is to receive a one-time code via SMS. However, SIM slot(Opens in a new tab) and other bad-type techniques means this is the least secure way to do an MFA. Instead, we recommend using an authentication app(Opens in a new tab) which generates one-time codes on your phone or a hardware security key(Opens in a new tab) log in to verify your identity.

Having weak MFA is better than no MFA at all, so if authentication apps are too confusing and security keys are too expensive, enable SMS codes. However, we encourage you to explore alternatives.

What to do when you are banned from MFA

A legitimate concern with MFA systems is that you might lose your security key, accidentally wipe your authenticator app, or have your phone stolen and be unable to receive SMS codes. Without access to MFA options, you may be locked out of your account(Opens in a new tab) forever.

Fortunately, there are a few things you can do if you find yourself locked out of an MFA-secured account: use a device that’s still connected, use an MFA alternative, or contact customer support. Below, we analyze all three options in detail.

What are your other MFA options?

Many websites and services that support MFA also require you to enable more than one. Apple, for example, requires you to enroll two security keys if you choose to use this MFA option to secure your Apple ID. If you’ve enabled SMS codes, authentication apps, or security keys in addition to your MFA method of choice, you might be able to use one of those.

If another MFA option is available, you’ll usually see a link when signing in that says something like “verify your identity in another way” or similar.

Sometimes, you may not have enabled another MFA method on purpose, but the website or service has another option available. For example, the company may be able to send you a one-time SMS code using a phone number they have on file, or even a push notification to a trusted device.

Where are you still online?

If you are still signed in to the website or service on a different device, you may be able to change your MFA settings and regain access to the account. While this can work with a desktop or laptop computer, your best bet is with a mobile device where you have the service’s app installed. Apps tend to stay connected much longer than most websites you visit.

If you can find a place where you’re still signed in, look for your MFA settings. Once you find them, disable MFA or add a new MFA option I am doing I have access to. This can be a different security key, SMS codes or an authentication app. Most of the time you’ll need to present your password when changing your security settings, so make sure you have it handy.

While you’re exploring this option, be careful not to log out of the service or app until you can regain full control.

Contact customer support

If you’ve exhausted your MFA options and are sure you haven’t signed in anywhere else, it’s time to contact customer support. Some companies may have an automated system to verify your identity and get you back into your account fairly painlessly.

Other services are more stringent, sometimes requiring you to provide additional proof of identity such as a driver’s license. In this scenario, it may take several days or weeks to access your account.

Start fresh

In some cases, however, it may not be possible to regain control of your account, either because you do not have the proper materials to do so or because the company’s internal systems are designed to prevent account takeover at all costs—yet and if it means that some legitimate users are blocked.

In these cases, it may be time to start over and create a new account. If you end up going this route, make sure you get in touch with customer service first. Even if you can’t access the old account, you may be able to delete it and replace it with a new account. At the very least you’ll want to notify the company so a seasoned identity thief can’t take control of the abandoned account later.

How to avoid getting blocked with multi-factor authentication

Once you’ve already been locked out of your account, your options for regaining control are limited and can vary greatly. Give yourself the best chance of maintaining control of your account by taking the time to set up some authentication contingencies.

The easiest option is to enable more than one MFA option if the account supports it. Again, we recommend avoiding SMS codes if you can. If you have multiple MFA options enabled on an account, you can use an alternative if your primary means of authentication is unavailable.

Also enable recovery codes if available. This feature is sometimes heard by other names such as backup codes the recovery keys. Whatever it’s called, the idea is the same: a long string of text characters that can unlock your account when all else fails. You’ll want to keep it somewhere safe, as it could be used to take control of an account away from you. Consider writing them down in a safe place. If you choose to store your backup passwords digitally—as a secure note in a password manager, for example—make sure they’re encrypted and that the service you’re storing them on has MFA enabled.

If you use security keys, consider getting a second key and enrolling it as a backup to the first key. Many services will allow you to register multiple keys for exactly this reason, and Apple requires it if you want to use security keys with your Apple ID. If you decided to upgrade to a new security key, keep the old one as a ready backup.

Some authenticator apps back up the data they generate code so you can easily move from device to device without the hassle of rewriting your authenticator app on every site and service. Some go even further by storing code-generating data in the cloud so you can generate codes on multiple devices at once. While we think backups are good, being able to generate passwords on multiple devices at the same time poses some security risk.

Don’t be afraid of multi-factor authentication

Enabling MFA can seem like a huge commitment, and a little scary. Besides, if it can keep the bad guys out, it can last you out too. However, using MFA will make your accounts more secure, and the risk of permanent ban is relatively minimal for most accounts. With a little preparation, you can ensure that never happens. So don’t wait: enable MFA wherever you can.

Keep in mind that MFA is only one part of the equation. Up to passwords(Opens in a new tab) If passwordless authentication becomes mainstream, you’ll need to use a unique, complex password(Opens in a new tab) for each website and service. A password manager(Opens in a new tab) it will do a much better job of inventing and remembering passwords than any human, so use one along with your MFA system of choice.

Finally, if a bad person has unrestricted access to your computer or mobile device, even the best authentication systems will fail. We strongly recommend using local anti-virus software(Opens in a new tab) to prevent attackers from gaining a foothold on your machines.

This article originally appeared on in a new tab), Mashable’s sister site. in a new tab) is a leading authority in technology, providing independent, lab-based assessments of the latest products and services.

Leave a Reply

Your email address will not be published. Required fields are marked *