What Happens If I Lose the Phone I Use for Google's 2-Step Verification?
If you've done some research on the subject, you've probably heard security experts describing two-factor authentication (or 2-step verification) as a system that relies on something you know and something you have. This sounds a bit abstract, and to make it clearer, we'll use a real-world example.
You, like almost every Internet user, have a Google account. You're not willing to admit it publicly, but you're reusing your Google password on a few other websites, including an online discussion board that, unbeknownst to you, has left its user database exposed. Hackers steal it, and they now hold your login data. Knowing that people tend to reuse passwords, they are willing to try out the same credentials on other websites. If you haven't enabled two-factor authentication on your Google account, there will be nothing stopping them from logging in successfully.
If you have two-factor authentication (or, as Google calls it, 2-step verification) enabled, Google will see that your account is being accessed from a new device, and instead of letting the crooks in right away, it will ask for an additional code, which will either be sent to your phone as a text message or generated by a mobile application.
In other words, two-factor authentication lets you in if you a) know your password and b) have the mobile phone that receives or generates the temporary passwords. We already know what you need to do if you forget your password, but what happens if you lose your phone while 2-step verification is enabled? Does it mean that you will be locked out of your Google account?
Thankfully, Google's security specialists have thought of it, and it's not the end of the world. Here are your options.
Signing in from a trusted device
The goal of two-factor authentication is to make hackers' lives harder, not yours. That's why once you enable it, you can "tell" it which devices you trust, and it won't ask you for additional codes when you're logging in from them. Your home computer is probably among the trusted devices. Simply log in from there and turn off 2-step verification temporarily until you find or replace your phone.
Get a new phone
Your phone is not just a two-factor authentication device. You communicate through it, and you need it every day. Get in touch with your telecom provider, get a new SIM card and a new device. When it's set up, it will again act as a two-factor authentication device.
Use the backup codes
Upon enabling 2-step verification, Google will automatically create ten backup codes that can be used for signing into your account in case of an emergency. Obviously, they are only accessible once you're logged in, so, if they are to work in an emergency, they need to be stored somewhere beforehand. Printing them is one option, but you must make sure that they're kept well away from prying eyes.
Each code is good for one login only, and every time one of them is used, you are alerted about it via email. Still, keeping the codes safe is extremely important.
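The single-use behaviour described above, shown as an added Python example (it is not Google's code and not part of the original article). The 8-digit code length, the salted PBKDF2 storage and the `notify` callback are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10        # the article says ten codes are issued
CODE_DIGITS = 8        # assumption: code length is not stated in the article


def generate_backup_codes(count=CODE_COUNT):
    """Return `count` distinct random codes from a CSPRNG."""
    codes = set()
    while len(codes) < count:
        codes.add(f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}")
    return list(codes)


def _digest(code, salt):
    # Keep only a salted, slow hash so a leaked database does not directly expose codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class BackupCodes:
    def __init__(self, notify):
        self.salt = secrets.token_bytes(16)
        self.unused = set()
        self.notify = notify  # hypothetical hook, e.g. sends the alert email

    def issue(self):
        """Create a fresh set, invalidating old codes; plaintext is returned once."""
        codes = generate_backup_codes()
        self.unused = {_digest(c, self.salt) for c in codes}
        return codes

    def redeem(self, presented):
        """Accept a code at most once; return True only on first valid use."""
        candidate = _digest(presented.replace(" ", ""), self.salt)
        match = None
        for stored in self.unused:  # constant-time compare against every entry
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self.unused.remove(match)  # burn the code so it cannot be replayed
        self.notify(f"A backup code was used; {len(self.unused)} remaining")
        return True


if __name__ == "__main__":
    store = BackupCodes(notify=print)
    first = store.issue()[0]
    print(store.redeem(first), store.redeem(first))  # second attempt is rejected
```

Because the service keeps only hashes, the printed or saved copy is the only place the codes exist in usable form, which is why storing them safely matters.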
Use the account recovery form and hope for the best
This is the last resort. If nothing else works, you can do little more than fill out Google's Account Recovery form. It asks you different questions about your account and the way you use it. Based on this information, Google hopes to determine whether you really are the owner, and if it's certain that you are, it will let you in. Apparently, the process isn't entirely automated, and the reviewing is done by people. Because of this, Google says that giving you back access to your account could take several days.
It's a long, painful process, so make sure you've exhausted all other options before you go to the recovery form.
Overall, it's best not to lose your phone. Phones nowadays are full of sensitive data, and the risks associated with misplacing them aren't limited to the two-factor authentication system. Nevertheless, losing your phone doesn't necessarily mean losing access to your account. That's good to know.