
If your phone with Google Authenticator, Authy, or Microsoft Authenticator on it is lost, stolen, or broken, your recovery codes — the one-time backup codes each service gave you when you first set up 2FA — are your fastest way back in, and they should be your first move before trying anything else. If you saved them somewhere safe (not on the same phone), log into each account from a trusted device, use a recovery code to bypass 2FA, then immediately re-provision a new authenticator on your new or replacement device and generate a fresh set of codes. The genuinely dangerous scenario is losing the phone and the recovery codes together — that typically forces you into each service's manual identity-verification process, which can take anywhere from a few hours to several days depending on the platform, and for banking specifically, our banking 2FA abroad guide covers the extra steps financial institutions require. Getting a working phone and internet connection sorted first matters more than people expect in this situation.
Every major service that supports authenticator-app 2FA — Google, Microsoft, GitHub, most banks, Instagram, Coinbase — gives you a set of 8-10 single-use recovery codes at setup time specifically for this scenario. If you saved them (a password manager entry, a printed sheet in your bag, a note in a separate secure location), this is a five-minute fix: log in with your password, choose 'use a recovery code' instead of entering a 2FA code, and you're in.
The moment you're in, don't stop there — immediately go to security settings, remove the old authenticator, add a new one on your current device, and generate a brand new batch of recovery codes. The codes you just used are now one short and shouldn't be treated as still reliable; old codes that leaked or were reused are a common way accounts get compromised months later.
If the recovery codes were stored on the same phone that's now lost, stolen, or broken — a screenshot in Photos, a note in the Notes app — you're in the harder scenario that most 2FA guides don't fully prepare people for. Each service then requires its own manual identity verification process instead of a recovery code shortcut: Google typically asks for account recovery via a secondary email and device history questions, Microsoft has a similar flow, and services like GitHub or Coinbase may require ID verification or a support ticket with a multi-day wait.
This is also the scenario where password manager backup matters most — if your password manager (see our password manager setup guide for nomads) has its own separate 2FA or recovery method not tied to the same lost phone, you can often use it to at least access saved notes or secure documents where you might have a secondary copy of codes, even if the primary phone is gone.
Google Authenticator (the app, not your Google account) has no built-in backup by default unless you've enabled the newer Google Account sync feature — if that wasn't turned on before you lost the phone, every account using it needs individual recovery, one by one, no shortcuts. This is the single biggest reason we recommend switching away from bare Google Authenticator for anyone traveling long-term.
Microsoft Authenticator backs up automatically to your Microsoft account (if you're signed in within the app) and can be restored to a new device just by signing in, which recovers most Microsoft-linked 2FA instantly — but third-party accounts you'd added to the same app still need individual re-provisioning since Microsoft's backup isn't guaranteed to restore every third-party entry cleanly.
Banks and financial platforms treat a lost-authenticator scenario far more cautiously than social media or email, for good reason — and that caution translates into slower, more manual processes. Many banks won't accept a recovery code alone for account access and will instead require a phone call from a verified number, a video ID check, or in some cases a temporary hold on the account until identity is confirmed, which can take days rather than minutes.
If you're mid-trip and locked out of a bank account specifically, calling from a number the bank has on file (not a new local SIM) speeds this up significantly — set up call forwarding to a working number before this becomes urgent. Our banking 2FA abroad guide covers bank-specific quirks (some US banks still only support SMS 2FA, which fails entirely once a foreign SIM is in the phone) in more depth.
Authy is built differently from Google or Microsoft Authenticator — it syncs your 2FA tokens (encrypted) across multiple registered devices by design, so if you'd added a tablet or a second phone as a backup device before losing your primary phone, you likely still have working 2FA access on that second device right now, no recovery process needed. This is genuinely the most resilient authenticator setup for frequent travelers, which is why we recommend it over bare Google Authenticator for anyone spending more than a few weeks abroad at a time.
The tradeoff: that same multi-device sync is a slightly larger attack surface if someone gains access to your Authy account credentials directly, since it can pull your tokens onto a new device with the right verification. Authy mitigates this with its own PIN and backup password, which is worth setting deliberately rather than leaving default.
The setup that actually prevents this from happening again: print your recovery codes (not screenshot them) and store the physical copy separately from your phone and laptop — a hidden pocket in a different bag, or with a trusted contact back home. Store a digital backup too, but in your password manager's secure notes, not in your phone's default Notes or Photos app where it lives in the same device that's the point of failure.
Switch from Google Authenticator to Authy or a password manager with built-in TOTP support if you're traveling for extended periods — the multi-device backup alone eliminates the single-point-of-failure problem this whole page is about. And register a second device (an old phone, a tablet) as a backup authenticator wherever the service allows it — most do, and almost nobody does it until after the first lockout.
If you're locked out right now and the manual recovery process feels overwhelming from a hostel WiFi connection, we can walk through it with you account by account.
A technician helps you work through recovery codes, service-by-service re-provisioning, and secure backup setup so it doesn't happen twice.
Book a remote fix — $149.99You'll need to go through each service's manual identity verification process individually, which varies from a same-day email/device-history check (Google, Microsoft) to a multi-day support ticket (some crypto exchanges and banks). Start with whichever account is most urgent, usually banking or email, since email recovery often unlocks other accounts faster.
Yes, once you're back into an account (via recovery code or manual verification), go straight to security settings, remove the old authenticator, and add a new one on your current device — don't wait, since an old authenticator entry tied to a lost phone is a security gap until it's removed.
Yes, if you registered more than one device or enabled Authy's encrypted cloud backup, your tokens can be restored to a new device with your Authy password and PIN. This is the main reason we recommend Authy over bare Google Authenticator for long-term travelers.
Financial institutions apply stricter identity verification because the stakes of a fraudulent takeover are higher, which often means a phone call or video verification instead of a simple recovery code. See our banking 2FA abroad guide for what to expect bank by bank.
No — that puts them in a place (your email, your phone's messages) that's often accessible from the same compromised or lost device, defeating the purpose. A password manager's secure notes feature or a printed physical copy stored separately is safer.
Register a second backup device (an old phone or tablet) as an authenticator wherever the service allows it, and store printed recovery codes separately from your primary phone. Our pre-trip tech checklist includes this as a specific line item people usually skip.