Two years ago, someone gained access to my Airbnb account and managed to book three different stays in Wroclaw, Poland, for the same four-day stretch in early August. Total cost to me: $863.70, all for a trip I had never wanted to take. (That said, Wroclaw does sound like a nice place to spend some time.)
Airbnb eventually sorted everything out, but nothing would’ve needed sorting at all if I had turned on 2FA in the first place. That way, the hacker(s) would’ve needed a special code sent to my phone before they could even think about getting into my account. Even so, 2FA still comes with a catch: Because many of us use our phones to verify our identities, we can too easily find ourselves scrambling when something happens to those devices.
“I use [2FA] for several important websites, including access to banking and other financial needs so my phone has become more important all the time,” reader Hobe Darbyshire wrote in an email to the Help Desk. “What happens if I lose my phone or it gets stolen?”
In situations like these, it can be hard not to think of the worst-case scenarios. Our advice? If you find yourself facing this problem, take a deep breath and work through the following steps.
Contact your wireless carrier
Lots of companies and services try to verify your identity via codes sent to you in text messages or in phone calls. (In my experience, this is especially true of banks.) That means regaining control of your phone number is crucial.
If you’ve lost track of your phone and are fairly sure you’re not getting it back anytime soon, your first step should be to contact your wireless carrier. Calling a customer service line is a good start, but if you can, we recommend going directly to a carrier store for more immediate help.
Once you have someone to help you, work with them to figure out the best way to get your phone number back. This can happen a few ways: If you’ve been paying for insurance, they can transfer your service to an older phone until you can sort out a more permanent replacement. Or maybe they’ll activate a new SIM card — the tiny chip tied to your phone number — so you can slip it into an older phone you have lying around.
If you’re fast enough, that should mean whoever has your phone won’t be able to receive incoming calls and messages meant to verify log-in attempts.
Use backup codes when possible
Some services allow you to create “backup” codes in case you lose access to your phone. Think of these as powerful last resorts: They’re generally designed to bypass other security methods and grant access to your accounts and information if your phone gets lost or stolen.
That said, these are not passwords. The services that offer these codes tend to give you a bunch (usually 10) at once, and each code can be used to unlock your account only once. (In other words, protect these codes as best you can.)
The downside? Broadly speaking, backup codes are pretty uncommon. Companies like Google and Twitter allow you to create them once you’ve set up two-factor authentication, and the government will let you do the same if you ever have to use Login.gov. Unfortunately, single-use backup codes seem less common among banks, which are usually among the first things people fret about when their accounts are at risk.
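How a service can implement the single-use backup codes described above, as an added example (not from the original article or from any service it names): ten random codes are shown once, only salted digests are stored, and each code is burned when it is redeemed. The function names, the `account` dict and the code format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10  # the batch size the article gives as typical
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # look-alikes (0/o, 1/l/i) left out


def _normalize(code: str) -> str:
    # Codes get retyped from paper: ignore case, spaces and dashes.
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _digest(code: str, salt: bytes) -> str:
    # Assumption for this sketch: the codes are long random strings, so a
    # salted SHA-256 is used. A real service would also rate-limit attempts.
    return hashlib.sha256(salt + _normalize(code).encode()).hexdigest()


def issue_codes(account: dict) -> list[str]:
    """Create a fresh batch; any earlier batch stops working."""
    salt = secrets.token_bytes(16)
    codes = ["".join(secrets.choice(ALPHABET) for _ in range(10))
             for _ in range(CODE_COUNT)]
    account["salt"] = salt
    account["unused"] = {_digest(c, salt) for c in codes}
    # Plaintext is returned once for display; only digests stay server-side.
    return [f"{c[:5]}-{c[5:]}" for c in codes]


def redeem(account: dict, submitted: str) -> bool:
    """Accept a valid code exactly once, then burn it."""
    candidate = _digest(submitted, account["salt"])
    match = None
    for stored in account["unused"]:
        # compare_digest avoids leaking match position through timing.
        if hmac.compare_digest(stored, candidate):
            match = stored
    if match is None:
        return False
    account["unused"].discard(match)  # single use: a replay now fails
    return True
```

Because only digests are kept, a leaked copy of the account record does not reveal working codes, and reissuing a batch is how a user retires codes that may have been exposed.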
Remotely lock that phone
Sometimes, services will try verifying your identity by sending a code in an email to an address they have on file. That can be convenient if your phone goes missing, since you probably won’t have too much trouble reading an email in a Web browser. But if someone managed to grab your phone while it was still unlocked, those emails might be visible to them too.
If that lost device is a smartphone, there’s a quick way to prevent anyone from prying: Lock it down when you notice it’s missing. That will force whoever has your phone to punch in whatever PIN code or password you’ve already set up before they can access any of your data. Here’s how to do it.
For an Android phone
- Go to Android.com/find and sign in to your Google account
- Select the lost phone
- Click “Secure Device” to lock the phone and sign out of the Google account
- Add an optional message and phone number for anyone who finds it
For an iPhone
- Go to iCloud.com and sign in to your Apple account
- If you have access to another Apple device, type in the verification code. If not, click “Find iPhone” at the bottom of the screen
- Click “All Devices” and select the phone you want to lock down
- Click “Lost Mode”
Once you get into these specific settings for your smartphone, you’re also given access to the nuclear option: remotely erasing your phone entirely so there are no juicy accounts and saved passwords for anyone to even pry into.
For Android phones, follow the steps above and click “Erase Device” instead of “Secure Device.” For iPhones, follow those same steps and click “Erase iPhone” instead of “Lost Mode.” No matter which phone you use, you’ll be asked to confirm your choice one last time before the remote wipe begins.
People tend to think about this option differently — some people like to erase their phones the moment they go missing, while others think of it purely as a last resort. Our advice: The moment you’re fairly sure your phone won’t make it back to you soon is the moment to really consider erasing it.