You can get locked out of your Google account if Authenticator is enabled and you lose access to it, even if 2FA phone verification is set up. Make sure to save those backup codes!

TL;DR: I assumed that having a phone number set up as a 2FA method on my Google account would allow me to recover access if needed. However, it turns out that’s not the case if you’ve previously configured Google Authenticator.

Back in 2014, I enabled 2-step verification on a secondary Google account, configuring it with both Google Authenticator and a 2-Step Verification phone number to receive verification codes. Unfortunately, sometime in the past decade, I reset the Android device with the Authenticator app that generated verification codes for this account. While I likely received backup codes when I first set up 2FA, it seems I didn’t save them.

2-Step Verification and Authenticator enabled with a phone number (hidden)

Recently, when logging in with my username and password, I received a 2-step code via SMS to my registered phone number. However, when trying to launch a Virtual Machine on Google Cloud, I was prompted for a verification code from Google Authenticator. Without Authenticator, I had no way to generate a code, and I couldn’t remove Authenticator as a verification option. Every attempt to “try another way” only directed me back to Google Authenticator for verification.

At this point, the account is effectively dead to me, as privileged actions require an Authenticator code and I have no way to generate them. While I recognize that my own inaction contributed to this situation—and I’m fortunate it’s not a primary account I rely upon—it’s still frustrating.

I’m certain I received backup codes when I initially set up 2-Step Verification, and it was my own mistake not to save them. Still, I can’t shake the feeling that I’m completely locked out with no way to recover access, and it’s a bit surprising that having a 2FA phone number isn’t even a fallback option. I suppose the reality is that phone numbers are now considered an insecure verification method. Since I learned that SMS codes can’t replace all use cases for Authenticator codes, make sure you save those backup codes!

Sign in with password
Challenged for Google Authenticator code
No other verification option such as 2FA via Phone