Getting into your account without your phone.
That’s a summarization of a question I get frequently.
The problem is that telling Google your new number requires you to be signed in, but you can’t sign in because the verification is going to your old number. It’s a vicious circle.
I have to tell you that depending on a few factors, you may not be able to get in.
Let’s look at what straws we can grasp at.
Become a Patron of Ask Leo! and go ad-free!
Possible alternate verification options
- Use a hardware security key that you set up as part of two-factor authentication.
- Use a one-time security code provided by another signed-in device.
- Confirm on a signed-in phone or tablet.
- Get a security code on a signed-in phone or tablet (even if it’s offline).
- Get a code from the Google Authenticator app.
- Get a verification code sent to a recovery email address.
- Get a verification code sent to a mobile phone.
- Enter one of your pre-saved 8-digit backup codes.
- Try Google Account Recovery.
Preparation is key
Google is going to want something that’s been set up, signed in, or configured before this situation arises. Normally, that means adding your phone number and keeping that number up to date.
Of course, if you’ve lost your phone or have changed numbers without updating the information in your account, that’s not going to work.
Fortunately, Google offers many additional ways to confirm your identity.
Important: Not all of these options will be available to you in all situations (and there may even be others). Exactly which Google chooses to make available is unclear, and may vary depending on the characteristics of your account, or whether you’re following the “forgot my password” or “lost my two-factor device” path.
Several of these options require configuration prior to needing them. If you have not configured them for your account, they probably won’t be listed.
Even if you don’t have two-factor explicitly enabled, Google’s security may require this additional level of confirmation at times. This is, essentially, two-factor authentication as well.
Let’s look at the options.
Account verification options
Use your Security Key
This only works if you’ve previously configured the YubiKey with your account and you have it with you. I’ve assigned a YubiKey to my account, and yet not having it with me is the most common scenario I run into myself.
Get a one-time security code
You can use a hardware security key to sign in to your account on one device, and then use that device to get a code allowing you to sign in to another.
This scenario assumes you can’t use your security key on the device you’re trying to sign in to. Perhaps the USB ports are broken; perhaps you left that key at home. By using a different device (and perhaps a trusted family member at home), you can use your ability to sign in one place as a way to validate the other.
Confirm on your phone or tablet
If you are currently signed in to Google on a mobile device1 or a tablet, Google can send a message to that device, asking you to confirm your sign in on the current machine.
Naturally, this only works if you are currently signed in on another device and can respond to the confirmation prompt.
Use your phone or tablet to get a security code (even if it’s offline)
This one surprised me. I suspect this works only for Android devices, but if you’re signed into the same account on one of those devices, you’ll be given instructions to retrieve a log-in code from one of those devices.
Next, your device presents the codes you can use to confirm your identity.
That this works even if that mobile device is not connected to the internet might be a lifesaver, especially when traveling.
Get a verification code from the Google Authenticator app.
This also requires no connectivity on your mobile device, but does require you’ve set up two-factor authentication with the Google Authenticator app beforehand. Other compatible apps, such as Authy, also work.
On the device running the authenticator app (which can even be the PC on which you’re attempting to sign in, if it is running the desktop version of Authy), you simply type in the currently displayed code for your account.
Get a verification code at an email address
Google will email you a code to one of your recovery email addresses. Your ability to provide that code proves you are who you say you are — or at least are the person who set up the recovery email addresses — and should be allowed into the account.
Email addresses aren’t always included in the list of options (they’re not present above, for example).
Note: you can have more than one recovery email address associated with your account. The example here shows four. If you lose access to one, you can have the code sent to any of the others.
Get a verification code via mobile phone.
This is the very problem that got us here. Google will text a code to your mobile number of record.
Note: you can have more than one number associated with your account. If you lose access to one, you can have the code sent to the other instead.
Enter one of your 8-digit backup codes.
With two-factor authentication enabled, any time you’re signed in to your account you can have Google create and display a set of backup codes for you to use in an emergency.
Each can be used once –, in lieu of your second factor, or when you need to provide additional security assurance to Google that you are who you say you are.
If you use two-factor authentication, I strongly recommend getting and saving those backup codes somewhere safe.
If you’re not using two-factor authentication — if the additional security two-factor provides isn’t enough to convince you — it’s almost worth turning it on so you can have these codes available should you ever need them.
Google warns that this process can take several days. What they don’t say is that it may not work.
The process encourages you to try some of the options we’ve already discussed as faster ways to get into your account.
If those won’t work for you, Google will ask a series of questions, and … get back to you. Carefully answer those questions as clearly and as completely as you can.
If you’ve provided sufficient information, eventually you’ll be provided a means to access your account and reset your password.
If you’ve not provided information that Google sees as sufficient to prove you are the rightful account owner … you’re out of luck. This is not uncommon.
What’s frustrating to folks in this position is that exactly what Google considers “enough” is never stated. This is on purpose, so as to prevent malicious hackers from beating the system. That’s why I emphasize being careful, being clear, and being complete when you answer the questions presented.
If everything fails
If none of the confirmation options provided by Google work for you…
if you’ve not set up the alternate and recovery information for your account…
if the account recovery process covered in the last step fails…
… then I know of no way to get back into your account. For all intents and purposes, it is no longer your account.
This is why I harp on setting up account recovery information, and enabling two-factor authentication before you need it, so you’ll never find yourself in this situation.
Footnotes & References
1: I’m assuming this works across Apple devices as well as Android.