
What if I Forget My Passwords If I Use Two-Factor Authentication?

Two-factor feels like it’s more complicated. But is it?

Two-factor authentication is different from passwords, but they both share important recovery steps if there's a problem.
Question: Everyone says to use two-factor authentication, but I’m afraid I’ll forget my passwords and be locked out of my accounts. What should I do?

You should use two-factor authentication.

Seriously, if forgetting your passwords is what you worry about, you should still use two-factor authentication.

Here’s the deal: the two aren’t related.



Passwords & Two-factor

Passwords and two-factor authentication are separate from one another and don’t add additional risk to one another. More important is that you set your account recovery information and keep it up-to-date so that if there’s a problem with either — two-factor or your password — you’ll be able to regain access to the account and address the problem.

Passwords are separate from two-factor

With or without two-factor authentication, you need to remember your passwords.

Two-factor doesn’t make that any worse or make that any better. If you don’t know your password — your “first” factor, if you will — you won’t be able to sign in. You’ll need to perform an account recovery and set a new password.

That’s unrelated to two-factor authentication.

A more related concern might be forgetting your passwords because you use a password vault. That happens, and it’s OK. I couldn’t tell you my banking password if I needed to. My password vault — LastPass — remembers it for me. I usually let LastPass enter it for me, but if I ever want to see it, I can examine it in my LastPass vault.

So if forgetting your passwords is your main concern, consider using a password vault. Bonus: it’ll let you use stronger passwords, and easily use different passwords across all your sign-ins.

Two-factor is separate from passwords

The more common question about two-factor authentication is what happens if you lose your second factor. For example, perhaps you lose the phone running your two-factor app or the phone that receives the SMS messages used in two-factor authentication.

The answer here is very much the same as that for forgetting your password: you’ll need to perform an account recovery, probably setting a new password, but then either disabling two-factor or associating a different two-factor authentication method.

But that common solution — performing an account recovery — exposes the common weakness. Fortunately, it’s a weakness that’s easily addressed. Unfortunately, many people don’t address it.

Make sure recovery will work

In both of these scenarios, the solution to forgetting or losing is recovery — specifically, using the “I forgot my password” recovery process offered by the service you’re attempting to sign in to.

That process typically involves sending an email to an alternate email address, or a recovery code to a specific phone number, or using a backup code, or something else.

As long as all those are in place, up-to-date, and working, there’s no problem. There’s the inconvenience of a few additional steps, but you can get your account access back quickly.

The problem is that many people either don’t set them up or don’t keep them up to date. The recovery email goes to an email address they no longer have access to. The recovery code goes to a phone number they stopped using long ago. They never saved backup codes, or forgot where they put them.

You get the idea: everything put into place specifically to recover an account doesn’t work.

And when it doesn’t work, the account can’t be recovered. It’s lost. Forever.
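As an added illustration (not code from the article or from any particular service), here is a hypothetical model of how a service could issue single-use backup codes, store only their hashes, and flag the recovery gaps described above; the `RecoveryInfo` fields and the 365-day freshness limit are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Hypothetical record of the recovery data a service keeps for one account.
@dataclass
class RecoveryInfo:
    alternate_email: Optional[str]
    email_verified_on: Optional[date]
    phone: Optional[str]
    phone_verified_on: Optional[date]
    backup_code_hashes: set = field(default_factory=set)

def _digest(code: str) -> str:
    return hashlib.sha256(code.strip().encode()).hexdigest()

def issue_backup_codes(info: RecoveryInfo, count: int = 8) -> List[str]:
    """Generate random codes; keep only hashes, return plaintext exactly once."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    info.backup_code_hashes = {_digest(c) for c in codes}
    return codes

def redeem_backup_code(info: RecoveryInfo, code: str) -> bool:
    """Accept a code once: its hash is removed so replaying it fails."""
    presented = _digest(code)
    for stored in info.backup_code_hashes:
        if hmac.compare_digest(stored, presented):
            info.backup_code_hashes.discard(stored)
            return True
    return False

def recovery_problems(info: RecoveryInfo, today: date,
                      max_age_days: int = 365) -> List[str]:
    """List the reasons recovery might fail: missing, stale, or used-up options."""
    too_old = timedelta(days=max_age_days)
    problems = []
    if not info.alternate_email:
        problems.append("no alternate email")
    elif info.email_verified_on is None or today - info.email_verified_on > too_old:
        problems.append("alternate email not verified recently")
    if not info.phone:
        problems.append("no recovery phone")
    elif info.phone_verified_on is None or today - info.phone_verified_on > too_old:
        problems.append("recovery phone not verified recently")
    if not info.backup_code_hashes:
        problems.append("no unused backup codes")
    return problems
```

Running `recovery_problems` periodically and nagging the user is the service-side counterpart of "keep your recovery information up to date".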

The three things you need to do

Managing an account is important. For the best security, you must take responsibility for doing three things:

  1. Use unique, strong passwords for every site.
  2. Use two-factor authentication whenever offered.
  3. Above all: keep your recovery information active and up to date.

Forget that last one, and you might very well lose your account — with or without two-factor authentication.



5 comments on “What if I Forget My Passwords If I Use Two-Factor Authentication?”

  1. One way to prevent being locked out of your account is to have more than one second factor. Most allow you to have (an) email address(es) and a phone number associated as a second factor. I have 3 or 4 email addresses associated with all of my logins as a second factor.

    My Bank of America online banking app and web logins have 3 factor authentication.
    1. The password
    2. An SMS or email.
    3. I have to enter my ATM pin

    • Another thing that I’ve found handy is not to scan the 2FA barcode with the Authenticator App but rather write down the Key in a notebook you store at home. I then manually put the key in to test before doing the 2FA test to know that I got it right so that I know that key can help me activate it again should I lose my device.

  2. I have lost several accounts because the site changed their requirement for 2FA (optional or required) without notification. I have lost one account because I don’t have the required smart phone to get into their site. I have lost several accounts because I no longer have the telephone number required, which I found out the hard way.
    Sure I could start over with these sites probably. But do they really want me in their site? I think not or they would try harder to keep me. They can do very nicely without me. Google will help me find an alternative.
    Good riddance to them. Lots a luck.

    • This is on you, I’m afraid. Aside from the change without notice (which is extremely bad practice, I agree), you MUST keep your alternate account recovery information up to date. It sounds like these services were, in fact, doing security right.

