'%3e%3cpath%20d='M0,0%20v30%20h60%20v-30%20z'%20fill='%23012169'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23fff'%20stroke-width='6'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23C8102E'%20stroke-width='4'%20clip-path='url(%23s)'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23fff'%20stroke-width='10'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23C8102E'%20stroke-width='6'/%3e%3c/g%3e%3c/svg%3e)
UK
%20--%3e%3cuse%20href='%23s'%20x='0'%20y='0'/%3e%3cuse%20href='%23s'%20x='494'%20y='0'/%3e%3cuse%20href='%23s'%20x='988'%20y='0'/%3e%3cuse%20href='%23s'%20x='1482'%20y='0'/%3e%3cuse%20href='%23s'%20x='1976'%20y='0'/%3e%3cuse%20href='%23s'%20x='2470'%20y='0'/%3e%3cuse%20href='%23s'%20x='247'%20y='210'/%3e%3cuse%20href='%23s'%20x='741'%20y='210'/%3e%3cuse%20href='%23s'%20x='1235'%20y='210'/%3e%3cuse%20href='%23s'%20x='1729'%20y='210'/%3e%3cuse%20href='%23s'%20x='2223'%20y='210'/%3e%3cuse%20href='%23s'%20x='2717'%20y='210'/%3e%3cuse%20href='%23s'%20x='0'%20y='420'/%3e%3cuse%20href='%23s'%20x='494'%20y='420'/%3e%3cuse%20href='%23s'%20x='988'%20y='420'/%3e%3cuse%20href='%23s'%20x='1482'%20y='420'/%3e%3cuse%20href='%23s'%20x='1976'%20y='420'/%3e%3cuse%20href='%23s'%20x='2470'%20y='420'/%3e%3cuse%20href='%23s'%20x='247'%20y='630'/%3e%3cuse%20href='%23s'%20x='741'%20y='630'/%3e%3cuse%20href='%23s'%20x='1235'%20y='630'/%3e%3cuse%20href='%23s'%20x='1729'%20y='630'/%3e%3cuse%20href='%23s'%20x='2223'%20y='630'/%3e%3cuse%20href='%23s'%20x='2717'%20y='630'/%3e%3cuse%20href='%23s'%20x='0'%20y='840'/%3e%3cuse%20href='%23s'%20x='494'%20y='840'/%3e%3cuse%20href='%23s'%20x='988'%20y='840'/%3e%3cuse%20href='%23s'%20x='1482'%20y='840'/%3e%3cuse%20href='%23s'%20x='1976'%20y='840'/%3e%3cuse%20href='%23s'%20x='2470'%20y='840'/%3e%3cuse%20href='%23s'%20x='247'%20y='1050'/%3e%3cuse%20href='%23s'%20x='741'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1050'/%3e%3cuse%20href='%23s'%20x='0'%20y='1260'/%3e%3cuse%20href='%23s'%20x='494'%20y='1260'/%3e%3cuse%20href='%23s'%20x='988'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1260'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1260'/%3e%3cuse%20href='%23s'%20x='247'%20y='1470'/%3e%3cuse%20href='%23s'%20x='741'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1470'/%3e%3cuse%20href='%23s'%20x='0'%20y='1680'/%3e%3cuse%20href='%23s'%20x='494'%20y='1680'/%3e%3cuse%20href='%23s'%20x='988'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1680'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1680'/%3e%3c/g%3e%3c/svg%3e)
USA
What to do if…
you lose a physical security key used for two-factor sign-in
Short answer
Assume the key could be found by someone else: use another sign-in method to remove the missing key from every account it protects, and tell your workplace IT/helpdesk immediately if it’s a work key.
Do not do these things
- Don’t “wait to see if it turns up” before removing it from your accounts if there’s any chance it was lost in public.
- Don’t turn off multi-factor security entirely as the immediate fix; remove the lost key and keep another second step active.
- Don’t keep trying random logins if you’re locked out (you can trigger temporary lockouts that make recovery harder).
- Don’t share recovery codes, backup codes, or screenshots of account security pages with anyone (including “support” messages that contact you first).
- Don’t buy/register a replacement key from an unknown seller because you feel rushed.
What to do now
-
Pause and classify the loss: “probably at home” vs “lost in public.”
If there’s any realistic chance it’s in a taxi, café, office, train, or anywhere accessible to others, treat it as lost in public. -
Write a 60-second list of the accounts that key could unlock.
Start with: your primary email, your password manager, any work/school single sign-on, banking/finance, cloud storage, and any account you use to reset others. -
Get into your most critical account first (usually email) using another second step.
Use what you already have (backup key, authenticator app, SMS/voice where enabled, recovery codes, or another registered passkey).
A security key usually isn’t enough by itself without your password or device unlock — but if you set up passwordless/passkeys on that key for any service, treat this as higher risk and move fast. -
Remove the missing security key from that account’s security settings immediately.
Look for “Security key / Passkeys / Two-step verification / Security” and delete/remove the specific key entry. -
Sign out other sessions and change the password for the account you just secured (starting with email).
Use “Sign out of all devices / Log out other sessions” (wording varies), then change the password — especially if the key was lost with anything that could reveal your password or unlock your devices. -
Repeat: remove the missing key from every account on your list (highest impact first).
Don’t aim for perfection — your goal is to make the lost key stop working everywhere it was registered. -
If this is a work or school account, contact your IT/helpdesk now and say: “lost security key used for 2FA.”
Ask them to revoke/remove the security key (FIDO2) credential, check for suspicious sign-ins, and issue the organisation’s approved replacement process.
Use your organisation’s known support route (intranet/portal/switchboard) — not phone numbers sent in messages. -
If you cannot sign in at all, use the provider’s official account-recovery flow.
Use “Try another way” / “Can’t use your security key?” / “Account recovery” for that service. Prioritise regaining access to your primary email account first.
What can wait
- Buying a replacement key (do it after you’ve removed the missing one from your accounts).
- Deciding whether to change your whole security setup or provider.
- A full audit of every account you own (do the critical ones now; the rest can follow later).
- Cleaning up and “optimising” your security settings (stabilise first).
Important reassurance
Losing a security key is common, and quick action usually prevents harm. The stabilising move is straightforward: remove the missing key from your accounts and keep another second factor active until you register a replacement.
Scope note
This is first-steps guidance to reduce immediate risk and get you back into your accounts. Later decisions may benefit from provider support or your organisation’s IT team.
Important note
This is general information, not legal, financial, or professional IT advice. Account interfaces and recovery rules vary by provider and organisation, so follow the official recovery and security steps for each service and use your workplace’s approved IT process.
Additional Resources
- https://www.ncsc.gov.uk/guidance/recovering-a-hacked-account
- https://www.ncsc.gov.uk/guidance/setting-2-step-verification-2sv
- https://support.google.com/accounts/answer/9153624?hl=en-GB
- https://support.google.com/titansecuritykey/answer/9115656?hl=en-GB
- https://support.microsoft.com/en-gb/account-billing/removing-a-sign-in-verification-method-4099aa36-bb4e-429e-a0d7-9e05617084f1
- https://support.microsoft.com/en-us/account-billing/set-up-a-security-key-as-your-verification-method-2911cacd-efa5-4593-ae22-e09ae14c6698