What to do if…
you realise your recovery codes or backup codes cannot be found when you need them
Short answer
Stop and assume you might be on the wrong (or fake) sign-in screen, then try to regain access using a trusted, already-signed-in device or the provider’s official recovery flow, without sharing extra information with “helpers” or random support accounts.
Do not do these things
- Don’t type your password into a link from an email/text/DM you weren’t expecting (even if it looks correct).
- Don’t pay anyone claiming they can “unlock” the account, or move the conversation to WhatsApp/Telegram.
- Don’t keep retrying codes until you get locked out for longer (slow down after a couple of failed attempts).
- Don’t disable 2-step verification in a panic (doing so can make the account easier to take over).
- Don’t hand over scans of your ID or “selfie verification” unless you are inside the provider’s official recovery process.
What to do now
- Take 30 seconds to confirm you’re on the real sign-in page.
  Use the app you normally use, or manually type the service’s address into your browser (not a link). If anything looks off, stop.
- Check the “obvious hiding places” once, systematically (5 minutes max).
  Look for: password manager “secure notes”, a file called “backup codes”, downloads folder, printed sheet, notebook, screenshots folder, encrypted vault, cloud drive secure folder, or an email you sent to yourself when you set it up.
  If you share a computer: check you’re in the correct user profile.
- Try a trusted device/session first (this is often the fastest way back in).
  If you’re still signed in anywhere (phone app, tablet, another browser profile, work laptop):
  - Go to the account’s Security / Sign-in / 2-step verification area.
  - See if you can generate a new set of backup codes or add another sign-in method (authenticator app, passkey, security key, secondary phone/email).
  - If you generate a new recovery code/set, assume the old one is invalid from that moment.
- Use alternative verification methods you may already have set up.
  On the sign-in screen, look for options like: “Try another way”, “Use a security key”, “Use your authenticator app”, “Use a trusted device”, or “Verify by email/phone” (if you still control that email/number).
- If you’re locked out, start the provider’s official account recovery.
  Use the provider’s “Forgot password / Account recovery” process. Be ready to provide what you genuinely know (previous passwords, when you created the account, billing details for paid services).
  If the recovery path asks for something you can’t provide, stop and try from a different trusted device or network rather than guessing repeatedly.
- Treat “missing codes” as a possible warning sign of account takeover: do a quick safety check.
  If you can get in on any device, immediately:
  - Change the password to a unique one.
  - Review recent sign-in activity and sign out of other sessions/devices you don’t recognise.
  - Check account settings that attackers change quietly (email forwarding rules, recovery email/phone, “trusted devices”, app passwords, connected apps).
- If you suspect fraud or you’ve lost money, use the right UK reporting channel.
  If an account takeover led to unauthorised transactions, scams, or you’ve been hacked as part of fraud:
  - England, Wales, or Northern Ireland: report via the national fraud/cyber reporting service (Report Fraud), and contact your bank/service provider using their official contact details.
  - Scotland: report the crime to Police Scotland on 101 (non-emergency) and contact your bank/service provider as relevant.

  If you received suspicious messages, consider reporting them through the UK’s phishing reporting routes (for example, forwarding suspicious emails to the Suspicious Email Reporting Service).
What can wait
- You don’t need to decide today whether to change all accounts, migrate email providers, or rebuild your entire security setup.
- You don’t need to perfect your “best” 2FA method right now—first, regain safe access and stop any ongoing compromise.
- You don’t need to respond to every notification immediately; focus on the one account that can reset others (usually your email).
Important reassurance
Losing backup codes is very common—many people only realise they matter at the exact moment they need them. If you slow down and use trusted sessions and official recovery routes, you can usually regain control without making the situation worse.
Scope note
These are first steps to get you safely back into the account (or into the right recovery process) and reduce the risk of account takeover. Later, you may want more thorough security hardening, but it doesn’t have to happen now.
Important note
This is general information, not legal or professional advice. If you think you’re currently being targeted, scammed, or money is at risk, prioritise contacting the affected provider/bank through official channels and reporting through the appropriate UK services.
Additional Resources
- https://support.google.com/accounts/answer/1187538
- https://support.microsoft.com/en-gb/account-billing/how-to-get-a-microsoft-account-recovery-code-2acc2f88-e37b-4b44-99d4-b4419f610013
- https://www.ncsc.gov.uk/guidance/setting-2-step-verification-2sv
- https://www.gov.uk/report-suspicious-emails-websites-phishing
- https://www.ncsc.gov.uk/collection/phishing-scams/report-scam-email
- https://www.reportfraud.police.uk/
- https://www.reportfraud.police.uk/how-to-report-suspicious-activity/