What to do if…
you lose a physical security key used for two-factor sign-in
Short answer
Treat the missing key as potentially in someone else’s hands: use another sign-in method to remove it from each account it protects, and notify your employer’s IT/security team right away if it was for work.
Do not do these things
- Don’t delay removing the key “until you search everywhere” if it may have been lost outside your control.
- Don’t turn off multi-factor security entirely as the immediate fix; remove the lost key and keep another second step active.
- Don’t keep retrying logins if you’re locked out (you can trigger lockouts and make recovery harder).
- Don’t share backup/recovery codes or security screenshots with anyone who contacts you first.
- Don’t register a replacement key from an untrusted seller because you feel rushed.
What to do now
- Make a quick risk call: “probably at home” vs “lost/stolen.”
  If it was lost in a public place, rideshare, airport, office, gym, etc., treat it as lost/stolen and act immediately.
- Write a 60-second list of the accounts that key could unlock.
  Start with: your primary email, your password manager, any work/school single sign-on, banking/finance, cloud storage, and any account that can reset others.
- Get into your primary email account using any other available second step.
  Use what you already have (backup security key, authenticator app, SMS/voice if enabled, recovery codes, or another registered passkey).
  A security key usually isn’t enough by itself without your password or device unlock — but if you set up passwordless/passkeys on that key for any service, treat this as higher risk and move fast.
- Remove the missing security key from that account right away.
  In the account’s security settings (often “2-Step Verification,” “Security key,” “Passkeys,” or “Security info”), delete/remove the entry for the lost key.
- Sign out of other sessions and change the password for the account you just secured.
  Use “Sign out of all devices” (or similar), then change the password — especially if the key was lost with anything that could reveal your password or unlock your devices.
- Repeat key removal for every account on your list (highest-impact first).
  Prioritize: password manager, email, financial accounts, cloud storage, workplace SSO, developer platforms, and anything used for account recovery.
- If it’s a work/school key, contact your IT/security team or helpdesk immediately.
  Ask them to revoke/remove the security key (FIDO2) credential, review recent sign-ins, and issue the approved replacement process.
  Use your organization’s official support channels (intranet/help portal/known number), not contact details sent by text/email.
- If you’re fully locked out, use the provider’s official account-recovery process.
  Look for “Try another way,” “Can’t use your security key,” or “Account recovery.” If you’re stuck, use the provider’s official support.
What can wait
- Ordering and enrolling a replacement key (do it after the missing one is removed).
- Making your setup “perfect” (extra keys, reorganizing everything).
- Auditing every single account immediately (secure the critical ones now; others can follow).
- Deciding whether the incident “counts” as theft — your priority is removing the key and securing access.
Important reassurance
Most harm is prevented by one fast action: removing the missing key from your accounts. Once it’s removed everywhere it was registered, that lost key should no longer be accepted for those accounts.
Scope note
These are first steps to stabilize access and reduce immediate risk. Later, you can improve resilience (like adding a backup key and storing recovery codes safely).
Important note
This is general information, not legal, financial, or professional IT advice. Exact steps vary by provider and organization. Follow official recovery and security guidance for each service, and your workplace’s established IT/security process.
Additional Resources
- https://www.cisa.gov/topics/cybersecurity-best-practices/multifactor-authentication
- https://support.google.com/accounts/answer/9153624?hl=en
- https://support.google.com/titansecuritykey/answer/9115656?hl=en
- https://support.microsoft.com/en-us/account-billing/set-up-a-security-key-as-your-verification-method-2911cacd-efa5-4593-ae22-e09ae14c6698
- https://support.microsoft.com/en-gb/account-billing/removing-a-sign-in-verification-method-4099aa36-bb4e-429e-a0d7-9e05617084f1
- https://support.microsoft.com/en-gb/account-billing/microsoft-account-security-info-verification-codes-bf2505ca-cae5-c5b4-77d1-69d3343a5452