
Multi-factor authentication is one of the best account protections most people can turn on. The problem is that MFA also creates a very practical failure point: if your only sign-in method is a phone you lose, an authenticator app you replace, or an email address you no longer control, you may have made the account safer against attackers but harder for you to recover.
Today’s quick tip is simple: set up a backup sign-in and recovery plan while you can still get into the account normally. This matters for families, solo businesses, and small offices because the locked account is often the one that runs payroll, email, cloud storage, Apple devices, Google Business Profile, domain names, or Microsoft 365.
The 20-Minute Recovery Checklist
Pick your most important accounts first. For most people, that means email, Microsoft, Google, Apple, banking, password manager, domain registrar, website hosting, bookkeeping, and any account that controls other accounts.
- Confirm your current sign-in methods. Check the phone number, recovery email, authenticator app, trusted device, and security key listed on the account. Remove anything you no longer control only after a current replacement is working.
- Add at least one second method. If the account supports it, use more than one option: authenticator app plus backup codes, trusted device plus recovery contact, or authenticator app plus a hardware security key.
- Generate backup codes where available. Save them somewhere secure, such as a password manager secure note or a printed copy in a locked file. Do not keep them in the same email inbox they are meant to recover.
- Write down who can help. For business accounts, document who is the owner, who is a backup admin, and where recovery codes or emergency procedures are stored.
- Test the backup path lightly. Do not lock yourself out on purpose, but verify that the account shows the new method as active. If there is a “sign in another way” option, make sure your added method appears.
- Set a review reminder. Recheck recovery info any time a phone number changes, an employee leaves, a device is replaced, or once per quarter for business-critical accounts.
Microsoft Accounts and Microsoft 365
For personal Microsoft accounts, Microsoft says you can manage security info from the Security tab and add a new way to sign in or verify your identity. For work and school accounts, Microsoft’s support docs also point out that security info can be used for two-factor verification and password reset, but not every method works for both jobs. That distinction matters in a business: an employee may be able to pass MFA but still lack a usable self-service password reset method.
For a small business using Microsoft 365, do not rely on one owner’s phone as the whole recovery plan. At minimum, make sure there are appropriate backup admins, current security info, and a documented process for device replacement and employee offboarding.
Google Accounts and Backup Codes
Google supports backup codes for accounts using 2-Step Verification. Google’s help page says backup codes are single-use, you can create a new set of 10, and creating a new set makes the old set inactive. Google also warns not to share backup codes and says Google will not ask for one except when you are signing in.
That makes backup codes useful, but sensitive. Treat them like spare keys. If you print them, store them somewhere locked. If you save them digitally, put them in a password manager or encrypted business documentation system, not a plain desktop file named “Google backup codes.”
Apple Accounts and Recovery Contacts
Apple lets eligible users set up an account recovery contact. Apple says a recovery contact can help you regain access by giving you a recovery code, but they do not get access to your account. Apple also notes that account recovery can take longer if you do not have a recovery contact, and its trusted-phone-number guidance says recovery can take a few days or longer depending on the information available.
If you run your business from Apple devices, also check trusted phone numbers and trusted devices. A phone number that still belongs to an old employee, former spouse, or disconnected line can turn a normal password reset into a much bigger problem.
What Can Go Wrong
- Backup codes saved in the wrong place: If the codes are only inside the account you cannot access, they will not help during a lockout.
- Old phone numbers left in place: A disconnected number, former employee’s number, or recycled mobile number can create security and recovery problems.
- Only one admin exists: One-person control is risky for Microsoft 365, Google Workspace, domain registrars, web hosting, and bookkeeping systems.
- Authenticator app migration was skipped: Replacing a phone without moving authenticator accounts first can break sign-in for multiple services at once.
- Emergency access is too broad: A backup admin should be protected with MFA too. Do not create a weak “just in case” account with no monitoring.
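For anyone who keeps the recovery sheet as structured data, the failure modes above can be checked automatically. The script below is an added example, not something from the vendors' documentation: the field names, the sample entries, and the 90-day reading of "once per quarter" are all assumptions made for illustration.

```python
from datetime import date

REVIEW_MAX_AGE_DAYS = 90  # assumption: "once per quarter" taken as 90 days

# Constructed sample recovery sheet; every name and value here is made up.
SHEET = [
    {"account": "owner@example.com", "business": True,
     "methods": ["authenticator app"], "codes_stored_in": "owner@example.com",
     "admins": {"owner": True}, "phone_still_controlled": True,
     "last_review": date(2024, 1, 10)},
    {"account": "registrar", "business": True,
     "methods": ["authenticator app", "security key", "backup codes"],
     "codes_stored_in": "password manager",
     "admins": {"owner": True, "backup-admin": False},  # name -> has MFA
     "phone_still_controlled": False, "last_review": date(2024, 5, 20)},
    {"account": "family-photos", "business": False,
     "methods": ["trusted device", "recovery contact"],
     "codes_stored_in": None, "admins": {"parent": True},
     "phone_still_controlled": True, "last_review": date(2024, 6, 1)},
]

def audit(entry, today):
    """Return the list of recovery problems found for one sheet entry."""
    findings = []
    if len(set(entry["methods"])) < 2:
        findings.append("only one sign-in method")
    if entry["codes_stored_in"] == entry["account"]:
        findings.append("backup codes stored inside the account they recover")
    if not entry["phone_still_controlled"]:
        findings.append("listed phone number is no longer controlled")
    if entry["business"] and len(entry["admins"]) < 2:
        findings.append("only one admin")
    for name, has_mfa in entry["admins"].items():
        if not has_mfa:
            findings.append(f"admin '{name}' has no MFA")
    if (today - entry["last_review"]).days > REVIEW_MAX_AGE_DAYS:
        findings.append("recovery info review overdue")
    return findings

def audit_sheet(sheet, today):
    """Map each account name to its findings, omitting clean entries."""
    report = {e["account"]: audit(e, today) for e in sheet}
    return {acct: f for acct, f in report.items() if f}

if __name__ == "__main__":
    for acct, problems in audit_sheet(SHEET, date(2024, 6, 30)).items():
        print(acct, "->", "; ".join(problems))
```

The sheet should hold only where codes are stored, never the codes themselves.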
When To Call An IT Professional
Call for help before making changes if the account controls business email, billing, domain names, customer records, payroll, cloud file storage, or compliance-sensitive systems. Also call if you suspect someone else has access to an old recovery email or phone number. In that case, the job is not just “update the phone number”; it is account security cleanup, session review, admin review, and recovery hardening.
The IT Guys can help local businesses build a practical account recovery sheet, check Microsoft 365 or Google Workspace admin access, review MFA methods, and clean up old recovery paths before a lost phone or staff change becomes an outage.
Useful Source Links
- Microsoft: Manage Microsoft account security info and verification codes
- Microsoft: Sign in using two-step verification or security info
- Microsoft: Set up security info for work or school accounts
- Google: Sign in with backup codes
- Google: Fix common issues with 2-Step Verification
- Apple: Set up an account recovery contact
- Apple: Trusted phone numbers and trusted devices for Apple Account