Choose a method
- Authenticator apps generate codes without relying on email.
- Security keys offer strong phishing resistance for important accounts.
- Text codes are widely available but phone-number theft and message interception make them less ideal.
Set up recovery before trouble
- Store backup codes somewhere protected and separate from the device.
- Add more than one administrator or recovery method for business-critical accounts.
- Remove old phones and former employees from trusted methods.
Respond to unexpected prompts
- Deny login approvals you did not initiate.
- Never read a code to an unexpected caller or type it into a site reached through an unsolicited message.
- Change the password and review activity after an unexplained prompt.
Stop guessing when the problem keeps coming back
Ask for help when moving MFA to a new phone, protecting shared business accounts, or recovering an account with a lost device.
