Lost YubiKey or authenticator device: where do recovery controls fail?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Losing a YubiKey, authenticator app, or phone usually triggers recovery paths that fall back to email, SMS, or help desk verification, which can reintroduce phishing and social engineering risk, according to Axiad. The real control question is not whether MFA exists, but whether recovery governance preserves the security properties MFA was meant to create.

NHIMG editorial — based on content published by Axiad: What If I Lose My Yubikey or Google Authenticator?

Questions worth separating out

Q: How should security teams handle lost MFA devices without weakening access control?

A: Security teams should treat every lost-device recovery path as part of the authentication control.

Q: Why do lost YubiKeys or authenticator apps create a governance problem?

A: They create a governance problem because the organisation must re-establish identity after the original possession factor disappears.

Q: What do teams get wrong about MFA recovery procedures?

A: Teams often focus on the strength of the primary factor and ignore the recovery path.

Practitioner guidance

  • Classify recovery paths by assurance level: map every fallback path used for lost YubiKeys, authenticator apps, and phone-based MFA.
  • Harden help desk identity proofing: require scripted verification, documented escalation, and dual approval for high-value account resets.
  • Reduce reliance on phone-number recovery: limit SMS recovery where number spoofing or SIM swap would materially weaken access assurance.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step recovery options for YubiKey users and Google Authenticator users
  • Practical discussion of when backup codes, email, and SMS recovery can reopen risk
  • Configuration considerations for IT teams deciding how much recovery convenience to allow
  • User-facing examples that show how support workflows change when devices are lost

👉 Read Axiad's guidance on lost MFA devices and recovery options →
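As an added example (not code from the Axiad post or from this editorial), the following policy evaluator applies the three guidance points above: each recovery channel is classified by assurance level, each account tier carries a minimum acceptable level, and a help-desk-mediated reset of a high-value account must show scripted verification plus two distinct approvers before it is allowed. The channel names, tiers, levels and thresholds are assumptions chosen for illustration.

```python
"""Recovery-path assurance policy for lost MFA devices.

Added example, not Axiad's or NHIMG's code. Channel names, account tiers,
assurance levels and the dual-approval rule are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    LOW = 1     # channel an attacker can plausibly redirect (SMS, email)
    MEDIUM = 2  # something the user holds or a scripted proofing process
    HIGH = 3    # in-person or cryptographic re-enrolment


# Assumed classification of every fallback path (the "classify" step).
RECOVERY_PATH_ASSURANCE = {
    "sms_otp": Assurance.LOW,
    "email_link": Assurance.LOW,
    "backup_code": Assurance.MEDIUM,
    "helpdesk_scripted": Assurance.MEDIUM,
    "in_person_reenrol": Assurance.HIGH,
}

# Assumed minimum assurance an account tier may recover with.
MIN_ASSURANCE = {
    "standard": Assurance.LOW,
    "elevated": Assurance.MEDIUM,
    "privileged": Assurance.MEDIUM,
}

HIGH_VALUE_TIERS = {"elevated", "privileged"}


@dataclass
class RecoveryRequest:
    user: str
    tier: str
    path: str
    scripted_verification_done: bool = False
    approvers: list = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(req: RecoveryRequest) -> Decision:
    """Decide whether a lost-device recovery request may proceed."""
    level = RECOVERY_PATH_ASSURANCE.get(req.path)
    if level is None:
        return Decision(False, f"unknown recovery path {req.path!r}")
    if req.tier not in MIN_ASSURANCE:
        return Decision(False, f"unknown account tier {req.tier!r}")

    # Assurance floor: SMS/email are rejected for high-value tiers here.
    required = MIN_ASSURANCE[req.tier]
    if level < required:
        return Decision(
            False, f"{req.path} is {level.name}; tier {req.tier} needs {required.name}"
        )

    # Help desk resets must follow the script, and high-value accounts need
    # two distinct approvers who are not the requesting user.
    if req.path == "helpdesk_scripted":
        if not req.scripted_verification_done:
            return Decision(False, "help desk reset without scripted verification")
        if req.tier in HIGH_VALUE_TIERS:
            distinct = set(req.approvers) - {req.user}
            if len(distinct) < 2:
                return Decision(False, "high-value reset needs two distinct approvers")

    return Decision(True, f"{req.path} meets {required.name} for tier {req.tier}")


if __name__ == "__main__":
    # Constructed requests to show the policy in action.
    for r in (
        RecoveryRequest("alice", "standard", "sms_otp"),
        RecoveryRequest("erin", "privileged", "sms_otp"),
        RecoveryRequest("frank", "privileged", "helpdesk_scripted", True, ["ops1"]),
        RecoveryRequest("frank", "privileged", "helpdesk_scripted", True, ["ops1", "ops2"]),
    ):
        d = evaluate(r)
        print(f"{r.user:6} {r.tier:10} {r.path:18} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

The useful property is that the policy refuses, rather than silently downgrades, when a fallback is weaker than the tier allows: a privileged user who lost a YubiKey cannot be recovered over SMS at all, and a help desk agent cannot complete the reset alone.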

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Recovery governance is part of authentication governance. A lost authenticator is not a simple replacement event, because the organisation must decide how identity is re-established when the original possession factor is unavailable. If recovery relies on weaker channels such as SMS, email, or support-mediated reset, the programme has shifted assurance from the factor to the fallback. Practitioners should treat recovery design as a core authentication control, not a service desk convenience.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means many identity programmes still lack the control picture needed for reliable recovery governance.

A question worth separating out:

Q: How can organisations tell whether MFA recovery is too permissive?

A: Look for frequent support overrides, broad use of SMS or email resets, and inconsistent identity proofing across teams. If privileged users can recover access faster than ordinary users without stronger checks, recovery is probably acting as a bypass rather than a safeguard.

👉 Read our full editorial: Lost MFA devices expose recovery gaps in human identity controls
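An added example, not from the editorial, of the check in the answer above run over constructed recovery audit records: it measures the share of resets that went through SMS or email, counts support overrides, and compares how quickly privileged users recovered against ordinary users, flagging the case where privileged users recovered faster while using weaker paths or overrides. The log format, field names and thresholds are assumptions.

```python
"""Detect over-permissive MFA recovery from recovery audit records.

Added example, not NHIMG's code. The record format (one line per completed
recovery, space-separated key=value fields after a timestamp), the field
names and the thresholds are assumptions for illustration.
"""
from statistics import median

WEAK_PATHS = {"sms_otp", "email_link"}
WEAK_SHARE_THRESHOLD = 0.4   # flag if more than 40% of resets used SMS/email
OVERRIDE_THRESHOLD = 3       # flag at three or more support overrides

# Constructed sample log: duration_min is minutes from ticket open to reset.
SAMPLE_LOG = """\
2024-05-02T09:14:00Z user=alice tier=standard path=sms_otp override=no duration_min=38
2024-05-02T10:02:00Z user=bob tier=standard path=email_link override=no duration_min=52
2024-05-02T11:40:00Z user=carol tier=standard path=backup_code override=no duration_min=20
2024-05-03T08:05:00Z user=dave tier=elevated path=helpdesk_scripted override=yes duration_min=15
2024-05-03T09:30:00Z user=erin tier=privileged path=sms_otp override=no duration_min=6
2024-05-03T14:12:00Z user=frank tier=privileged path=helpdesk_scripted override=yes duration_min=9
2024-05-04T07:55:00Z user=grace tier=standard path=sms_otp override=no duration_min=41
2024-05-04T16:20:00Z user=heidi tier=privileged path=backup_code override=yes duration_min=5
"""


def parse(log_text):
    """Turn log lines into dicts; skip blank or malformed lines."""
    records = []
    for line in log_text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        fields = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        try:
            fields["duration_min"] = int(fields["duration_min"])
        except (KeyError, ValueError):
            continue
        fields["ts"] = tokens[0]
        records.append(fields)
    return records


def analyse(log_text):
    """Return (metrics, findings) for the recovery records in log_text."""
    records = parse(log_text)
    findings = []
    if not records:
        return {"count": 0}, ["no recovery records to analyse"]

    weak = [r for r in records if r["path"] in WEAK_PATHS]
    weak_share = len(weak) / len(records)
    if weak_share > WEAK_SHARE_THRESHOLD:
        findings.append(f"{weak_share:.0%} of resets used SMS or email")

    overrides = [r for r in records if r.get("override") == "yes"]
    if len(overrides) >= OVERRIDE_THRESHOLD:
        findings.append(f"{len(overrides)} support overrides in the period")

    by_tier = {}
    for r in records:
        by_tier.setdefault(r["tier"], []).append(r["duration_min"])
    med = {tier: median(d) for tier, d in by_tier.items()}

    # Privileged users recovering faster than ordinary users, without a
    # stronger path, is recovery acting as a bypass.
    if "privileged" in med and "standard" in med and med["privileged"] < med["standard"]:
        loose = [
            r for r in records
            if r["tier"] == "privileged"
            and (r["path"] in WEAK_PATHS or r.get("override") == "yes")
        ]
        if loose:
            names = ", ".join(sorted(r["user"] for r in loose))
            findings.append(
                f"privileged users recover faster (median {med['privileged']} vs "
                f"{med['standard']} min) via weak paths or overrides: {names}"
            )

    metrics = {
        "count": len(records),
        "weak_share": weak_share,
        "overrides": len(overrides),
        "median_duration": med,
    }
    return metrics, findings


if __name__ == "__main__":
    m, f = analyse(SAMPLE_LOG)
    print(m)
    for item in f:
        print("FINDING:", item)
```

Run against a real export, the three findings map directly onto the signals in the answer: broad SMS/email use, frequent overrides, and privileged accounts that get back in faster than everyone else without stronger proofing.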
