Getting a new phone without losing MFA

If your work uses Microsoft Authenticator, Duo Mobile, Okta Verify, or another push app on your phone, switching phones is the most common reason people get locked out of work. Five minutes of prep on the old phone saves a frantic afternoon on the new one.

Before You Get the New Phone

Set yourself up to switch cleanly

Make sure you have a second sign-in method

Open your work account's security page (for Microsoft, https://mysignins.microsoft.com/security-info) and confirm you have at least one method besides the authenticator app — typically a phone number, a backup email, or a hardware security key.

Find out which apps your company uses for MFA

The most common are Microsoft Authenticator, Duo Mobile, Okta Verify, and Google Authenticator. Make a list of which ones are on your phone now so you know what to set up on the new one.

Turn on cloud backup if your authenticator app supports it

Microsoft Authenticator backup depends on the phone platform: iPhone uses iCloud, while Android uses a personal Microsoft account. Duo Mobile has Duo Restore, and Google Authenticator can sync to a Google account. Backup is still not a guaranteed full restore for every work account, so keep another sign-in method available.

The Day You Switch

Keep the old phone working until the new one is set

Do not erase or factory-reset the old phone yet

Keep it on, charged, and connected to Wi-Fi if you no longer have a SIM in it. As long as it can receive pushes, you can use it to approve sign-ins while you re-add your accounts on the new phone.

Install the same authenticator apps on the new phone

Install Microsoft Authenticator, Duo Mobile, Okta Verify, or whichever you use from the App Store or Google Play. Do not remove anything from the old phone yet.

Re-add accounts one at a time

For each work account, sign in to the security settings page from a computer (using the old phone to approve), then add the new phone as the active method. For Microsoft Authenticator this is Add sign-in method > Authenticator app on https://mysignins.microsoft.com/security-info. For Duo, your IT team can send you a fresh enrollment link. For Okta, sign in to your end-user dashboard and add a new device if your company allows self-service enrollment; otherwise IT may need to reset or re-enroll Okta Verify for you.

If You Already Lost Access

You upgraded the phone before doing any of this — now what?

Check your other sign-in methods first

Try signing in and look at the "More information required" or "Try another way" prompt. A backup phone number or email may let you in without IT.

Contact IT and be ready to verify your identity

IT will need to confirm you are really you before resetting MFA, because MFA reset is a common attacker target. Be ready with your manager's name, employee ID, or whatever your firm uses.

Ask for a temporary access pass or bypass code

Microsoft has Temporary Access Pass, Duo has bypass codes, and some Okta setups use Temporary Access Code. These temporary methods can let you sign in long enough to re-enroll the new phone.

Related

Specific app guides

Microsoft Authenticator

Mobile setup, push approvals, and recovery for Microsoft 365 accounts.

Duo Mobile

What to do when a new phone breaks Duo pushes.

Okta Verify

Re-enrolling Okta on a new phone and using FastPass.
