If your authenticator stops working after a phone switch, restore or re-link accounts, resync time on the device, and test each code before logging out.
You switched devices and those six-digit codes won’t pass. It feels like the door lock changed and the new key doesn’t turn. The good news: most “new phone, no code” moments come down to one of a few causes—no backup or transfer, time drift, or accounts that still point to the old device. This guide gives you clear fixes, app-specific steps, and guardrails so you can get back in quickly without weakening account security.
What’s Going Wrong With Codes After A Phone Change
One-time passwords (TOTP) are generated from two things: a secret key saved in your app and the current time. If the secret key never made it to the new device—or the phone’s time is out of sync—the site rejects the digits. Sometimes the site still trusts your old device only. Less often, a QR transfer failed or an account restore waited on a cloud backup you didn’t finish.
Fast Triage Table
Scan the left column, match your symptom, then try the “Quick Fix” first. This sits early so you can move straight to action.
| Symptom | Likely Cause | Quick Fix |
|---|---|---|
| All sites reject codes on the new phone | Secrets never transferred | Use app restore/transfer or re-link 2FA on each site |
| Some sites work, others fail | Only part of the vault restored | Re-scan QR for the failing sites only |
| Codes look valid, off by a few seconds | Phone time not synced | Turn on automatic date/time and restart |
| QR transfer stalls or shows error | Camera permission or screen brightness | Grant camera access; raise brightness; turn dark mode off |
| App shows tokens, but site still asks for an old device | Site still trusts previous authenticator | Use account recovery or backup codes, then re-register |
| Work account fails only | Org policy binds to specific device | Ask IT to approve the new device; then re-enroll |
New Phone, Authenticator Failing — Quick Checklist
Run these steps in order. You’ll fix the highest-probability issues first, then handle edge cases.
1) Confirm Old Device Access (If You Still Have It)
If the old phone still powers on, keep it connected to Wi-Fi and don’t reset it yet. Many apps offer a direct “Transfer accounts” or “Export/Import” flow that moves your secrets with a QR handoff. That takes minutes and saves you from re-enrolling every site by hand.
2) Restore From The App’s Backup Or Transfer Feature
Some authenticators back up tokens to a cloud account you control. If you used that before the switch, sign in on the new phone and restore:
- Microsoft Authenticator: open the app on the new phone and pick Restore from backup; sign in with the same Microsoft account you used for backup. This pulls tokens to the new device. See Microsoft’s guide: restore account credentials.
- Google Authenticator: current versions sync codes when you sign in with your Google Account on each device. Open the app, sign in, and allow sync to populate the list. Details live here: keep codes synchronized.
- Duo Mobile: Duo Restore can recover accounts to a new phone when enabled earlier. If your company manages Duo, you may also need admin approval.
3) Turn On Automatic Date And Time
TOTP relies on the phone's clock being accurate. Set the phone to network time, then restart. Open the authenticator and check a fresh six-digit code. If time drift caused failures, logins tend to work right after this change.
4) Re-Link Only The Accounts That Still Fail
When a site still rejects the digits, assume the secret key stored there differs from the one on your new phone. Sign in using a backup method (SMS, backup code, security key, recovery email), go to the site’s security settings, and re-register your app by scanning a new QR. Delete the stale entry in your authenticator so you don’t pick the wrong one later.
5) Test And Label Clearly
After each fix, run a full sign-out/sign-in test for that site. Rename tokens with clear labels like “Bank – iPhone 15” so you know which entry is live. That helps a ton the next time you upgrade hardware.
App-By-App Guidance You Can Use Now
Google Authenticator
Sign in on the new phone, allow code sync, and verify that entries appear. If you used the in-app “Transfer accounts” flow from the old device, scan the QR on the new one, then confirm each site accepts a code. If a site fails, re-link it from that site’s security page and remove the stale token.
Microsoft Authenticator
Turn on cloud or iCloud backup on the old device first, then use Restore from backup on the new device with the same Microsoft account. Some work tenants require device registration after restore; follow the prompt inside the app. If a specific work account still fails, your IT admin may need to reset MFA for that user.
Password Managers And iCloud Keychain
Modern password managers and Apple’s Passwords app can store TOTP secrets alongside passwords. When you sign back in on the new phone and sync the vault, those OTPs travel with it. On iPhone, you can set up verification codes in Passwords so the six-digit code fills in right along with the username. Apple’s guide shows the flow to auto-fill verification codes.
If You No Longer Have The Old Phone
Without the source device, you have two routes: use backup methods or run account recovery.
Use Backup Codes Or A Secondary Factor
Most services offer printable backup codes. If you saved them, use one to get in, then add the new device under security settings. Security keys (FIDO2/passkeys) or SMS can also bridge you back in for that re-enrollment step.
Start Account Recovery
When no backup method is available, begin the site’s recovery flow. Expect to verify identity by email, phone, or prior devices. This can take time on high-risk accounts. Once you regain access, add the new authenticator and generate fresh backup codes.
Second Table: Transfer Options By Authenticator
Use this snapshot to decide whether you should restore, re-scan, or contact support. Keep in mind: some work accounts add admin approval to every move.
| Authenticator | Transfer/Backup Support | Where To Start |
|---|---|---|
| Google Authenticator | Account sync across devices; QR export from old phone | Sign in and enable sync; or use Transfer Accounts |
| Microsoft Authenticator | Cloud/iCloud backup and restore; tenant controls for work | Restore from backup in the app; re-register work accounts if asked |
| Duo Mobile | Duo Restore when enabled; orgs may bind devices | Recover in the app; ask IT to re-enroll device if blocked |
| Password Managers | OTP secrets sync with the vault | Sign in and sync; confirm codes match the site |
| iCloud Passwords | Verification codes sync via iCloud Keychain | Turn on Passwords & Keychain; add code entries per site |
Common Edge Cases And Straightforward Fixes
Time Drift On The Phone
TOTP codes change every 30 seconds. If your phone runs on manual time or a mismatched time zone, codes fail. Set date and time to automatic, pick the right region, restart the device, then try again.
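The two causes described here and under “What’s Going Wrong With Codes After A Phone Change” can be told apart from the verifier’s side. The following is an added example, not code from any authenticator app or site: a minimal RFC 6238 generator plus a hypothetical `diagnose` helper. The secrets are sample values, and the one-step acceptance window and 20-step search range are assumptions.

```python
import base64, hashlib, hmac, struct

# RFC 6238 Appendix B test key ("12345678901234567890" in base32); sample data only.
SITE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed second secret standing in for a stale entry that was never re-linked.
STALE_SECRET = "JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP"

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    secret = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def diagnose(site_secret, submitted, server_time, step=30, accept=1, search=20):
    """Classify a submitted code against the secret the site holds.

    Returns (status, n), where n is the offset in time steps at which the
    code matches: "accepted" if |n| <= accept, "clock_drift" if it matches
    only further out, "secret_mismatch" (n is None) if it never matches.
    """
    # Check the nearest steps first: 0, -1, +1, -2, +2, ...
    for n in sorted(range(-search, search + 1), key=abs):
        expected = totp(site_secret, server_time + n * step, step)
        if hmac.compare_digest(expected, submitted):
            return ("accepted" if abs(n) <= accept else "clock_drift", n)
    return ("secret_mismatch", None)

if __name__ == "__main__":
    now = 1111111109  # fixed timestamp so the run is reproducible
    cases = {
        "phone in sync": totp(SITE_SECRET, now),
        "phone clock 5 min fast": totp(SITE_SECRET, now + 300),
        "stale or wrong entry": totp(STALE_SECRET, now),
    }
    for label, code in cases.items():
        print(f"{label:24} {code} -> {diagnose(SITE_SECRET, code, now)}")
```

A code that matches only at a distant step points to the phone’s clock; a code that matches nowhere in the search range points to a secret the site does not hold, which is the re-link case.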
Multiple Tokens For The Same Site
During a transfer, it’s easy to create a fresh entry while the site still points to the old one. Keep only the working entry in your app. A clean list avoids picking the wrong token during a login rush.
QR Won’t Scan On The New Phone
Grant camera permission, raise brightness, and zoom a touch closer. If the screen still won’t scan, use a manual key entry. Double-check the number of digits (usually six) and the timing window (30 seconds).
Work Or School Account Still Blocks You
Managed accounts often tie MFA to a specific device. An admin reset may be required after you change phones. Ask the IT desk for a new enrollment prompt, then register the new device on a trusted network.
Lost Phone And No Backup Codes
Use recovery channels the service provides, such as alternate email, phone call, or identity prompts. Once you’re back in, add a second factor you control offline—preferably a hardware security key—so you always have a path back.
Step-By-Step Re-Linking Walkthrough
1) Sign In With A Backup Method
Use a backup code, SMS, or a security key. If none exist, start account recovery. Once inside, go straight to the site’s security settings.
2) Remove The Old Authenticator
Find the entry linked to your previous phone and remove it. This prevents the site from asking for codes from a device you no longer own.
3) Add The New Phone
Choose “Authenticator app,” then scan the QR with your new phone. If the app offers multiple accounts, label the entry with the site name and device. Save any backup codes the site offers at the end.
4) Test A Full Login
Sign out and sign back in using the new code. If it passes, you’re set. If it fails, re-scan and confirm there isn’t a duplicate entry with a stale token still active.
Security Hygiene While You Fix Access
- Use strong device locks. Face, fingerprint, or a long passcode stops casual access to your tokens.
- Keep codes off screenshots. Treat QR images and manual keys like passwords and never store them in photo rolls or chat apps.
- Prefer hardware keys for recovery. A pair of FIDO2 keys gives you a backup factor that isn’t tied to a phone battery.
Prevent The Next Lockout
Phone upgrades happen. Set up these habits now so the next swap feels routine:
- Turn on the app’s backup or sync. In Microsoft Authenticator, enable cloud or iCloud backup, then test a restore on a spare device. In Google Authenticator, sign in so codes sync across devices.
- Generate and store backup codes. Print them or save to a secure vault. Mark which account each set belongs to.
- Keep a list of accounts using app codes. A simple checklist speeds re-linking and reduces missed entries.
- Add a second, independent factor. Security keys or a second authenticator on a tablet give you another route back in.
- Label entries clearly. Site + device name helps you pick the right token fast.
When To Contact Support
Reach out when a service shows “no recovery options,” when a managed account demands admin approval, or when you suspect the account was taken over during the phone swap. Provide proof of ownership and be ready to wait through safety checks. Once you regain access, rotate passwords, add the new authenticator, and revoke any devices you don’t recognize.
Recap You Can Act On
Start with restore features inside your authenticator, verify phone time, then re-link only the accounts still failing. Use backup codes or recovery flows if the old device is gone. Add backups and clear labels so the next upgrade is smooth. For official steps on two popular apps, bookmark Microsoft’s restore guide and Google’s page on keeping codes synchronized. Those two links solve most upgrade headaches.
