Log in to your account without your phone.
That’s a summary of a question I get frequently.
The problem is that telling Google your new number requires you to sign in, but you can’t sign in because the verification goes to your old number. It’s a vicious circle.
I have to tell you that, depending on some factors, you may not be able to get back in.
Let’s see which straws we can grab on to.
Preparation is key
Google is going to want something that was set up, logged in, or configured before this situation arises. Typically, that means adding your phone number and keeping that number up to date.
Of course, if you’ve lost your phone or changed your number without updating your account information, that won’t work.
Fortunately, Google offers many additional ways to confirm your identity.
Important: Not all of these options will be available to you in all situations (and there may even be others). Exactly which ones Google chooses to make available is unclear, and may vary depending on the characteristics of your account, or whether you’re following the “forgot my password” or “lost my two-factor device” path.
Several of these options require configuration before you need them. If you haven’t set them up for your account, they probably won’t be listed.
Even if you don’t have two-factor authentication explicitly enabled, Google’s security may require this additional level of confirmation on occasion. This is essentially two-factor authentication as well.
Let’s see the options.
Account verification options
Use your security key
With a hardware security key like a YubiKey, all you need to do is insert the key into a USB port and press a button to confirm you are who you say you are.
This only works if you have previously configured a YubiKey with your account and have it with you. I have assigned a YubiKey to my account and yet not having it with me is the most common situation I come across.
Get a unique security code
You can use a hardware security key to sign in to your account on one device, and then use that device to get a code to sign in on another.
This scenario assumes that you can’t use your security key on the device you’re trying to log in to. Maybe the USB ports are broken; maybe you left that key at home. By using a different device (and perhaps a trusted family member at home), you can use your ability to sign in at one place as a way to validate the other.
Confirm on your phone or tablet
If you’re currently signed in to Google on a mobile or tablet device, Google may send a message to that device, asking you to confirm your sign-in on the current machine.
Naturally, this only works if you’re currently logged in on another device and can reply to the confirmation prompt.
Use your phone or tablet to get a security code (even if you’re offline)
This surprised me. I suspect this only works for Android devices, but if you’re logged into the same account on one of those devices, you’ll be prompted to retrieve a login code from one of those devices.
Next, your device presents the codes you can use to confirm your identity.
That this works even if that mobile device is not connected to the internet might be a lifesaver, especially when traveling.
Get a verification code from the Google Authenticator app
This also does not require connectivity on your mobile device, but it does require that you have set up two-factor authentication with the Google Authenticator app beforehand. Other supported apps, like Authy, also work.
On the device running the authenticator app (which can even be the computer you’re trying to log in to, if you’re running the desktop version of Authy), simply enter the code currently displayed for your account.
Get a verification code at an email address
Google will email a code to one of your recovery email addresses. Your ability to provide that code proves you are who you say you are, or at least the person who set up the recovery email addresses, and you should be able to get into the account.
Email addresses are not always included in the list of options (they are not present above, for example).
Note: you can have more than one recovery email address associated with your account. The example here shows four. If you lose access to one, you can have the code sent to any of the others.
Get a verification code via mobile phone
This is precisely the problem that brought us here. Google will send a code via text message to your registered mobile phone number.
Note: You may have more than one number associated with your account. If you lose access to one, you can have the code sent to the other instead.
Enter one of your 8-digit backup codes
With two-factor authentication enabled, each time you sign in to your account, you can have Google create and display a set of backup codes for you to use in an emergency.
Each can be used once, in lieu of your second factor, or when you need to provide additional security assurance to Google that you are who you say you are.
If you use two-factor authentication, I recommend that you obtain and store those backup codes in a safe place.
If you’re not using two-factor authentication, and the added security it provides isn’t enough to convince you, it’s almost worth turning it on just so you have these codes available should you need them.
Google warns that this process can take several days. What they don’t say is that it might not work.
The process encourages you to try some of the options we’ve already discussed as faster ways to get into your account.
If that doesn’t work for you, Google will ask you a series of questions and… contact you. Carefully answer those questions as clearly and completely as you can.
If you have provided enough information, you will eventually be provided with a means to access your account and reset your password.
If you haven’t provided information that Google deems sufficient to prove you’re the rightful owner of the account… you’re out of luck. This is not unusual.
What’s frustrating for people in this position is that Google never says exactly what it considers “enough.” This is on purpose, to prevent malicious hackers from gaming the system. That is why I emphasize being careful, clear and complete when answering the questions presented.
If all else fails
If none of the confirmation options provided by Google work for you…
If you haven’t set up alternate and recovery information for your account…
If the account recovery process covered in the last step fails…
…then I don’t know of any way to get back into your account. For all intents and purposes, it is no longer your account.
That’s why I insist on setting up account recovery information and enabling two-factor authentication before you need it, so you’ll never find yourself in this situation.