This is one of the most common calls K12 Montana gets from school offices: "Sarah got a new phone and now she can't log into her Google account." Here's exactly what happens and how to fix it.
When 2-factor authentication is set up with an authenticator app (like Google Authenticator or Authy), the codes are tied to that specific phone. When the phone is replaced, the old app and its codes are gone. The new phone doesn't automatically have them.
If the staff member also doesn't have their backup codes saved somewhere (they probably don't), they're effectively locked out.
A Google administrator can resolve this in a few minutes.
In the Google Admin Console, go to Directory, then Users. Find the affected staff member. Hover over their name and click More options, then Change organizational unit. Move them to the "MFA Enabled but not enforced" OU.
Then click on the user's account, go to the Security tab, scroll to 2-Step Verification, and turn it off. This clears the old 2FA setup.
Now the staff member can log in without 2FA. Have them re-enroll 2FA on their new phone using the standard setup steps (see our earlier post on enabling 2FA for staff). Once they've completed setup, move them back to their original OU.
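For admins who script these steps, here is the same sequence against the Admin SDK Directory API (users.get, users.update, twoStepVerification.turnOff). This is an added example, not K12 Montana's own tooling, and it adds a check that the user has re-enrolled before moving them back. The OU path, the sample address and the FakeDirectory stand-in are assumptions; in production, `service` would be a Directory API client authorized as a Workspace admin.

```python
# Assumed OU path: the post names this OU but not its place in the OU tree.
TEMP_OU = "/MFA Enabled but not enforced"

def reset_2sv(service, email, temp_ou=TEMP_OU):
    """Move the user to the non-enforced OU, then turn off 2-Step Verification.
    Returns the original OU path so the user can be moved back later."""
    user = service.users().get(userKey=email).execute()
    original_ou = user["orgUnitPath"]
    if original_ou != temp_ou:
        service.users().update(userKey=email, body={"orgUnitPath": temp_ou}).execute()
    # Clears the enrollment that was tied to the old phone.
    service.twoStepVerification().turnOff(userKey=email).execute()
    return original_ou

def restore_ou(service, email, original_ou):
    """Move the user back only after they have re-enrolled on the new phone."""
    user = service.users().get(userKey=email).execute()
    if not user.get("isEnrolledIn2Sv", False):
        return False  # not re-enrolled yet: keep them in the non-enforced OU
    service.users().update(userKey=email, body={"orgUnitPath": original_ou}).execute()
    return True

class _Req:
    def __init__(self, fn): self.execute = fn

class FakeDirectory:
    """Constructed in-memory stand-in for the Directory API client (offline demo)."""
    def __init__(self, **user): self.user = user
    def users(self): return self
    def twoStepVerification(self): return self
    def get(self, userKey): return _Req(lambda: dict(self.user))
    def update(self, userKey, body): return _Req(lambda: self.user.update(body))
    def turnOff(self, userKey): return _Req(lambda: self.user.update(isEnrolledIn2Sv=False))

if __name__ == "__main__":
    # Constructed sample user; the address and OU are placeholders.
    svc = FakeDirectory(orgUnitPath="/Staff", isEnrolledIn2Sv=True)
    ou = reset_2sv(svc, "sarah@example.org")
    print(ou, svc.user)
    print(restore_ou(svc, "sarah@example.org", ou))  # not re-enrolled yet
    svc.user["isEnrolledIn2Sv"] = True               # staff member re-enrolls
    print(restore_ou(svc, "sarah@example.org", ou), svc.user)
```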
During initial 2FA setup, Google generates 10 single-use backup codes. These are the safety net for exactly this situation. The problem is that most people don't save them anywhere accessible.
A good practice: during 2FA enrollment, encourage staff to download the backup codes and either store them in their Google Drive (securely, not shared) or print them and keep them somewhere safe at home. It takes 30 seconds and prevents a lockout down the road.
Having repeated issues with 2FA lockouts at your school? K12 Montana Inc. can help you build better enrollment and recovery workflows. Contact us and we'll get it sorted out.