This comes up quite often – so I thought I’d make things clear about Google Authenticator (and Authy, which is what I prefer).
When you first turn on 2FA on your account, you are presented with ten one-time recovery passcodes. What we need to emphasize more in the 2FA enablement process is this: those codes are the only way back into your account if your authenticator goes away. If you don’t save them somewhere safe (not on your phone, for crying out loud!) and you’re using Google Authenticator, then when you lose your mobile device or drop it in the toilet, you are locked out of your account. We will then have to intervene to restore access, which takes time, because we first have to verify that you are actually the owner of the account.
I prefer to use Authy, because they store authentication keys (or perhaps, a hash of them?) in their cloud. Someone’s going to say “oooh that’s a terrible idea!” but in my opinion, this is a second factor of authentication and it’s very unlikely that you’re going to get compromised on both your account password and your 2FA mechanism, and anyway it’s still vastly more secure than a one-factor authentication approach.
Takeaway: your choices are (1) store your ten one-time recovery passcodes in a safe place (you could consider, gasp, printing them out, which I know is very 20th century, or save them in a password manager or mailbox that is not itself locked behind the same account’s 2FA, otherwise you are locked out of the codes along with the account); (2) don’t use Google Authenticator or another non-cloud-based authenticator; (3) don’t use 2FA at all; or (4) be One of Those People who has to have Particle help regain access to the account because (1) to (3) were not followed.