
2FA Conundrum

Auz Larocque 0 Reputation points
2026-04-28T14:18:49.3433333+00:00

I was using a Galaxy S23 Ultra for a long time, with Microsoft Authenticator. When I bought the S26 Ultra and transferred my data over, my Authenticator info didn't join in the fun. All my passkeys were in there and now I cannot log in to any of my sites governed by that service. I cannot recreate them, as now the app wants me to generate a passkey from it or use itself to authorize the login... I'm in a perpetual hell loop and am lost as to how to fix this... Anyone have any ideas?

I have tried using my phone number to send a code, tried the OTP from the Google account Privacy tab / page... nothing works... I don't have the S23 Ultra any longer and am at a bit of a loss on what to do here.

Microsoft Security | Microsoft Authenticator

1 answer

  1. AI answer

    2026-04-28T14:19:33.2266667+00:00

    Losing the old phone and its Microsoft Authenticator data breaks the link to existing passkeys and MFA registrations. The loop happens because the account now always asks for a verification method that no longer exists on any device.

    Actions depend on whether the accounts are personal Microsoft accounts or work/school (Entra ID/Microsoft 365) accounts:

    1. For passkeys that no longer work
    • If a site shows messages like “passkey not found,” “can no longer be used,” or similar, the passkey is effectively invalid.
    • Fix by:
      1. Deleting any obsolete passkeys from the Authenticator app on the new phone (if any were partially created).
      2. Setting up new passkeys for each account after you regain access by some other method.
      Guidance: Troubleshoot signing in with a passkey
    2. If the account is a work or school (Microsoft 365/Entra ID) account and Authenticator is the only MFA method
    • If there is at least one other admin in the tenant:
      • Another admin can sign in and reset MFA for the affected account from the Microsoft 365 admin center.
    • If there is only one admin (and that admin is locked out):
      • This is a known scenario. The only supported path is to contact Microsoft Support and have a ticket escalated to the Microsoft Data Protection team.
      • The Data Protection team verifies identity and then resets MFA or adds a new method so the admin can sign in again.
      • Steps (summary from similar resolved cases):
        1. Call the regional Microsoft support hotline for business/Office 365.
        2. When prompted, indicate the issue is with “Authenticator,” product “Office 365 for business,” company account, and that this is the only admin account.
        3. Ask to open a service request and escalate to the Data Protection team to reset MFA on the locked tenant.
      This process was used successfully in multiple similar cases where the only admin lost Authenticator access.
    3. If the account is a personal Microsoft account
    • If still signed in anywhere (Windows PC, browser session):
      • Immediately go to the account’s security info page and:
        • Add new sign-in methods (phone, email, new Authenticator registration, security key).
        • Remove any outdated methods tied to the old phone.
    • If not signed in anywhere and 2FA is enabled:
      • The normal account recovery form cannot bypass 2FA.
      • Use any available “I don’t have any of these” or similar option on the 2FA prompt to start an alternative recovery flow.
      • If that fails, contact Microsoft account support and explain that 2FA is enabled and the Authenticator device is lost.
    4. When getting a new phone in the future
    • Before retiring the old phone:
      • Sign in to the security/MFA management page (for work/school: “Security info” or “Additional security verification”).
      • Add the new phone as an MFA method (phone, Authenticator) while the old phone still works.
      • Only then remove the old phone and old Authenticator registrations.
    • For passkeys in Microsoft Authenticator on Android:
      • After setting up the new device, create new passkeys and save them to Authenticator following the prompts.
      • If an error says a passkey already exists, delete any locally stored passkey in Authenticator and retry registration.

    Until at least one account can be accessed by another method (existing browser session, SMS that actually completes, or support/Data Protection intervention), the loop cannot be broken purely from the new phone.

