:format(webp)/cdn.vox-cdn.com/uploads/chorus_image/image/72857068/GettyImages_591397373.0.jpg)
The night before I was supposed to go on a long and well-deserved vacation, something very, very bad happened: I lost my phone. I had a friend over and, I decided, he must have accidentally taken my phone with him when he left. Which was a problem because all methods I had to contact him — including his phone number and address — were in the one thing I now didn’t have.
There’s nothing like spending 30 minutes panicking that you’ve lost your phone to make you realize just how devastating that loss can be ... and how poorly you’ve prepared for the possibility. Access to just about everything I wasn’t already logged into on my computer was dependent on access to my phone, with my mobile-device-only password manager and multifactor authentication apps and text messages. Actually, had I even backed my phone up to my iCloud account? Didn’t I delete my backups to free up storage space? Was I logged into iCloud on my laptop? Would it even be possible to log in, since my passwords and authentication tools were only on the phone?
“I don’t think most people prepare for losing their phone,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told Vox. “Which is surprising considering how many people [have] lost their phone, broke their device, or had it stolen. Despite many people having experience here, they aren’t often taking the right precautions.”
Our phones have become our main — in some cases, only — gateway to so many things. If you lock yourself out of your house, you can call a locksmith to get back in, even if it’s the middle of the night on a holiday. But if you lose your phone, you may lose your keys to a whole lot more, and it may take a while, if ever, to get that access back.
Ironically, this is especially true if you’ve proactively taken the kind of basic digital security measures most experts would recommend. My efforts to secure my accounts from bad actors — some of which relied on having my phone — might have made it that much harder for me to get back into them.
That’s not to say that you shouldn’t do those things — you absolutely should. You just want to make sure you’re preparing for the possibility of a lost device when you set them up. The trick is to make sure you aren’t low-hanging fruit for bad actors, while also not putting that fruit so high up that you can’t reach it if you need it.
So I’ve put together a little guide on how to best protect yourself from losing everything if you lose your phone. One thing to keep in mind: These are recommendations for the average person with the average security concerns. If you’ve got different considerations because you’re, say, storing valuable company secrets on your phone, this is not the guide for you.
Make sure you have something to restore: Back that phone up
If you aren’t backing up your phone, there may not be anything to get back if you lose or break it. Some of those things, like photos, may be lost forever. Fortunately, it’s easier than ever to back up your phone.
“Backup of data in the digital reality we’re in now is paramount. The impact of no backups is just too dangerous,” DeGrippo said.
The old-fashioned way is to connect your phone to your computer. You can find directions on how to do this for your iPhone here and your Android here. This is fine, as long as you remember to back it up regularly and you aren’t in a situation where both your phone and your computer are lost or destroyed at the same time.
That’s why you may want to consider backing it up to the cloud. You can set it to do so automatically and frequently, and your data will be housed in a separate and secure location. There will also, most likely, be a price attached: Apple and Google, for instance, offer a tiny bit of cloud storage for free. For most people, that’s not enough, and you’ll have to shell out for a paid tier.
“This is generally worth it to seamlessly transfer to another device without data loss in case your handset goes missing forever,” DeGrippo said.
Your device manufacturer or carrier may have backup options, too, if you want to do some price and feature shopping.
If you’re especially afraid of losing your backup, you can do what I do: back it up to the cloud as well as your laptop, and then back your laptop up to a password-protected external disk drive that you store in a water- and fire-proof safe. This is probably excessive and unnecessary for most people, but it does protect you from many of the worst-case scenarios.
But your work isn’t done yet. You also want to make sure you know how to access that backup if you need it. As I learned, your phone can’t be the sole point of access to your backup. That may also mean making sure that the passwords or authentication codes you need to log into your cloud account can be accessed outside your phone (more on this later).
Your phone may not be as lost as you think
These days, phones and many other devices come with locator services, like Apple’s “Find My.” Make sure you’ve both activated it and know where and how to access it on another device (assuming you have one) if the worst happens.
This was how I got my phone back, by the way: after a half hour of panicking, I remembered I had Find My set up on my phone and laptop, and used my computer to find my phone (it was under my pillow a few feet away the whole time). You might not be so lucky, but locator services are good for that, too: They often allow you to remotely wipe your device if you fear it’s fallen into the wrong hands. (Hopefully you’ve done your backup homework so you aren’t actually losing anything if you do have to wipe your phone).
You can even put a message on the device for whoever has it to see. I can personally attest to the usefulness of that: I left my laptop on a bus years ago. I put a plea for its return (and a reward offer) on the laptop screen. I got my computer back. Instructions on how to use Apple’s “Find My” service can be found here, and Google has an option for finding Android devices.
“Test out these kinds of features so when you really need them, you’ll know exactly how to find them. Further, make sure to enable the find feature on all your devices, so when you lose one, the others can locate it for you,” DeGrippo said.
You may also want to consider sharing your location (which is really your device’s location) with someone you trust. This concept is bizarre to me, a privacy reporter, but it’s something plenty of people do, and that experts recommend. And not just for finding a lost phone, either.
“I do this with my friends and family and it makes me feel safer knowing someone always has a general idea of where I am,” DeGrippo said. “Only share this with people who you trust, under the idea that it is always safer for that person to know where you are.”
Remember, you can revoke that access anytime for whatever reason.
The cybersecurity measures that could make you life harder (but you should still do them)
Now that you’ve done everything you can to back your phone up and possibly even locate it if it goes missing, you should think about if and how you can get into all of the apps and services you’ve put on your phone if you don’t have said phone.
If you use the same password for virtually everything and don’t have multifactor authentication on your accounts, then it’ll be easy to get back into them, assuming they have a web version and you have access to a second device. Enter that one password that you’ve surely memorized by now and you’re in.
But! This is also a terrible plan, because it makes it easy for anyone else to get into your account, too. Your password is only as safe as the worst company you’ve entrusted it to. All you need is for one of the countless websites and apps you use that password for to have a data breach, and you’re screwed. I speak from experience. Trust me, you don’t want to log into your bank account and see that most of your life savings has been wired out of it because Tumblr got hacked.
Choose unique, strong passwords for all of your accounts. That way, if a password is exposed in a data breach, the damage will be limited to just one account. Of course, that would mean you also need to remember all of those passwords. And that’s where a password manager comes in.
“I highly recommend everybody has a password manager and learns how to use it,” Casey Oppenheim, co-founder and CEO of security and privacy software developer Disconnect, said.
Apple and Google have password managers built right into their services, which makes creating and storing those passwords a quick and simple process. A few taps and you’re good.
You can also try a third-party app like LastPass or 1Password, though you might have to pay for them. I used the free version of LastPass, which meant I only had access to it through my phone (the paid version lets you use it on multiple devices). Which was fine until I thought I lost my phone and realized it wasn’t.
“Ideally, it’s a password manager that is not just on your phone, but you can access it on the web,” Oppenheim said. “That’s not as secure, but I think for most people, you want to be able to access your password manager not just locally on your device.”
(It’s worth pointing out that LastPass has had some significant security issues over the last year, which it wasn’t very forthcoming about. Keep that in mind when choosing which password manager to use.)
When you set up one of these third-party password managers, you’ll have to give your account a master password — the password to get into your passwords. Do not store this password on your phone, for reasons that should be obvious by now. Keep it somewhere safe and ensure that you’ll remember it if you ever happen to need it.
Even if you can’t get into your password manager, it won’t be the end of the world. Humans are fallible and forgetful, and so we have password reset options. Just make sure you have access to whatever you’ll be getting those reset codes and links on if your phone is gone. If the reset code comes via a text, for example, that’s not very helpful.
That brings us to the second security measure that you really should do, but could make things difficult if you lose your phone: multifactor authentication. If you do this through texts (a strategy you might want to rethink) or an authenticator app, you risk losing access to your accounts if you lose your phone. Getting that access back may be difficult, if not impossible.
If that’s why you’ve been avoiding using multifactor authentication in the first place, it shouldn’t be. There are easy ways to get authentication codes even if you lose your phone. The trick is to make sure you’ve set that up. Instructions to do so for Authy, for example, are here. Google Authenticator finally made this option available in April. If your authenticator app has a master password, save it somewhere safe that isn’t your phone, just like you should for your password manager’s password.
If you’re one of the many people who rely on text-based authentication, you can always connect a second device, like a tablet, to your messaging app so you’re still getting texts even if you don’t have your phone. Just remember that’ll mean all of your texts, not just the authentication code ones, will go to that device, too.
Finally, when you set up multifactor authentication on accounts, you should also get recovery codes that will let you back into your account even if you can’t access your authentication method. Here’s how to get them for your Instagram account, for example. But you have to print those out or write them down and keep them somewhere safe — again, that place is not your phone. You could even take screenshots and put those on another device. There’s a bit of a debate within the security community on whether you should be storing master passwords and recovery codes on other devices or offline, but the general consensus seems to be: use the method that works best for you and is relatively secure.
This is the last step in a process that some people already think has too many steps, but I assure you that, for most people, it’s not that hard and you’ll be very glad you did it if the need ever arises … or very sorry that you didn’t.
Put a second layer of protection on your apps
While we’re on the topic of your phone getting lost or stolen, this might be a good time to make sure that someone else still can’t get the keys to your life even if they get into your phone — which is a possibility even if you’ve locked it with something like Face ID.
Many apps give you the option to add an app-specific lock. When you think about all of the really important things that can be accessed through your phone and the consequences if they fell into the wrong hands — bank accounts, payment apps, password managers, and authentication apps, to name a few — you may find that’s very much worth the few extra seconds it takes to unlock the apps when you need them.
If you use Face ID, it really couldn’t be easier. A passcode takes a little longer, and if you go that route, just make sure the code isn’t the same as what you use to unlock your phone, and isn’t something that can be easily guessed. Setting this up is easy (here’s the instructions for Venmo, for example), and most apps that have the really important stuff, like financial data or access, offer it.
Finally, once you’ve got all of these measures in place, take a little bit of time to make sure you know what you have, where, and how to use it. When you first realize your phone is lost, broken, or stolen, panic might make you forget all the things you set up to protect and prepare yourself. The tool I ultimately used to find my phone was right there the whole time, but it took half an hour before I remembered it was an option. Part of the reason why is that I hadn’t used the “Find My” app on my computer in years.
Hopefully, you’ll never need to actually use any of these things, although the chances that you’ll lose access to your phone at some point — even if it’s just lost in your home for half an hour — are pretty good. If you’ve done the work to prepare for the worst, you’ll be in a much better place if it ever happens.
Update, November 17, 5:45 pm ET: This story has added a mention of LastPass’s security breaches.
