Recent Articles
Optimizing Workflow with Custom Apps in FileMaker
Help! My Account Has Been Hacked—What Should I Do?
Use iOS 17.3’s Stolen Device Protection to Reduce Harm from iPhone Passcode Thefts
You Can Now Have Zoom Meetings on an Apple TV
Cranston IT adds SentinelOne and Huntress Cybersecurity Tools
Concerned by the Privacy or Results of Google Search? Try These Other Search Engines
Improve Your Digital Security in 2024 with These New Year’s Resolutions
Four Solutions to Gotchas in macOS 14 Sonoma
Nine Ways of Moving Data from One Mac to Another
No, NameDrop in iOS 17 Isn’t a Privacy Concern. Here’s How to Use It
How Apple Products Transform IT Efficiency in Facilities
New M3 Chip Family Powers Updated MacBook Pros and 24-inch iMac
Use iOS 17's Check In Feature to Reduce Worry
Want to Password-Protect a PDF? Follow These Best Practices
Cisco's Success With Apple In The Enterprise Is No Surprise
What Goes into Being an Apple Certified Support Professional
Is Your Mac Running Low on Disk Space? Here's How to Delete Unnecessary Files
Tired of Nonstop Cookie Popups? Dismiss Them Automatically with These Extensions
Networking Gear Does Wear Out—Suspect It in Internet Slowdowns and Dropouts
Understanding Apple in the Enterprise According to Survey Results
Things You Need to Know Before Moving to a New iPhone
What Should You Do about an Authentication Code You DIDN'T Request?
Protect Your Tech from Storms
Why Hiring a Mac Consultant in Pittsburgh is Your Key to Success
Web Workers of the World, Give Arc a Try
Legitimately Worried That You're Being Targeted Online? Try Lockdown Mode
"Juice Jacking" Returns to the News but Still Hasn't Happened
Why Outsourcing IT Services Makes Sense: Cost Savings and Expertise
Meet Tori Woods
Learn to Identify and Eliminate Phishing Notifications
Improve Privacy by Removing Metadata from Office Documents and PDFs
What to Look for in Small Business IT Consulting
What to Do If You’re a Mac User Who Needs Some Windows Software
Apple Starts Releasing Rapid Security Responses for the iPhone, iPad, and Mac
Apple Unveils Vision Pro "Spatial Computer"
Managing Cyber Risk: Essential Cybersecurity and Cyber Insurance Insights
Sidestep MacBook Optimized Battery Charging When Necessary
CranstonIT’s New Self Service
How Often Should Macs Be Replaced?
What to Do If Your iPhone Takes a Plunge
Integrate Your Cloud Storage Service into the Finder
Is Your Wi-Fi Network a Security Risk?
A Practical Guide to Identifying Phishing Emails
Hyland Software – Streamlined Apple Deployment in Enterprise
September 16, 2023

What Should You Do about an Authentication Code You DIDN'T Request?

We strongly encourage using two-factor authentication (2FA) or two-step verification (2SV) with online accounts whenever possible. The details vary slightly, but with either one, after you enter your password, you must enter an authentication code to complete the login. Although it's always best to get such codes from an authentication app like 1Password (which enters codes for you), Authy, or Google Authenticator, many websites still send codes by the less secure SMS text message or email. They're better than nothing.

But what if you receive a 2FA code that you didn't request?

  1. Don't panic. Although receiving the code means that someone is trying to log in to your account and has your password, the extra authentication step has done its job and protected your account from being compromised.
  2. Never share an authentication code with anyone! A hacker could attempt to break into your account, be foiled by two-factor authentication, and then email or text you with a trumped-up story about why you should send them the code. Authentication codes are short-lived, so if this is going to happen, it will happen right away.
  3. Independently from the message with the code, go to the account website, log in, and change the password. As always, make sure the password is strong, unique, and stored in your password manager. If the account used an old password that was shared with other accounts, change passwords on those accounts as well.

There are a handful of scenarios that could generate such an authentication code:

  • Stolen credentials: The most likely scenario, which the advice above addresses, is when your email address and password have been stolen, probably in a significant site breach. You can check the Have I Been Pwned site to see if your account is floating around on the “dark Web.” Password managers often perform similar checks. Changing the password on any breached sites is essential.
  • Identity theft: You started receiving authentication codes from TikTok, but you don't remember creating a TikTok account. Someone might be trying to create an account to impersonate you but cannot complete the account creation without the authentication code. There isn't much you can do to stop such attempts, although if an account has been created, you should be able to change the password (since it's using your email address or phone number), log in, and either just let the account sit in your password manager or try to delete it.
  • Accidental or random triggering: If you have a common email address or phone number, someone could have accidentally entered your address or number instead of theirs while trying to create an account. It's easy to type marsha32@example.com instead of marsha23@example.com or mistake the Boston 617 area code for the upstate New York 607 area code. If you're sure you don't have an account at the site in question and you only get one authentication code, you can probably ignore it.

Regardless of the cause, don't ignore 2FA codes you didn't request for sites where you have an account. It's not hard to change a password, particularly if you use a password manager, and the extra piece of mind is worth the few minutes of work.