Losing access to your two-factor authenticator — whether your phone, authenticator app, or hardware security key — is stressful. This guide explains every available recovery route and how to secure your account once you are back in.
Step 1 — Try your backup recovery codes first
When you first set up two-factor authentication, you were given a set of one-time backup recovery codes. Each code works once and is used in place of the authenticator code on the sign-in screen. If you stored these (in a password manager, encrypted document, or printed copy in a secure place), use one now:
- Go to clients.credicorp.co.uk/login and enter your email and password.
- When prompted for your two-factor code, look for a link that says Use a recovery code or Other options.
- Enter one of your backup codes. Each code is single-use — once entered, it cannot be used again.
- Once in, immediately go to Settings → Security and set up a new authenticator on your new device. Generate a fresh set of recovery codes and store them safely.
Step 2 — Try an alternative sign-in method
If you have a passkey enrolled on a different device (for example, a passkey on your laptop when your phone is lost), you may be able to sign in that way instead of using the authenticator. Check whether you set up a passkey on any other device or in a password manager.
Step 3 — Use an SMS fallback (if enabled)
If your account is configured to send a one-time code by text message as a fallback, and you still have access to the registered mobile number, you can request a code by SMS from the two-factor prompt. This only works if the number has not changed and you have the SIM card.
Step 4 — Contact our support team for identity-verified recovery
If none of the above options are available — your backup codes are lost, you have no other passkey, and you cannot receive an SMS — you will need to go through our identity-verified account recovery process. This exists specifically for this situation.
- Use the Account access enquiry form to submit a recovery request. Do not attempt to create a new account.
- Our team will initiate a verification call to the mobile number registered on your account. We will ask you to confirm a series of details that only you should know about your company and account.
- Once your identity is confirmed, we will temporarily disable two-factor authentication on your account and send a reset link to the email address registered to your account.
- Follow the reset link to sign in, then immediately set up a new authenticator and a fresh set of recovery codes before using the account for anything else.
Identity-verified recovery involves a human review. We cannot bypass this step for speed — it is what protects your account from an attacker also claiming to have lost their authenticator. The process typically completes within one business day once we have spoken to you. If your business has an urgent payment or account action, tell us and we will prioritise.
What to do after you recover access
Once you are signed in again, do all of the following:
- Set up 2FA on your new device — go to Settings → Security and enrol a new authenticator app.
- Generate new recovery codes — your old codes should be considered expired. Generate a new set and store them in your password manager or a secure offline location.
- Remove the old authenticator — if the old device is gone, remove it from your security settings. This stops the old authenticator being usable even if it is recovered by someone else.
- Enrol a second recovery route — register a passkey on a second device, or store recovery codes in two separate secure locations, so losing one device never leaves you without a recovery route again.
- Review recent account activity — check your transaction history and account access log for any activity that should not be there. If you see anything suspicious, contact us immediately.
How to avoid this situation in future
The most effective preventive measures are:
- Store recovery codes in a password manager (1Password, Bitwarden, iCloud Keychain) rather than relying on memory or a note you might lose.
- Register a passkey as a second sign-in route — see setting up a passkey for your Credicorp account.
- Use an authenticator app that backs up to the cloud — apps that sync to iCloud or Google account will survive a lost or broken phone, as long as you can restore onto a new device.
- Print one copy of your recovery codes and keep it somewhere physically secure (a locked filing cabinet, a safe), separate from the device itself.
See also: How do I set up two-factor authentication?, Setting up a passkey for your Credicorp account, I cannot sign in to my account.