Do not begin by buying a replacement. Begin by deciding which authority may still be alive on the missing device.
Phase 1 — contain the old authority
- Mark the device lost in the asset and incident records with time, owner and last known state.
- Use device-management controls to lock or wipe it where available; preserve the command evidence.
- Revoke active sessions, application tokens, browser sessions and device-bound credentials.
- Suspend high-consequence approvals that relied on the device until they are re-established.
- Notify physical security or travel operators if location data creates a safety consequence.
A password reset alone is inadequate. Messaging apps, cloud sessions, password managers, signing applications and trusted-device status may survive independently.
Phase 2 — establish the claimant
Verify the person through a pre-agreed channel that does not depend on the lost device or facts stored on it. Use two people for a principal, finance authority or administrator. Record who observed the verification and what evidence was used.
Do not let urgency lower the standard. A real principal in distress and an impersonator applying pressure can sound identical.
Phase 3 — issue a clean device
- Use known inventory or a device sourced through an approved route.
- Apply the current security baseline before adding personal data.
- Restore only required applications and data; do not clone every unknown state.
- Re-enrol strong authentication from a controlled workstation or recovery station.
- Create new recovery codes and invalidate the old set.
Phase 4 — rebuild authority in rings
Restore communication first, information access second and transaction authority last. For 24 to 72 hours, require secondary confirmation for money movement, credential changes, new payees, legal instructions and sensitive exports.
This ring model limits the blast radius if the recovery itself was manipulated.
Phase 5 — reconcile
- Compare accounts and messages for activity between loss and revocation.
- Confirm that the old device no longer appears as trusted.
- Review new rules, forwarding, delegates and recovery contacts.
- Close the incident only when each critical service has evidence of revocation and replacement.
Recovery card
Maintain a sealed one-page card listing the device owner, critical services, emergency revocation routes, independent verification contacts, recovery station and post-recovery restrictions. It should be usable when the owner cannot receive a message.
