Operating Guide: Rebuild Authority After a Lost Device

A lost device is not only missing hardware. It is a contested package of sessions, approvals, identity evidence and recovery routes.

The answer

Do not begin by buying a replacement. Begin by deciding which authority may still be alive on the missing device. - Mark the device lost in the asset and incident records with time, owner and last known state.

Do not begin by buying a replacement. Begin by deciding which authority may still be alive on the missing device.

Phase 1 — contain the old authority

- Mark the device lost in the asset and incident records with time, owner and last known state.

- Use device-management controls to lock or wipe it where available; preserve the command evidence.

- Revoke active sessions, application tokens, browser sessions and device-bound credentials.

- Suspend high-consequence approvals that relied on the device until they are re-established.

- Notify physical security or travel operators if location data creates a safety consequence.

A password reset alone is inadequate. Messaging apps, cloud sessions, password managers, signing applications and trusted-device status may survive independently.

Phase 2 — establish the claimant

Verify the person through a pre-agreed channel that does not depend on the lost device or facts stored on it. Use two people for a principal, finance authority or administrator. Record who observed the verification and what evidence was used.

Do not let urgency lower the standard. A real principal in distress and an impersonator applying pressure can sound identical.

Phase 3 — issue a clean device

- Use known inventory or a device sourced through an approved route.

- Apply the current security baseline before adding personal data.

- Restore only required applications and data; do not clone every unknown state.

- Re-enrol strong authentication from a controlled workstation or recovery station.

- Create new recovery codes and invalidate the old set.

Phase 4 — rebuild authority in rings

Restore communication first, information access second and transaction authority last. For 24 to 72 hours, require secondary confirmation for money movement, credential changes, new payees, legal instructions and sensitive exports.

This ring model limits the blast radius if the recovery itself was manipulated.

Phase 5 — reconcile

- Compare accounts and messages for activity between loss and revocation.

- Confirm that the old device no longer appears as trusted.

- Review new rules, forwarding, delegates and recovery contacts.

- Close the incident only when each critical service has evidence of revocation and replacement.

Recovery card

Maintain a sealed one-page card listing the device owner, critical services, emergency revocation routes, independent verification contacts, recovery station and post-recovery restrictions. It should be usable when the owner cannot receive a message.

Sources

  1. NIST — Authentication and lifecycle managementNIST

    Primary authority

  2. NIST Cybersecurity Framework 2.0NIST Cybersecurity Framework 2.0

    Primary authority

Adam J. De CollibusFounding Partner, Svperior / Systems Engineering

Jonathan P. De Collibus

Jonathan co-founded Svperior in 2014 and leads its cyber practice. His work sits where adversarial pressure, technical architecture, and consequential decisions meet, with experience across clinical, financial, public-sector, and private-client systems where confidentiality, continuity, and technical correctness carry material consequences.

Cyber strategy / Adversarial assessment / Security architecture / Private systems

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry