https://help.salesforce.com/s/articleView?id=sf.mfa_recovery_core.htm&type=5
1) User's Verification Method Is Lost or Stolen
Use these access recovery steps if a user registered a verification method but it isn't working when they try to log in. These steps also apply if a user needs to register a method because they have a new mobile device, security key, or computer with a built-in authentication service.
- Issue the user a temporary verification code so they can log in while you resolve their issue. See Generate a Temporary Identity Verification Code.
- Disconnect the user's existing verification method. See Disconnect a User’s Verification Method.
- Help the user re-register their verification method or set up a new method. See Register Verification Methods for Multi-Factor Authentication.
- Expire the user's temporary verification code when it's no longer needed. See Expire a Temporary Verification Code.
2) User Forgot Their Verification Method
- Issue the user a temporary verification code so they can log in and do their work for the day. See Generate a Temporary Identity Verification Code.
- Expire the user's temporary verification code when it's no longer needed. See Expire a Temporary Verification Code.
***
From: https://help.salesforce.com/s/articleView?id=000380378&type=1 (Salesforce Authenticator Troubleshooting)
3) New phone, lost phone, or new installation of Salesforce Authenticator:
If you previously backed up your connected accounts, you can restore your configuration. See Restore Connected Accounts in the Salesforce Authenticator Mobile App to learn how.
- If necessary, remove the account from Salesforce Authenticator, re-configure Salesforce Authenticator, and then (optionally) turn on backup. Information to configure Salesforce Authenticator to your mobile device is available in Connect your Salesforce Account to Salesforce Authenticator.
- If your phone is lost or stolen or have a new phone where the previous phone is not available, please follow the steps in the Immediate Assistance section. Your Salesforce Administrator can remove the connection from the inaccessible phone. Please contact Salesforce Support if the Salesforce Administrator is not able to assist.
Note: Authenticators are not paired with phone numbers, but devices. When a device is changed, the new authenticator/device doesn't know about any connections, so you are presented with a two-word phrase to set up a new connection. Since there is already a connection within Salesforce (remember that the old phone or device still has a connection with us), we ask for that connection. We request a two-word phrase when there is no connection and that is why the Salesforce Admin should remove the old connection.
On the reverse scenario, when Salesforce is asking for a two-word phrase, there is some connection on the Authenticator to an old account, a sandbox account, or a different account. The account being signed in to does have not the Authenticator connection. The connection needs to be added.
See
Remove an Account from Salesforce Authenticator
Connect your Salesforce Account to Salesforce Authenticator
Back Up Your Connected Accounts in the Salesforce Authenticator Mobile App for more information.
Restore Connected Accounts in the Salesforce Authenticator Mobile AppUse Salesforce Authenticator with Your Other Accounts
Get help with Salesforce Authenticator.
See also: How to Use Salesforce Authenticator for MFA LoginsWatch the video, Set Up a Two-Factor Authentication Requirement for Your Org.