Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

A Lost-Second-Factor Tale of Woe and How to Avoid Your Own

You shouldn’t have a problem if you lose your second factor — if you prepare.

A tech journalist lost his phone and encountered issues recovering a two-factor-protected account. We can all learn from his experience.
Authy. Part of the solution. (Screenshot: askleo.com)
Authy. Part of the solution. (Screenshot: askleo.com)

I recently ran into this post from another tech journalist, Bob Sullivan: When my smartphone was stolen, Instagram (and 2FA) was the worst part — or, why you won’t see pics of my dog’s costume this Halloween. Ultimately, it’s an indictment of Instagram’s lack of customer support, but the issues run deeper.

My take? Had there been just a little additional preparation, even with crappy support this didn’t have to happen.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

If you've lost your second factor

All two-factor implementations have backup techniques for regaining access to your account should you lose your second factor. It’s important that those be set up beforehand. Specifically, for Google-Authenticator-compatible two-factor, there are two steps you can take to further secure yourself from loss: screenshotting the QR code or using a compatible authentication app like Authy instead.

This isn’t about the journalist

I’m not dissing the journalist. He did everything right. He could have done more or made different choices — which I’ll outline below — but he followed instructions and standard procedures.

However, “stuff” happens. I’m sure someday it might happen to me as well.

The trick is to examine what happened and what might have been done differently to avoid the situation. I want to use his experience as a springboard for steps we can all consider taking to stack the deck in our favor should we ever find ourselves in a similar situation.

Google Authenticator

… I didn’t really lose anything. Except my sanity as I tried to log back into sites where I had employed Google Authenticator. You see, there is no way to restore that.

That right there is the root of the problem. Technically, he’s absolutely right. Google Authenticator installs on one device. Lose that device, and you lose your authenticator.

Pragmatically, though, he’s wrong.

There are at least two ways to protect yourself from that loss when you set up two-factor authentication.

Low tech: the screen shot

When you associate Google Authenticator with your account, you’re presented with a QR code you scan with the Google Authenticator app on your smartphone.

Google Authenticator QR Code.
Google Authenticator QR code. (Screenshot: askleo.com)

Take a screenshot of that QR code before you scan it, like I did above. Now save that image in a safe place. (I like to save the QR code in my password manager’s secure notes.)

If you ever lose the device with your Google Authenticator, all you need to do is replace the device, install Google Authenticator, and scan the saved QR code. Done. You have your second factor again.

If saving the image is something you can’t or don’t want to do, there’s often a text key equivalent. In the image above, if I click on “Can’t scan it?” I’m taken to a page with the key in text form:

Text based key alternative to QR-code.
Text-based key alternative to the QR code. (Screenshot: askleo.com)

Save that key somewhere secure. Once again, should you lose your device, you can use that key to re-establish the exact two-factor authentication you had to begin with.

I used to do this.1 Now I do something else entirely.

Authy

I use Authy instead. Authy is compatible with Google Authenticator.

Windows Desktop version of Authy.
Windows desktop version of Authy. (Screenshot: askleo.com)

There are two features that make it preferable to Google Authenticator:

  1. If you apply a “backup password” feature, it encrypts all your two-factor codes and backs them up to the cloud.
  2. You can then install Authy on multiple devices, and it will synchronize your two-factor codes across them all.

For example, when I’m asked for a two-factor code, I have a choice: I can reach into my pocket and run Authy on my smartphone, or I can fire up the Authy app in Windows. Each has the codes I need to sign in.

So if I lose my phone, the recovery process is simple:

  • Replace phone.
  • Install Authy.
  • Sign in to Authy.

Good to go.

In addition, if you have Authy installed on another device, you can use that device to get your two-factor codes while you’re waiting for your replacement phone.

Recovery mode

So every site which required an Authenticator code now required an alternative sign-in process.

This is the standard safety net for losing your second factor. All services have this. It’s typically the equivalent of the “lost password” approach to account recovery. You’ll typically be prompted for some of the alternative information associated with your account, like an alternate email address or phone number, to prove you should have access to the account. In a sense, these methods become a kind of backup second factor for the recovery process.

And it normally works, as long as you have those recovery methods set up ahead of time, and have kept them up to date.

This process actually worked for our journalist … until he encountered roadblocks with his Instagram account.

Customer service: worth every penny you pay

when security isn’t accompanied by customer service, it’s a failure.

100%. No argument.

When Sullivan found himself in need of assistance to recover one of his accounts, Instagram’s customer service failed big time.

But (and many won’t like this) this is what you should expect from a free service.

I regularly tell people that there is no support for free services. You are on your own and should behave accordingly. That may mean using the service differently or taking special care to ensure that login procedures work and are up to date. It definitely means making sure that alternate contact methods are always kept up to date.

You run the risk of losing your account forever if you do not.

Case in point.

Do this

Either of the two alternatives I’ve mentioned —  a screenshot of the QR code or using Authy — would have avoided the problem Sullivan ran into. If you’re using Google-Authenticator-compatible two-factor authentication — which I highly recommend and use myself wherever I can — consider doing one or the other.

You can even do both, as I sometimes do for extra-important accounts or accounts of others I’m assisting.

I talk about practical security and safety nets like this in my weekly newsletter.  Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio

Play

Footnotes & References

1: I still do it for clients. I tend to keep the images or the keys in the secure notes section of my password manager.

14 comments on “A Lost-Second-Factor Tale of Woe and How to Avoid Your Own”

  1. I assume the Microsoft Authenticator app works the same way as Google Authenticator.
    A couple of years ago, I obtained some Yubikeys and use them as my second factor for accounts that accept them. Yubico has their own authenticator app that can be used on sites that the key cannot be used. There is a desktop and Android version available. I also have the codes that were used with the Yubico Authenticator saved and stored in a file to simplify adding or replacing keys.
    Password managers, such as Bitwarden, have the capacity to act as authenticators also.
    Bottom line is that after reading about situations described in the article, I’ve made sure I have more than one way to get into or recover an account and periodically check that they all work or are up to date. So far, I’ve not had a problem but I’m comfortable knowing it would be a minor inconvenience if one arises.

    Reply
  2. On my Amazon Fire HD 10+, at least, the screenshotting of Google Authenticator’s QR Code is disabled. But I’ll certainly look into the “text key” bit!

    Reply
  3. Hi Leo and thanks for the article.

    Re screen shot of the Google Authenticator QR code.

    If you have already set up Google Authenticator, is there still a way to see the original QR code again, to screen shot it, or do you have to start from scratch and set it up afresh with a new QR code?

    Reply
  4. I have iCloud on my PC. About once a month it requires me to go through the whole login-authentication process. My iPad is my one and only Apple device, so the authentication takes place on that. I’ve often wondered how I would do the authentication if I don’t have access to my iPad.

    Reply
  5. Hi Leo,
    What alternatives do you suggest when traveling outside the US and using a sim card for another country, as the phone will have a different phone number?

    Reply
    • I travel between the US and Germany regularly. I have a phone with a dual SIM slot. I get my verification texts in either country at no cost. If your carrier charges to receive texts in another country, it would only be a few cents.

      If you have an older GSM (SIM card) phone, you can use that for verification, or you can get a cheap, non-smart phone for about $20. Before I had my dual SIM phone, I’d travel with two phones.

      Reply
    • Check with your provider. Mine (Verizon) has a plan where my phone just worked normally as I travelled to the Netherlands. If that’s not an option, then do what you can to AVOID SMS based 2-factor, and use Google Authenticator compatible instead. It doesn’t rely on phone networks.

      Reply
  6. @Phillip Hartney (November 29, 2022 at 8:14 pm) (Clicking reply underneath his comment doesn’t do squat)

    There is a way:
    – Open Authenticator
    – Tap on the More menu (the three vertical dots)
    – Tap on Transfer accounts
    – Tap on Export accounts
    – Take a picture of the first QR code
    – Tap on Next
    – Take a picture of the second QR code
    – Tap Done

    Then if you ever need to transfer your accounts to another device you use the Import feature. Of course, you better do the export every time you add an account.

    Worked for me. And thanks for the great tip, Leo! :-)

    Reply
  7. Hi Leo,
    We have known each other for a long time,our computers, that is,and I picked up some stuff over the years,that help me understand much about about computers,and as my friends and relative,became computerized,in the old country ,a little later,it made it easier and inexpensive to get and keep in touch.
    So Leo, if you get into the next stage,and figure out the releportaging part,I volunteer to be your
    test subject.
    Cheers
    Joe

    Reply
  8. Hi Leo,
    I’ve been reading about 2FA for a while now. However, everything I read seems to point towards smart phones. Does any of it pertain to a computer. I don’t own a smartphone (long story). I have my computers, laptops and an android tablet (the store I bought it from unlocked it so I can’t even do updates with it) so it’s pretty much worthless. Do you have any previous posts concerning 2FA for computers??

    Thank you in advance.

    Reply
    • There are several forms of 2FA that apply to computers if you have no smartphone.

      • Alternate email addresses
      • Landline
      • Security keys like YubiKey
      • Other-device confirmation (i.e. a notice pops up on another machine you’re signed into to authorize the sign-in

      The problem is simply that not all services offer all these alternatives. The only thing you can do is examine the service’s options and see which ones apply to you.

      Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.