You shouldn’t have a problem if you lose your second factor — if you prepare.
I recently ran into this post from another tech journalist, Bob Sullivan: When my smartphone was stolen, Instagram (and 2FA) was the worst part — or, why you won’t see pics of my dog’s costume this Halloween. Ultimately, it’s an indictment of Instagram’s lack of customer support, but the issues run deeper.
My take? Had there been just a little additional preparation, even with crappy support this didn’t have to happen.
If you've lost your second factor
Nearly every two-factor implementation has a backup technique for regaining access to your account should you lose your second factor, but those techniques only work if they were set up beforehand. Specifically, for Google-Authenticator-compatible two-factor, there are two things you can do to protect yourself from loss: save a copy of the QR code (or the text key behind it) when you enroll, or use a compatible authentication app like Authy that backs up and synchronizes your tokens.
This isn’t about the journalist
I’m not dissing the journalist. He did everything right. He could have done more or made different choices — which I’ll outline below — but he followed instructions and standard procedures.
However, “stuff” happens. It could just as easily happen to me someday.
The trick is to examine what happened and what might have been done differently to avoid the situation. I want to use his experience as a springboard for steps we can all consider taking to stack the deck in our favor should we ever find ourselves in a similar situation.
… I didn’t really lose anything. Except my sanity as I tried to log back into sites where I had employed Google Authenticator. You see, there is no way to restore that.
Pragmatically, though, he’s wrong.
There are at least two ways to protect yourself from that loss when you set up two-factor authentication.
Low tech: the screenshot
When you associate Google Authenticator with your account, you’re presented with a QR code you scan with the Google Authenticator app on your smartphone.
Take a screenshot of that QR code before you scan it, like I did above. Now save that image in a safe place. Keep in mind that the QR code is the secret key itself: anyone who has the image can generate your codes, so it belongs somewhere encrypted, not in your camera roll or an automatically synced photo library. (I like to save the QR code in my password manager’s secure notes.)
If you ever lose the device with your Google Authenticator, all you need to do is replace the device, install Google Authenticator, and scan the saved QR code. Done. You have your second factor again.
If saving the image is something you can’t or don’t want to do, the same key is usually offered as text. In the image above, if I click on “Can’t scan it?” I’m taken to a page with the key in text form:
Save that key somewhere secure. Once again, should you lose your device, you can use that key to re-establish the exact two-factor authentication you had to begin with.
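To make concrete why the saved QR code (or the text key behind “Can’t scan it?”) is enough to rebuild your second factor, and why it has to be guarded like a password, here is an added Python example. It is not code from the original article or from Google; it parses the otpauth:// URI that such a QR code encodes and regenerates the same time-based codes from either the URI or the bare text key. The secret is the published RFC 6238 test key, used here as constructed sample data; the “Example” issuer and the alice@example.com label are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: what a Google-Authenticator-style QR code actually encodes.
# The secret is the RFC 6238 test key ("12345678901234567890" in base32), not a
# real account's key; the issuer and label are made up for this example.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example%3Aalice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
    "&algorithm=SHA1&digits=6&period=30"
)

# The same secret as the "Can't scan it?" page would show it: lowercase,
# in groups of four. Constructed to match SAMPLE_OTPAUTH_URI.
SAMPLE_TEXT_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def _b32decode_loose(text):
    """Decode a base32 secret as sites display it: any case, spaces, no padding."""
    key = text.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)  # restore the '=' padding sites usually drop
    return base64.b32decode(key)


def parse_otpauth_uri(uri):
    """Extract the enrolment parameters hidden in a TOTP QR code.

    Everything except the secret is public information; the secret alone is
    what lets a device (yours or a thief's) produce valid codes.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": _b32decode_loose(params["secret"]),
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def totp(secret, timestamp=None, algorithm="sha1", digits=6, period=30):
    """RFC 6238 TOTP: HMAC(secret, time-step counter) with dynamic truncation."""
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_uri(uri, timestamp=None):
    """What the authenticator app computes after scanning the QR code."""
    p = parse_otpauth_uri(uri)
    return totp(p["secret"], timestamp, p["algorithm"], p["digits"], p["period"])


def code_from_text_key(text_key, timestamp=None):
    """What a replacement device computes after typing in the saved text key."""
    return totp(_b32decode_loose(text_key), timestamp)


if __name__ == "__main__":
    now = time.time()
    # Both paths yield the same code: the saved key IS the second factor.
    print("from QR URI: ", code_from_uri(SAMPLE_OTPAUTH_URI, now))
    print("from text key:", code_from_text_key(SAMPLE_TEXT_KEY, now))
```

Because the QR image and the text key decode to the same bytes, restoring from either on a new phone gives codes identical to the original device, which is exactly why the copy must live somewhere encrypted rather than in a photo library that syncs to the cloud.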
I used to do this.[1] Now I do something else entirely.
I use Authy instead. Authy is compatible with Google Authenticator.
There are two features that make it preferable to Google Authenticator:
- If you set a “backup password”, Authy encrypts the secrets behind your two-factor codes with a key derived from that password and backs them up to its cloud. Authy cannot reset that password for you, so treat it like a password-manager master password: lose it and the backup is useless.
- You can then install Authy on multiple devices, and it will synchronize your two-factor codes across them all. Once your devices are enrolled, turn the multi-device option off so that nobody else can add one.
For example, when I’m asked for a two-factor code, I have a choice: I can reach into my pocket and run Authy on my smartphone, or I can fire up the Authy app in Windows. Each has the codes I need to sign in.
So if I lose my phone, the recovery process is simple:
- Replace phone.
- Install Authy.
- Sign in to Authy with your phone number and enter your backup password to decrypt your tokens.
Good to go.
In addition, if you have Authy installed on another device, you can use that device to get your two-factor codes while you’re waiting for your replacement phone.
So every site which required an Authenticator code now required an alternative sign-in process.
This is the standard safety net for losing your second factor, and nearly every service has one. It’s typically the equivalent of the “lost password” approach to account recovery: you’ll be prompted for some of the alternative information associated with your account, like an alternate email address or phone number, to prove you should have access to the account. In a sense, these methods become a kind of backup second factor for the recovery process, which also means they need to be at least as well protected as the account itself.
And it normally works, as long as you have those recovery methods set up ahead of time, and have kept them up to date.
This process actually worked for our journalist … until he encountered roadblocks with his Instagram account.
Customer service: worth every penny you pay
when security isn’t accompanied by customer service, it’s a failure.
100%. No argument.
When Sullivan found himself in need of assistance to recover one of his accounts, Instagram’s customer service failed big time.
But (and many won’t like this) this is what you should expect from a free service.
I regularly tell people that there is no support for free services. You are on your own and should behave accordingly. That may mean using the service differently or taking special care to ensure that login procedures work and are up to date. It definitely means making sure that alternate contact methods are always kept up to date.
You run the risk of losing your account forever if you do not.
Case in point.
Either of the two alternatives I’ve mentioned — a screenshot of the QR code or using Authy — would have avoided the problem Sullivan ran into. If you’re using Google-Authenticator-compatible two-factor authentication — which I highly recommend and use myself wherever I can — consider doing one or the other.
You can even do both, as I sometimes do for extra-important accounts or accounts of others I’m assisting.
Footnotes & References
1: I still do it for clients. I tend to keep the images or the keys in the secure notes section of my password manager.