I’m a very strong believer in using two-factor authentication for important online accounts. For example, I rely heavily on Gmail and I have it protected using Google’s two-factor authentication option. Even if a hacker somehow got my password, they still wouldn’t be able to get in.
Two-factor authentication (often referred to as multi-factor authentication, 2FA, or MFA) adds the requirement of “something you have” to “something you know” in order to log in to an online service.
You’re already familiar with something you know: that’s a password. Something you have might be a mobile phone capable of receiving a text message, an authenticator application running on a mobile device, a dedicated key fob, or even a specialized USB device. Two-factor authentication simply means that you provide not only a password, but you must also prove that you have the second factor in your possession. If you don’t, you can’t log in even if you know the password.
Neither can hackers – and that’s the point.
Failing to prepare for loss of that second factor, however, is an easily overlooked, yet easily avoidable risk of two-factor authentication. The risk? Losing access to that important account … forever.
The scenario: losing “something you have”
It’s one of the first questions to come up whenever I talk about two-factor authentication: What happens if I lose whatever the second factor is? In other words, how do I get into my account if I don’t have the “something you have” component?
It’s a very, very valid concern.
In my case, for example, I have several accounts that require that I have my mobile phone in order to log in. I can’t tell you the number of times I’ve attempted to log in to LastPass on my laptop in my family room (where I have LastPass set at its most secure), only to be forced to get up and go back to my office and get my phone.
What if? What if I didn’t have my phone? What if I were traveling, and I lost my phone?
This scenario is something that two-factor authentication designers realized would be an issue from the beginning. The result? Recovery codes.
Two-factor authentication recovery codes
When you initially set up two-factor authentication, you’re also provided with recovery information. Its form varies from service to service, but it typically includes:
- Recovery codes: complex codes you can use to log in without the second factor present.
- One-time passwords: one or more passwords that you can use exactly one time each to log in without the second factor present.
Once logged in successfully, the idea is that you would then re-establish two-factor authentication with a new, replacement device, or turn it off completely until you can.
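As an added illustration, not part of the original article, here is a small Python model of what the service does on its side so that a recovery code works without the second factor yet can be used “exactly one time”: codes are generated from a cryptographically secure random source, only salted hashes are stored, and a hash is discarded the moment its code is accepted. The class and function names are my own.

```python
import hashlib
import hmac
import secrets

CODE_BYTES = 10  # 80 bits of randomness per code (a constructed choice for this example)


def generate_recovery_codes(count: int = 8) -> list[str]:
    """Return `count` random codes formatted as xxxxx-xxxxx-xxxxx-xxxxx for printing."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)  # 20 lowercase hex characters
        codes.append("-".join(raw[i:i + 5] for i in range(0, 20, 5)))
    return codes


def _hash_code(code: str, salt: bytes) -> bytes:
    # Normalise what the user types (case, separators, stray spaces) so a code
    # copied from a printout still matches. SHA-256 keeps this dependency-free;
    # a deliberately slow hash would be the better choice in a real service.
    normalised = code.replace("-", "").replace(" ", "").strip().lower().encode()
    return hashlib.sha256(salt + normalised).digest()


class RecoveryCodeStore:
    """Server-side record for one account: keeps salted hashes only, never the codes."""

    def __init__(self, codes: list[str]) -> None:
        self.salt = secrets.token_bytes(16)  # per-account salt
        self._hashes = {_hash_code(c, self.salt) for c in codes}

    def redeem(self, code: str) -> bool:
        """Accept `code` if it is one of the unused codes, then invalidate it."""
        candidate = _hash_code(code, self.salt)
        matched = None
        for stored in self._hashes:
            # Constant-time comparison avoids leaking how many bytes matched.
            if hmac.compare_digest(stored, candidate):
                matched = stored
                break
        if matched is None:
            return False
        self._hashes.remove(matched)  # one-time: a second attempt with the same code fails
        return True

    def remaining(self) -> int:
        """How many unused codes the account still has (useful for warning the user)."""
        return len(self._hashes)
```

Once `remaining()` reaches zero the account has no fallback left, which is exactly the moment a service should prompt the user to generate a fresh set.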
But … wait … log in without the second factor? Doesn’t that negate the security offered by two-factor authentication?
Not at all.
Keeping two-factor authentication recovery codes secure
Remember, you only need recovery codes if you lose your second factor. The rest of the time, they’re completely unnecessary.
I have yet to need one of my recovery codes.
The issue, of course, is that these recovery codes are like a magic key to get into your account. If anyone besides you could get them, they could get into your account and cause all sorts of havoc.
That’s why it’s critical to keep them secure.
- Print the recovery codes out and keep those print-outs in a safe location, such as a personal safe or safety deposit box.
- Save them digitally to a known and extremely secure location.
- Save them digitally, encrypting the file(s) with tools like AxCrypt, 7-zip, BoxCryptor or others, and then back them up appropriately.
Needless to say, it’s the last one that I do. They’re encrypted and backed up in such a way that I should be able to recover them no matter where I am – even when traveling.[1]
But as it turns out, that’s not even the biggest issue.
Keeping two-factor authentication recovery codes … at all!
Unfortunately, too many people apparently fail to save the recovery codes at all. Or they forget where the codes are kept.
You can probably guess what happens when they lose their second factor: they lose their account. Completely, permanently, and without recourse.
Now, to be fair, I have to add that permanent loss is only a risk “in many cases”. There may be alternative authentication mechanisms that banks and other institutions employ to confirm you are who you say you are. I suspect, and even hope, that they’re quite a hassle (if they were easy, hackers could employ them). But when it comes to that free email account? Lost and gone forever.
People forget their passwords all the time. I’ve done it myself.[2] The typical admonition is simple: don’t do that. Remember your passwords!
When you add a second authentication factor, the advice is, so to speak, doubled: don’t lose the recovery codes. Keep them secure, and remember where you kept ’em.
Do that, and you’ll have all the security of two-factor authentication, without inadvertently locking yourself out should you lose your phone, fob, USB device, or other second factor.