
The Easily-avoidable Risk of Two-factor Authentication

I’m a very strong believer in using two-factor authentication for important online accounts. For example, I rely heavily on Gmail and I have it protected using Google’s two-factor authentication option. Even if they somehow got my password, a hacker still wouldn’t be able to get in.

Two-factor authentication (often referred to as multi-factor authentication, 2FA, or MFA) adds the requirement of “something you have” to “something you know” in order to log in to an online service.

You’re already familiar with something you know: that’s a password. Something you have might be a mobile phone capable of receiving a text message, an authenticator application running on a mobile device, a dedicated key fob, or even a specialized USB device. Two-factor authentication simply means that you provide not only a password, but you must also prove that you have the second factor in your possession. If you don’t, you can’t log in even if you know the password.

Neither can hackers – and that’s the point.

Failing to prepare for loss of that second factor, however, is an easily overlooked, yet easily avoidable risk of two-factor authentication. The risk? Losing access to that important account … forever.


The scenario: losing “something you have”

It’s one of the first questions to come up whenever I talk about two-factor authentication: What happens if I lose whatever the second factor is? In other words, how do I get into my account if I don’t have the “something you have” component?

It’s a very, very valid concern.

In my case, for example, I have several accounts that require that I have my mobile phone in order to log in. I can’t tell you the number of times I’ve attempted to log in to LastPass on my laptop in my family room (where I have LastPass set at its most secure), only to be forced to get up and go back to my office and get my phone.

What if? What if I didn’t have my phone? What if I were traveling, and I lost my phone?

This scenario is something that two-factor authentication designers realized would be an issue from the beginning. The result? Recovery codes.

Two-factor authentication recovery codes

Two-Factor Authentication Codes

When you initially set up two-factor authentication, you’re also provided with recovery information. The details vary from service to service, but typically include:

  • Recovery codes: complex codes you can use to log in without the second factor present.
  • One-time passwords: one or more passwords that you can use exactly one time each to log in without the second factor present.

Once logged in successfully, the idea is that you would then re-establish two-factor authentication with a new, replacement device, or turn it off completely until you can.
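To make the recovery-code mechanism concrete, here is an added example (not code from Ask Leo! or from any particular provider) of how a service can issue a batch of recovery codes, keep only salted hashes of them, and honor each code exactly once. The code format, count and hashing parameters are my own assumptions, not any vendor's.

```python
import hashlib
import hmac
import os
import secrets

# Assumed format: 10 codes of 10 lowercase base32 characters, shown as xxxxx-xxxxx.
CODE_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"
CODE_LENGTH = 10
CODE_COUNT = 10


def generate_recovery_codes(count=CODE_COUNT):
    """Return `count` random one-time codes; the service shows these to the user once."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def hash_code(code, salt):
    """Normalise what the user typed (case, dashes, spaces) and hash it with PBKDF2."""
    normalized = code.replace("-", "").replace(" ", "").strip().lower()
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 100_000)


class RecoveryCodeStore:
    """Server-side record: holds only salted hashes, never the plaintext codes."""

    def __init__(self, codes):
        self.salt = os.urandom(16)
        self.unused = {hash_code(c, self.salt) for c in codes}

    def redeem(self, code):
        """Accept a code once; a redeemed code is removed so it can never be reused."""
        digest = hash_code(code, self.salt)
        match = next((s for s in self.unused if hmac.compare_digest(s, digest)), None)
        if match is None:
            return False
        self.unused.discard(match)
        return True

    def reissue(self):
        """After 2FA is re-established on a new device, replace the whole batch."""
        fresh = generate_recovery_codes()
        self.salt = os.urandom(16)
        self.unused = {hash_code(c, self.salt) for c in fresh}
        return fresh

    def remaining(self):
        return len(self.unused)
```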

But … wait … log in without the second factor? Doesn’t that negate the security offered by two-factor authentication?

Not at all.

Keeping two-factor authentication recovery codes secure

Remember, you only need recovery codes if you lose your second factor. The rest of the time, they’re completely unnecessary.

I have yet to need one of my recovery codes.

The issue, of course, is that these recovery codes are like a magic key to get into your account. If anyone besides you could get them, they could get into your account and cause all sorts of havoc.

That’s why it’s critical to keep them secure.

Suggestions include:

  • Print the recovery codes out and keep those print-outs in a safe location, such as a personal safe or safety deposit box.
  • Save them digitally to a known and extremely secure location.
  • Save them digitally, encrypting the file(s) with tools like AxCrypt, 7-zip, BoxCryptor or others, and then back them up appropriately.

Needless to say, it’s the last one that I do. They’re encrypted and backed up in such a way that I should be able to recover them no matter where I am – even when traveling¹.

But as it turns out, that’s not even the biggest issue.

Keeping two-factor authentication recovery codes … at all!

Unfortunately, too many people apparently fail to save the recovery codes at all. Or they forget where the codes are kept.

You can probably guess what happens when they lose their second factor: they lose their account. Completely, permanently, and without recourse.

Now, to be fair, I have to add that permanent loss is only a risk “in many cases”. There may be alternative authentication mechanisms that banks and other institutions employ to confirm you are who you say you are. I suspect, and even hope, that they’re quite a hassle (if they were easy, hackers could employ them). But when it comes to that free email account? Lost and gone forever.

People forget their passwords all the time. I’ve done it myself². The typical admonition is simple: don’t do that. Remember your passwords!

When you add a second authentication factor, the advice is, so to speak, doubled: don’t lose the recovery codes. Keep them secure, and remember where you kept ’em.

Do that, and you’ll have all the security of two-factor authentication, without inadvertently locking yourself out should you lose your phone, fob, USB device, or other second factor.

Footnotes & references

1: In theory. In complete honesty, I’ve never had to test this scenario, and I hope I never have to. 🙂

2: Not for any important account, mind you. Typically it happens when I return to an account I’d set up years earlier and forgotten about – clearly not important.

11 comments on “The Easily-avoidable Risk of Two-factor Authentication”

  1. How do I set up 2-factor authentication? You described the problems and possibilities of recovering the lost 2nd factor but don’t tell how to set up the system to begin with.

  2. Recovery codes are good, but the belt and suspenders choice is to use Authy.

    I’ve never worried too much about losing my phone, but resetting it is a huge pain because I have so many accounts with two-factor authentication. Now, because of Authy, resets are simple and straightforward. And if, by some bizarre chance, I should lose my phone and my computer should crash–without a backup–all in the same day, I’ll still be okay.

  3. Leo, here is my problem with Gmail 2-step authentication. I have used it off and on, but always end up doing away with it. Here is the reason: no matter how many times I check the box that says “Do not ask for codes on this computer”, it asks me every single time, and I simply get sick of that. Can you help me solve that issue? If so, I will be happy to do the 2-step with Gmail again. Many thanks!

  4. There is a brilliant place to hide computer passwords: Inside the case of the desktop computer. A laptop could have the passwords inside the battery compartment. If you are totally paranoid, you could add a character or two to the front and/or back of the passwords, as long as you remember what you did, so the passwords won’t work even for a determined thief.

  5. I wish more websites would allow you to provide a landline phone number to receive a voice message with the security code for those who don’t check their emails wherever they go. No need to worry about losing a landline phone, plus it seems more secure than a mobile phone. Is there any particular reason why some websites, such as Yahoo email, insist that only a mobile phone number be provided for 2-factor authentication?

    • So I researched Yahoo’s 2FA, and they support voice. I added my land line, and got a call. Then logging in to an in-private browser session I got a number of options for the second factor including my landline, mobile (text or call on either), as well as email to an alternate email address. Here’s a pic of all my options:

      So even though it asks for a mobile number, I’m thinking you have many more options than just that.

  6. In all my years of establishing online accounts with various small and large financial institutions, I don’t recall ever receiving recovery codes or one-time passwords as part of the process of setting up Two-Factor Authentication. It would be great if I did because my big worry is that, as this article mentions, the second factor could be lost, stolen, or broken. And if that happens, then what?

    I sure hope Leo was exaggerating a bit about the risk of “losing access to that important account … forever.” What if that 2FA account held a substantial chunk of change?!

    I better check with my financial institutions to see whether they had offered any recovery methods for 2FA accounts. Hopefully, it wasn’t an oversight on my part – and hopefully they have recovery methods now.

    • Banks, businesses, and financial institutions will always have another way to get you access. For example, if I lost access to my online banking, I walk in to the bank where they vet me and restore access.

      It’s free accounts with no customer support (Gmail, Facebook, etc.) that are most often “lost forever”. Generally, people who take the time to set up two-factor do all the other things right (like recovery addresses), so they rarely lose things.

