
The Easily-avoidable Risk of Two-factor Authentication

I’m a very strong believer in using two-factor authentication for important online accounts. For example, I rely heavily on Gmail, and I have it protected with Google’s two-factor authentication option. Even if a hacker somehow got my password, they still wouldn’t be able to get in.

Two-factor authentication (2FA, the most common form of multi-factor authentication, or MFA) adds the requirement of “something you have” to “something you know” in order to log in to an online service.

You’re already familiar with something you know: that’s a password. Something you have might be a mobile phone capable of receiving a text message, an authenticator application running on a mobile device, a dedicated key fob, or even a specialized USB device. Two-factor authentication simply means that you provide not only a password, but you must also prove that you have the second factor in your possession. If you don’t, you can’t log in even if you know the password.

Neither can hackers – and that’s the point.

Failing to prepare for loss of that second factor, however, is an easily overlooked, yet easily avoidable risk of two-factor authentication. The risk? Losing access to that important account … forever.


The scenario: losing “something you have”

It’s one of the first questions to come up whenever I talk about two-factor authentication: What happens if I lose whatever the second factor is? In other words, how do I get into my account if I don’t have the “something you have” component?

It’s a very, very valid concern.

In my case, for example, I have several accounts that require that I have my mobile phone in order to log in. I can’t tell you the number of times I’ve attempted to log in to LastPass on my laptop in my family room (where I have LastPass set at its most secure), only to be forced to get up and go back to my office and get my phone.

What if? What if I didn’t have my phone? What if I were traveling, and I lost my phone?

This scenario is something that two-factor authentication designers realized would be an issue from the beginning. The result? Recovery codes.

Two-factor authentication recovery codes


When you initially set up two-factor authentication, you’re also provided with recovery information. It varies in style from service to service, but typically includes:

  • Recovery codes: long, random codes you can use to log in without the second factor present.
  • One-time passwords: one or more passwords, each of which works exactly once, that you can use to log in without the second factor present.

Once you’ve logged in successfully, the idea is that you then re-establish two-factor authentication with a new, replacement device, or turn it off completely until you can. Either way, generate a fresh set of recovery codes while you’re at it: if the old set was stored on, or alongside, the device you lost, treat it as compromised.
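As an added illustration (not code from Ask Leo! or from any particular service), here is a minimal Python model of how a service can treat a one-time recovery code as a stand-in for the normal second factor. It assumes, for the sake of the example, that the normal factor is a TOTP authenticator code (RFC 6238) and that the service stores only SHA-256 hashes of the recovery codes; the code format (ten characters, shown once, split by a dash), the alphabet, and the `Account` class are this example’s own inventions.

```python
"""Added example, not from the article: a service-side model of second-factor
checks with one-time recovery codes. Assumptions: TOTP (RFC 6238, HMAC-SHA1,
6 digits, 30 s step) is the normal factor; recovery codes are stored hashed."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Set

# Hypothetical code alphabet: lowercase letters and digits minus look-alikes (0/o, 1/l/i).
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


def generate_recovery_codes(count: int = 10, length: int = 10) -> List[str]:
    """Random codes shown to the user exactly once, formatted as xxxxx-xxxxx."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        codes.append(raw[: length // 2] + "-" + raw[length // 2:])
    return codes


def normalize(code: str) -> str:
    """Users retype codes from paper: ignore case, spaces and dashes."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def code_hash(code: str) -> str:
    """Only this digest is stored; the plaintext code never touches the database."""
    return hashlib.sha256(normalize(code).encode()).hexdigest()


class Account:
    """Hypothetical account record: TOTP secret plus hashes of unused recovery codes."""

    def __init__(self, totp_secret: bytes):
        self.totp_secret = totp_secret
        self.unused_code_hashes: Set[str] = set()

    def issue_recovery_codes(self) -> List[str]:
        """(Re)issue a fresh set; the plaintext is returned once and never stored."""
        codes = generate_recovery_codes()
        self.unused_code_hashes = {code_hash(c) for c in codes}
        return codes

    def redeem_recovery_code(self, submitted: str) -> bool:
        """Accept a code at most once: a match is removed before returning True."""
        h = code_hash(submitted)
        match = next((s for s in self.unused_code_hashes
                      if hmac.compare_digest(s, h)), None)
        if match is None:
            return False
        self.unused_code_hashes.discard(match)
        return True

    def verify_second_factor(self, submitted: str, now: Optional[float] = None) -> Optional[str]:
        """Return 'totp', 'recovery', or None. Allows one step of clock drift either way."""
        now = time.time() if now is None else now
        for drift in (-1, 0, 1):
            expected = totp(self.totp_secret, now + drift * 30)
            if hmac.compare_digest(expected, submitted.strip()):
                return "totp"
        if self.redeem_recovery_code(submitted):
            return "recovery"
        return None


if __name__ == "__main__":
    # RFC 6238 test secret; a real service would generate one per account.
    acct = Account(b"12345678901234567890")
    codes = acct.issue_recovery_codes()
    print("Store these somewhere safe:", *codes, sep="\n  ")
    print(acct.verify_second_factor(codes[0]))  # 'recovery'
    print(acct.verify_second_factor(codes[0]))  # None: already used
```

Two details carry the security argument of the article: the plaintext codes exist only in the moment they are shown to the user, and a code is removed from the unused set before the login is accepted, so a captured code cannot be replayed. A real service would also rate-limit guesses, since a ten-character code is short compared to a TOTP secret, and would prompt the user to regenerate the whole set after a recovery login.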

But … wait … log in without the second factor? Doesn’t that negate the security offered by two-factor authentication?

Not at all, provided the codes are random, each one is accepted only once, and they’re kept where an attacker can’t reach them. A recovery code is a stand-in for the second factor, not a way around it.

Keeping two-factor authentication recovery codes secure

Remember, you only need recovery codes if you lose your second factor. The rest of the time, they’re completely unnecessary.

I have yet to need one of my recovery codes.

The issue, of course, is that these recovery codes are like a magic key to get into your account. If anyone besides you could get them, they could get into your account and cause all sorts of havoc.

That’s why it’s critical to keep them secure.

Suggestions include:

  • Print the recovery codes out and keep the print-outs in a safe location, such as a personal safe or safety deposit box.
  • Save them digitally to a known, well-protected location that you control and will remember.
  • Save them digitally in file(s) encrypted with tools like AxCrypt, 7-Zip, Boxcryptor or others, and then back them up appropriately.

Whichever you choose, label each set with the account it belongs to, and don’t keep the only copy on the phone or device that is your second factor: losing that device would take the codes with it.

Needless to say, it’s the last one that I do. They’re encrypted and backed up in such a way that I should be able to recover them no matter where I am, even when traveling [1].

But as it turns out, that’s not even the biggest issue.

Keeping two-factor authentication recovery codes … at all!

Unfortunately, too many people apparently fail to save the recovery codes at all. Or they forget where the codes are kept.

You can probably guess what happens when they lose their second factor: they lose their account. Completely, permanently, and without recourse.

Now, to be fair, I have to add that permanent loss is only a risk in many cases, not all. Banks and other institutions may have alternative ways to confirm you are who you say you are. I suspect, and even hope, that those are quite a hassle (if they were easy, hackers could use them too). But when it comes to that free email account? Lost and gone forever.

People forget their passwords all the time. I’ve done it myself [2]. The typical admonition is simple: don’t do that. Remember your passwords!

When you add a second authentication factor, the advice is, so to speak, doubled: don’t lose the recovery codes. Keep them secure, and remember where you kept ’em.

Do that, and you’ll have all the security of two-factor authentication, without inadvertently locking yourself out should you lose your phone, fob, USB device, or other second factor.


Footnotes & references

1: In theory. In complete honesty, I’ve never had to test this scenario, and I hope I never have to. 🙂

2: Not for any important account, mind you. Typically it happens when I return to an account I’d set up years earlier and forgotten about – clearly not important.

8 comments on “The Easily-avoidable Risk of Two-factor Authentication”

  1. How do I set up 2-factor authentication? You described the problems and possibilities of recovering the lost 2nd factor but don’t tell how to set up the system to begin with.

  2. Recovery codes are good, but the belt and suspenders choice is to use Authy.
    https://www.authy.com/

    I’ve never worried too much about losing my phone, but resetting it is a huge pain because I have so many accounts with two-factor authentication. Now, because of Authy, resets are simple and straightforward. And if, by some bizarre chance, I should lose my phone and my computer should crash–without a backup–all in the same day, I’ll still be okay.

  3. Leo, here is my problem with Gmail 2-step authentication. I have used it off and on, but always end up doing away with it. Here is the reason: no matter how many times I check the box that says “Do not ask for codes on this computer”, it asks me every single time, and I simply get sick of that. Can you help me solve that issue? If so, I will be happy to do the 2-step with Gmail again. Many thanks!

  4. There is a brilliant place to hide computer passwords: Inside the case of the desktop computer. A laptop could have the passwords inside the battery compartment. If you are totally paranoid, you could add a character or two to the front and/or back of the passwords, as long as you remember what you did, so the passwords won’t work even for a determined thief.

  5. I wish more websites would allow you to provide a landline phone number to receive a voice message with the security code for those who don’t check their emails wherever they go. No need to worry about losing a landline phone, plus it seems more secure than a mobile phone. Is there any particular reason why some websites, such as Yahoo email, insist that only a mobile phone number be provided for 2-factor authentication?

    • So I researched Yahoo’s 2FA, and they support voice. I added my land line, and got a call. Then logging in to an in-private browser session I got a number of options for the second factor including my landline, mobile (text or call on either), as well as email to an alternate email address. Here’s a pic of all my options:

      So even though it asks for a mobile number, I’m thinking you have many more options than just that.
