Proving you’re you without your second factor.
First my laptop, now my phone.
I went to take a photo of my dogs and apparently it was cuteness overload for my Google Pixel 4 XL, because it just shut down the moment I tapped the button.
I forced a reboot and took another photo, which worked. A few seconds later, while viewing the photo, the screen went crazy and the phone started squealing. I forced it off again. It came back one more time, worked for a bit, and then shut down one last time. All further attempts to revive it were unsuccessful.
I was now the proud owner of a Google Pixel 4 XL brick.
The biggest problem? The phone was my second factor for all my multi-factor-enabled accounts — and I was traveling. Could I sign in to my important accounts without it?
Losing my second factor
Particularly when traveling, losing your second factor for multi-factor authentication can be a problem. For SMS authentication, simply porting your phone number to a replacement phone works immediately. For Google-Authenticator-style authentication, an app like Authy lets you use multiple devices as your second factor. In all cases, it’s important to keep your account recovery and alternate verification methods up to date and ready before you need them.
I’ve long been a proponent of what’s called “two-factor” authentication. The premise is that in addition to your account ID (often your email address) and password — two things you know — you must also prove that you have your second factor in your possession. Mobile phones are a common second factor, using either SMS to receive a code, or a smartphone app to generate a code that you enter when you sign in.
What it all means is that hackers can’t get into your account, even if they know your password — they don’t have your second factor.
But now, suddenly, neither did I.
Traveling compounds the issue
Most services using multi-factor authentication allow you to say, “Don’t require two-factor on this device” after signing in once successfully with 2FA. The machine itself is “secure enough” not to require two-factor for every sign in thereafter.
I do this with my desktop computer at home so I don’t need two-factor after the first sign-in.1
My laptop is a different story. Since it’s portable and I’m traveling, I need to protect myself from loss or theft. That means I don’t take that shortcut. I require two-factor each time I sign in to accounts I protect with multi-factor authentication.
Without my phone, the very next account sign-in on my computer or tablet posed a problem: I didn’t have my second factor. I couldn’t prove I had the right to get into those accounts.
Fortunately, services have alternatives you can set up beforehand.
Some services make it easy
Google made it easy to sign in using an alternative. It prompted for my second factor as usual, but when I indicated I couldn’t use that method, it gave me the option to use any of several other second factors.
I simply chose one of the other techniques, and I was in.
Many services not only support this, but actively encourage you to set up additional recovery methods when you enable two-factor authentication.
Here’s the catch: just like your account recovery information, you must set this up before you need it.
Once you do, losing your second factor becomes merely an annoyance.
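One common form of “other second factor” that services let you set up ahead of time is a short list of single-use backup codes, printed or saved somewhere safe. The article doesn’t say which alternative Google offered or which one was used, so the following is an added illustration (not code from Ask Leo! or from any service) of how a service would issue such codes and later redeem them: the user sees the codes exactly once, the service stores only salted hashes, and a code that has been used is never accepted again. The alphabet, code length and hashing parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import string

# Constructed choices for the example: 10 characters from a 36-symbol
# alphabet gives roughly 51 bits of entropy per code.
ALPHABET = string.digits + string.ascii_lowercase
CODE_LEN = 10
PBKDF2_ROUNDS = 50_000  # assumed; slow enough to blunt offline guessing


def _hash_code(code: str, salt: bytes) -> bytes:
    """Hash a backup code the same way a password would be hashed."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def _normalize(submitted: str) -> str:
    """Accept the code however the user typed it: spaces, dashes, upper case."""
    return submitted.replace("-", "").replace(" ", "").strip().lower()


def format_for_display(code: str) -> str:
    """Split a code in half so it is easier to copy from paper: xxxxx-xxxxx."""
    half = len(code) // 2
    return f"{code[:half]}-{code[half:]}"


def generate_backup_codes(count: int = 8):
    """Return (codes to show the user once, records for the service to store).

    Only the records are persisted; the plaintext codes exist only for the
    moment they are shown to the user.
    """
    codes, records = [], []
    for _ in range(count):
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        salt = secrets.token_bytes(16)
        codes.append(format_for_display(code))
        records.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
    return codes, records


def redeem_backup_code(records, submitted: str) -> bool:
    """Check a submitted code against the stored records and burn it on success.

    Every unused record is compared with a constant-time comparison; a used
    record is skipped so the same code cannot be replayed.
    """
    candidate = _normalize(submitted)
    if len(candidate) != CODE_LEN:
        return False
    for record in records:
        if record["used"]:
            continue
        if hmac.compare_digest(_hash_code(candidate, record["salt"]), record["hash"]):
            record["used"] = True
            return True
    return False


def codes_remaining(records) -> int:
    """How many codes are left; a service would prompt for a new set when low."""
    return sum(1 for record in records if not record["used"])


if __name__ == "__main__":
    shown_once, stored = generate_backup_codes()
    print("Save these somewhere safe; they will not be shown again:")
    for c in shown_once:
        print("  ", c)
    print("first use:", redeem_backup_code(stored, shown_once[0]))
    print("replay:   ", redeem_backup_code(stored, shown_once[0]))
    print("remaining:", codes_remaining(stored))
```

The point of storing hashes rather than the codes themselves is the same as for passwords: a database leak shouldn’t hand an attacker a working second factor. The single-use flag is what makes a lost or photographed printout a bounded problem rather than a permanent one.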
SMS is easy, but…
The appeal of SMS text messaging for two-factor authentication is that it’s tied to your phone number rather than your device. Replace the phone, port the number to the replacement phone, and SMS continues to work.
That portability is also its weakness: “SIM swapping” is a social engineering technique in which hackers get your phone number transferred to their device. Fortunately, it’s still relatively rare, and mobile providers know to look for it. More importantly, SMS two-factor remains better than no two-factor at all.
I considered visiting my mobile provider’s local store, where all of this could have happened within a couple of hours. I elected to wait and have a replacement phone delivered to my home on my return.
The other approach to two-factor authentication, which I recommend over SMS, is Google’s Authenticator app on capable devices — or rather, any app compatible with Google’s Authenticator.
I use Authy. The situation I found myself in is exactly why.
You can install Authy on multiple devices, and your two-factor codes are available across all of them. You can use any of these devices as your second factor. While I did not have Authy installed on my laptop,2 I had it installed on my iPad, which I also had with me.
If I needed to sign in to any site that used Google Authenticator for a second factor, I just reached for my iPad instead of my phone.
Use two-factor authentication whenever it’s available.
Then set up the recovery mechanisms provided by the service. Not only will this protect you in case you lose your second factor, but it’ll also dramatically increase your ability to regain access to your account should you lose it for any reason.
Use my experience above as an example of what you might set up, just in case.
Footnotes & References
1: Some services require the second factor periodically, such as every 30 days. If you clear cookies, two-factor will be required on the next sign-in.
2: A decision I wrestle with. Even though access to Authy is itself protected by a password or PIN code, having it on the same device that might be stolen seems questionable. And yet, I have it on the iPad…