I use Authy too, and I also use it in multiple places, including my laptop and phone.
Indeed, it would be exceptionally inconvenient to log out after every use — so inconvenient I’d have a difficult time using or even recommending two-factor[1] authentication. And it’s not just Authy — it’s any of the two-factor authentication “factors”, be it an app, your SMS-receiving phone, a security key, or anything else.
Once someone else has one of them — say if you lose your phone and they gain access to your two-factor app — what does that mean for your security?
Well, it’s serious and perhaps a little painful, but it’s not a disaster.
- Someone with access to your second factor does not have access to your accounts — they still need your password.
- SMS two-factor: contact your mobile provider and move to a new device.
- For all others: access the account using alternate methods, then remove and re-add two-factor with a new code or device.
Two factors means two factors
The first thing to realize is that two-factor authentication needs two factors to sign in.
Even if hackers have your password, they can’t sign in without your second factor. This is the reason I so strongly recommend two-factor authentication.
But the converse is true as well: if hackers have your second factor, they still can’t sign in without your password.
Both factors are required. If they don’t have both your password and your second factor (whether that’s a device, an app, a code, etc.), your account remains safe.
You still want to take action if you lose your phone, though.
Accounts using SMS-based two-factor
SMS-based (text message) two-factor authentication is the easiest to deal with.
If you lose your mobile phone, reach out to your provider, get a new phone, and transfer your number to the new phone. You’re done. SMS notifications will now arrive on your new device, and not your old, lost one.
If you don’t get a new phone immediately, do contact your provider as soon as possible and disable your lost phone. This prevents whoever has it from getting your SMS messages … or anything else.
It’s conceptually simple, and covers all accounts using SMS two-factor authentication.
For other accounts: first, regain access
For each account you have that uses a device or an app as its second factor, you need to sign in and set a new second factor.
For some accounts, you’ll already be signed in, and can proceed to the next step right away. For others, when you sign in, you’ll be asked for your second factor.
If you use Authy on multiple devices — like Windows and your mobile phone — you can simply sign in using the two-factor code provided by one of the other Authy installations. (This, and the ease of moving to a new phone, is the big benefit I see to using Authy.)
If, however, your second factor is only a single device — such as being on only your mobile phone, or being a single, specific, USB security key — then you no longer have the second factor you need to sign in.
When you set up two-factor authentication, you should also have set up a recovery mechanism. That may be an alternate email address, an SMS-enabled phone number, a recovery code, or even an additional two-factor device. Use that mechanism to sign into your account. (And if you haven’t set up a recovery mechanism, go do it now.)
Then, reboot two-factor
The goal is to invalidate existing two-factor devices and re-establish a new one.
In most cases, that’s a two-step process: turn off two-factor authentication and then turn it back on again. It’s a kind of reboot.
Turning two-factor off accomplishes the first goal: any pre-existing second-factor devices, codes, or associations are disabled and forgotten. The codes provided by previously configured two-factor applications, like Authy, will no longer work. You also need to delete any entries for the account in authenticator apps you still have access to.
Your account will, for a brief moment, not be protected by two-factor authentication. That’s why the next step is important.
Turning two-factor back on establishes a new code you can use with your two-factor app, or a new relationship with a replacement hardware key. Your account will once again be protected by two-factor authentication.
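To make the two points above concrete (both factors are required, and the off-then-on “reboot” kills every code the lost device could still produce), here is a small worked example. It is an added illustration, not code from Ask Leo! or from Authy; the `Account` class, `demo_reboot`, and the sample password are constructed for this page. What it does reflect accurately is the standard authenticator-app algorithm (RFC 6238 TOTP over HMAC-SHA1 with 30-second steps), which is why the first function reproduces the RFC’s published test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional


def totp(secret_b32: str, timestamp: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second steps), exactly as an authenticator app computes it."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", timestamp // step)          # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def new_totp_secret() -> str:
    """A fresh random 160-bit secret, base32-encoded the way enrolment QR codes carry it."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


class Account:
    """Constructed toy account: salted password hash plus an optional TOTP secret (assumption, not a real service)."""

    def __init__(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(password, self.salt)
        self.totp_secret: Optional[str] = None   # two-factor is off until enable_two_factor()

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enable_two_factor(self) -> str:
        """'Turning two-factor on': mint a brand-new secret and hand it to the app being enrolled."""
        self.totp_secret = new_totp_secret()
        return self.totp_secret

    def disable_two_factor(self) -> None:
        """'Turning two-factor off': forget the old secret, so codes from any old device are dead."""
        self.totp_secret = None

    def login(self, password: str, code: Optional[str], now: Optional[int] = None) -> bool:
        """Both factors are checked; a correct password alone, or a correct code alone, is refused."""
        now = int(time.time()) if now is None else now
        password_ok = hmac.compare_digest(self._hash(password, self.salt), self.password_hash)
        if self.totp_secret is None:             # two-factor not enabled: password is all there is
            return password_ok
        if code is None:
            return False
        # Accept the current step and one step either side to tolerate clock drift.
        code_ok = any(
            hmac.compare_digest(totp(self.totp_secret, now + drift), code)
            for drift in (-30, 0, 30)
        )
        return password_ok and code_ok


def demo_reboot(now: int = 1_700_000_000) -> Dict[str, bool]:
    """Walk through the article's scenario with a constructed account and a fixed clock."""
    acct = Account("correct horse battery staple")
    lost_phone_secret = acct.enable_two_factor()           # the secret sitting on the lost phone
    lost_phone_code = totp(lost_phone_secret, now)
    results = {
        "password_only": acct.login("correct horse battery staple", None, now),
        "code_only": acct.login("not the password", lost_phone_code, now),
        "both_factors": acct.login("correct horse battery staple", lost_phone_code, now),
    }
    # The "reboot": turn two-factor off, then on again with a replacement device.
    acct.disable_two_factor()
    replacement_secret = acct.enable_two_factor()
    results["lost_phone_code_after_reboot"] = acct.login(
        "correct horse battery staple", lost_phone_code, now)
    results["replacement_code_after_reboot"] = acct.login(
        "correct horse battery staple", totp(replacement_secret, now), now)
    return results


if __name__ == "__main__":
    for check, outcome in demo_reboot().items():
        print(f"{check:32s} -> {'signed in' if outcome else 'refused'}")
```

Running it shows the password alone and the lost phone’s code alone both refused, the pair accepted, and then, after the reboot, the lost phone’s code refused while the replacement device’s code is accepted. The secret really is forgotten on `disable_two_factor`, which is why the article stresses that the account is briefly unprotected between the two steps.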
It’s just like having your password exposed
Having someone else gain access to your second factor is the same as having someone else discover your password.
What do you do when your password is compromised? You change it.
What do you do when your second factor is compromised? You reboot it.
As long as both are not compromised by the same person at the same time, your account remains secure throughout.
Footnotes & References
1: I’ll use “two-factor” throughout this article, but you may encounter terms like “2FA”, “multi-factor”, or others that mean the same thing.