No need to worry about losing your second factor if you do this first.
I’m a big believer in using two-factor authentication for online accounts.
Two-factor authentication (often referred to as multi-factor authentication, 2FA, or MFA) adds the requirement of “something you have” to “something you know” to log in to an online service.
The risk is that “something you have” could turn into “something you’ve lost”. If you need it and don’t have it, you might not be able to sign in.
The solution? Preparation.
Become a Patron of Ask Leo! and go ad-free!
Two-factor authentication adds “something you have” (like a key fob, app, or mobile number) to “something you know” (your password) to allow you to sign in. You could lose your second factor, so it’s important to set up the recovery options offered by the online service to be able to get back in without it. Keeping the recovery options safe, secure, and up-to-date allows you to safely rely on the additional security of two-factor authentication while knowing you have a way back in should something happen.
Two-factor and “something you have”
You’re already familiar with “something you know” — that’s a password.
Something you have might be a mobile phone capable of receiving a text message, an authenticator app on a mobile device, a dedicated key fob, or even a specialized USB device. Two-factor authentication simply means that you must provide not only a password but proof that you possess a second factor. If you don’t, you can’t sign in, even if you know the password.
Neither can hackers — and that’s the point.
The scenario: losing “something you have”
It’s one of the first questions to come up when I talk about two-factor authentication: what happens if I lose my second factor?
It’s a valid concern.
In my case, for example, I have several accounts requiring my mobile phone in order to sign in. I can’t tell you the number of times I’ve attempted to log in on my family-room laptop1 only to have to go back to my office and get my phone.
What if I didn’t have my phone, or it was broken?
What if I were traveling and I lost my phone?
This scenario is something two-factor authentication designers realized would be an issue from the beginning. The result? Recovery codes.
Two-factor recovery codes
When you set up two-factor authentication, you’re also provided with, or prompted to create, recovery information. They typically include options such as:
- Recovery codes: complex codes you can use to sign in without the second factor present.
- One-time passwords: one or more passwords you can use exactly once each to sign in without the second factor present.
In addition, mechanisms you’ve already put in place to recover your account, such as an alternate email address or mobile phone number, are sometimes also used in lieu of two-factor authentication should you lose that “something you have”. In a sense, your ability to get messages at that alternate email address or mobile number is also a type of second factor.
Once signed in successfully, the idea is you would then re-establish two-factor authentication with a new replacement device, or turn 2FA off completely until you can.
But wait … log in without the second factor? Doesn’t that negate the security offered by two-factor authentication?
Not at all.
Keeping recovery codes secure
Remember, you only need recovery codes if you lose your second factor. The rest of the time, they’re completely unnecessary.
I have yet to need one of my recovery codes.
The issue, of course, is these recovery codes are like a magic key to get into your account. If anyone besides you could get them, they could get into your account.
That’s why it’s critical to keep them secure.
- Print the codes and keep the print-outs in a safe location, such as a personal safe or safety deposit box.
- Save them digitally to a known and extremely secure location, like your password vault.
- Save them digitally, encrypting the file(s) with tools like 7-zip, BoxCryptor, or others, and then back them up appropriately.
Needless to say, I use the last option. My recovery codes are encrypted and backed up in such a way that I would be able to recover them no matter where I am — even when traveling.2
Similarly, keeping your other account recovery information accessible and up-to-date is critical as well. You’ll need it if you ever need to regain access to your account, including possibly because you don’t have your second factor available.
But as it turns out, keeping recovery information secure and/or up to date isn’t even the biggest issue.
Keeping recovery codes … at all!
Too many people fail to save the recovery codes at all. Or they forget where they put them. Or they let their alternate email address fall out of use. Or they got a new mobile number and don’t update it in their recovery information.
You can guess what happens when they lose their second factor without any way to recover: they lose their account. It’s gone, completely, permanently, and without recourse.
When you add a second authentication factor, the advice is simple: don’t lose the recovery codes. Keep them secure, and remember where you kept ’em. And of course, keep your other account recovery information up to date as well.
Do that, and you’ll have all the security of two-factor authentication without inadvertently locking yourself out should you lose your phone, fob, USB device, or other second factor.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!