Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

21 comments on “The Easy-to-Avoid Two-Factor Loss Risk”

  1. How do I set up 2-factor authentication? You described the problems and possibilities of recovering the lost 2nd factor but don’t tell how to set up the system to begin with.

  2. Recovery codes are good, but the belt and suspenders choice is to use Authy.

    I’ve never worried too much about losing my phone, but resetting it is a huge pain because I have so many accounts with two-factor authentication. Now, because of Authy, resets are simple and straightforward. And if, by some bizarre chance, I should lose my phone and my computer should crash–without a backup–all in the same day, I’ll still be okay.

  3. Leo, here is my problem with Gmail 2-step authentication. I have used it off and on, but always end up doing away with it. Here is the reason: no matter how many times I check the box that says “Do not ask for codes on this computer”, it asks me every single time, and I simply get sick of that. Can you help me solve that issue? If so, I will be happy to do the 2-step with Gmail again. Many thanks!

  4. There is a brilliant place to hide computer passwords: Inside the case of the desktop computer. A laptop could have the passwords inside the battery compartment. If you are totally paranoid, you could add a character or two to the front and/or back of the passwords, as long as you remember what you did, so the passwords won’t work even for a determined thief.

  5. I wish more websites would allow you to provide a landline phone number to receive a voice message with the security code for those who don’t check their emails wherever they go. No need to worry about losing a landline phone, plus it seems more secure than a mobile phone. Is there any particular reason why some websites, such as Yahoo email, insist that only a mobile phone number be provided for 2-factor authentication?

    • So I researched Yahoo’s 2FA, and they support voice. I added my land line, and got a call. Then logging in to an in-private browser session I got a number of options for the seceond factor including my landline, mobile (text or call on either), as well as email to an alternate email address. Here’s pic of all my options:

      So even though it asks for a mobile number, I’m thinking you have many more options than just that.

  6. In all my years of establishing online accounts with various small and large financial institutions, I don’t recall ever receiving recovery codes or one-time passwords as part of the process of setting up Two-Factor Authentication. It would be great if I did because my big worry is that, as this article mentions, the second factor could be lost, stolen, or broken. And if that happens, then what?

    I sure hope Leo was exaggerating a bit about the risk of “losing access to that important account … forever.” What if that 2FA account held a substantial chunk of change?!

    I better check with my financial institutions to see whether they had offered any recovery methods for 2FA accounts. Hopefully, it wasn’t an oversight on my part – and hopefully they have recovery methods now.

    • Banks, businesses, and financial institutions will always have another way to get you access. For example if I lost access to my online banking, I walk in to the bank where they vet me and restore access.

      It’s free accounts with no customer support (Gmail, Facebook, etc.) that are most often “lost forever”. Generally people that take the time to set up two-factor generally do all the other things right (like recovery addresses) so they rarely lose things.

  7. I keep a copy of my recovery codes encrypted in my one drive folder. That way, I have it always available on all my computers, Android & iOS devices and the Web. I use zip encryption so I can decrypt the codes when I download them from the Web on a work or friend’s computer.

    • I used to have fingerprint recognition on my Lenovo laptop until last week when the driver became incompatible with the latest Windows update. I contacted service and got a completely wrong solution and when I went to the forum, Lenovo customer service said they didn’t plan to update the driver. Bottom line, don’t rely on a fingerprint as your only method of logging in. You should always have a backup method. The computer is only two years old. Last Lenovo I’ll ever buy. Losing the fingerprint reader is a minor inconvenience, but I can’t deal with incompetent tech support.

  8. Hi Leo:
    I use 2FA on many accounts that use it. My recently purchased iPhone intermittently would not connect to the VZW network, so Apple sent me a new one for free. I reloaded it from iCloud. My 2FA link to GoDaddy was there, but the link to 2FA for Splashtop was not there. The Splashtop 2FA link was for an additional user on Splashtop, so it wasn’t my regular email address, which compounded my recovery. I followed their instructions to re-install 2FA, but it didn’t work. They’re not taking calls due to Covid, so I had to email them. Three days later, I hadn’t received a return correspondence or callback, so I emailed them again. Another couple of days, I finally received an email with instructions to re-install my 2FA link. I was able to re-install 2FA, but what if I had needed access sooner? Yes, I realize that I should have kept my recovery codes, but I didn’t. This made me think, do I have to store all my various recovery codes on my computer (or in a filing cabinet)? I regained access and I turned OFF 2FA for this account. They still use a one-time email authorization if my signon is used from a new computer, so I will have to live with that. I have over 50 passwords to maintain, so I started a NOTE on my iPhone and one my Computer with all my signons and passwords (all strong p/w’s), all coded with abbreviations (i.e. one password starts with “H” so my hint is “H.”) So I downloaded an app to store passwords, then I thought “Where are they in the cloud?” “Who has access to them besides me?” It’s a difficult decision, but each of us will need to decide which one works best. Yes, I know, don’t lose the recovery codes.

    • Try using a password app to manage all of your various password, PINs, and codes? It’s much simpler and safe (e.g., Dashlane, LastPass, 1Password).

  9. I’ve always been leery of setting up 2FA, but now after reading this article, I an definitely going to avoid it whenever possible, and if it is not possible I will find an alternative service.

    The deciding factor was “they lose their account. It’s gone, completely, permanently, and without recourse.”

    I do not want to live my life with a loaded, cocked gun pointed at my head. One day it will go off. Definitely. And when that happens, I really would like some recourse.

    Until that recourse is available, it’s not for me.

    • You’re in more danger of that without 2FA than with it. As you sit without 2FA you are MORE likely to get hacked and have your account “gone, completely, permanently, and without recourse.”

      And as the article goes discusses, preventing that “gone, completely, permanently, and without recourse” with 2FA is almost trivially easy.

  10. Hello,

    I have read most of Leo’s memo’s and find them informative and accurate. I have been a supporter of “Ask Leo” for 15 years. I am a retired person with IT knowledge and have found that Leo offers straight forward advice without hoops or twists to jump through. User’s can always ask questions but just how many questions can one ask before they see the light? I will continue to support Leo and his efforts to help we user’s. Continue on my friend.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.