Two-factor feels like it’s more complicated. But is it?
You should use two-factor authentication.
Seriously, if forgetting your passwords is what you worry about, you should still use two-factor authentication.
Here’s the deal: the two aren’t related.
Passwords & Two-factor
Passwords and two-factor authentication are separate from one another and don’t add additional risk to one another. More important is that you set your account recovery information and keep it up-to-date so that if there’s a problem with either — two-factor or your password — you’ll be able to regain access to the account and address the problem.
Passwords are separate from two-factor
With or without two-factor authentication, you need to remember your passwords.
Two-factor doesn’t make that any worse or make that any better. If you don’t know your password — your “first” factor, if you will — you won’t be able to sign in. You’ll need to perform an account recovery and set a new password.
That’s unrelated to two-factor authentication.
A more related concern might be forgetting your passwords because you use a password vault. That happens, and it’s OK. I couldn’t tell you my banking password if I needed to. My password vault — LastPass — remembers it for me. I usually let LastPass enter it for me, but if I ever want to see it, I can examine it in my LastPass vault.
So if forgetting your passwords is your main concern, consider using a password vault. Bonus: it’ll let you use stronger passwords, and easily use different passwords across all your sign-ins.
Two-factor is separate from passwords
The more common question about two-factor authentication is what happens if you lose your second factor. For example, perhaps you lose the phone running your two-factor app or the phone that receives the SMS messages used in two-factor authentication.
The answer here is very much the same as that for forgetting your password: you’ll need to perform an account recovery, probably setting a new password, but then either disabling two-factor or associating a different two-factor authentication method.
But that common solution — performing an account recovery — exposes the common weakness. Fortunately, it’s a weakness that’s easily addressed. Unfortunately, many people don’t address it.
Make sure recovery will work
In both of these scenarios, the solution to forgetting or losing is recovery — specifically, using the “I forgot my password” recovery process offered by the service you’re attempting to sign in to.
That process depends on the recovery options you set up ahead of time: a recovery email address, a recovery phone number, or saved backup codes. As long as those are in place, up-to-date, and working, there’s no problem. There’s the inconvenience of a few additional steps, but you can get your account access back quickly.
The problem is that many people either don’t set them up or don’t keep them up to date. The recovery email goes to an email address they no longer have access to. The recovery code goes to a phone number they stopped using long ago. They never saved backup codes, or forgot where they put them.
You get the idea: everything put into place specifically to recover an account doesn’t work.
And when it doesn’t work, the account can’t be recovered. It’s lost. Forever.
The three things you need to do
Managing an account is important. For the best security, you must take responsibility for doing three things:
- Use unique, strong passwords for every site.
- Use two-factor authentication whenever offered.
- Above all: keep your recovery information active and up to date.
Forget that last one, and you might very well lose your account — with or without two-factor authentication.