Two-factor feels like it’s more complicated. But is it?
You should use two-factor authentication.
Seriously, if forgetting your passwords is what you worry about, you should still use two-factor authentication.
Here’s the deal: the two aren’t related.
Passwords & Two-factor
Passwords and two-factor authentication are separate from one another and don’t add additional risk to one another. More important is that you set your account recovery information and keep it up-to-date so that if there’s a problem with either — two-factor or your password — you’ll be able to regain access to the account and address the problem.
Passwords are separate from two-factor
With or without two-factor authentication, you need to remember your passwords.
Two-factor doesn’t make that any worse or make that any better. If you don’t know your password — your “first” factor, if you will — you won’t be able to sign in. You’ll need to perform an account recovery and set a new password.
That’s unrelated to two-factor authentication.
A more related concern might be forgetting your passwords because you use a password vault. That happens, and it’s OK. I couldn’t tell you my banking password if I needed to. My password vault — LastPass — remembers it for me. I usually let LastPass enter it for me, but if I ever want to see it, I can examine it in my LastPass vault.
So if forgetting your passwords is your main concern, consider using a password vault. Bonus: it’ll let you use stronger passwords, and easily use different passwords across all your sign-ins.
Two-factor is separate from passwords
The more common question about two-factor authentication is what happens if you lose your second factor. For example, perhaps you lose the phone running your two-factor app or the phone that receives the SMS messages used in two-factor authentication.
The answer here is very much the same as that for forgetting your password: you’ll need to perform an account recovery, probably setting a new password, but then either disabling two-factor or associating a different two-factor authentication method.
But that common solution — performing an account recovery — exposes the common weakness. Fortunately, it’s a weakness that’s easily addressed. Unfortunately, many people don’t address it.
Make sure recovery will work
In both of these scenarios, the solution to forgetting or losing is recovery — specifically, using the “I forgot my password” recovery process offered by the service you’re attempting to sign in to.
That process typically involves sending an email to an alternate email address, or a recovery code to a specific phone number, or using a backup code, or something else.
As long as all those are in place, up-to-date, and working, there’s no problem. There’s the inconvenience of a few additional steps, but you can get your account access back quickly.
The problem is that many people either don’t set them up or don’t keep them up to date. The recovery email goes to an email address they no longer have access to. The recovery code goes to a phone number they stopped using long ago. They never saved backup codes, or forgot where they put them.
You get the idea: everything put into place specifically to recover an account doesn’t work.
And when it doesn’t work, the account can’t be recovered. It’s lost. Forever.
The three things you need to do
Managing an account is important. For the best security, you must take responsibility for doing three things:
- Use unique, strong passwords for every site.
- Use two-factor authentication whenever offered.
- Above all: keep your recovery information active and up to date.
Forget that last one, and you might very well lose your account — with or without two-factor authentication.
One way to prevent being locked out of your account is to have more than one second factor. Most allow you to have (an) email address(es) and a phone number associated as a second factor. I have 3 or 4 email addresses associated with all of my logins as a second factor.
My Bank of America online banking app and web logins have 3-factor authentication:
1. The password
2. An SMS or email
3. I have to enter my ATM PIN
Another thing that I’ve found handy is not to scan the 2FA barcode with the Authenticator App but rather write down the Key in a notebook you store at home. I then manually put the key in to test before doing the 2FA test to know that I got it right so that I know that key can help me activate it again should I lose my device.
Screenshotting the barcode is another approach and then saving that in a secure location. (This is how I enable two-factor when I need to share the account with someone.)
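The self-check the commenter describes (write the key down, type it in by hand, confirm it produces the same code the scanned QR code does) can be done offline with RFC 6238 TOTP. This is an added example, not code from the article or the commenter; the otpauth URI and secret are constructed for illustration, and the secret is the RFC 6238 test key so its codes are known.

```python
"""Added example: show that a TOTP secret copied by hand from the
otpauth:// URI behind an enrollment QR code reproduces the same codes
as the authenticator app that scanned it (RFC 6238, HMAC-SHA1)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed example of the URI an enrollment QR code encodes.
# The secret is the RFC 6238 reference key "12345678901234567890" in base32.
EXAMPLE_URI = ("otpauth://totp/ExampleBank:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank"
               "&digits=6&period=30")


def secret_from_uri(uri: str) -> str:
    """Pull the base32 secret out of an otpauth://totp/... URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    return parse_qs(parts.query)["secret"][0]


def normalize_key(typed: str) -> str:
    """Accept a hand-copied key with spaces, lowercase or missing '=' padding."""
    key = typed.replace(" ", "").upper()
    return key + "=" * (-len(key) % 8)


def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP code for the given Unix time (dynamic truncation per RFC 4226)."""
    key = base64.b32decode(normalize_key(secret_b32))
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def keys_match(uri: str, typed_key: str, now=None) -> bool:
    """Does the key written in the notebook yield the same code as the QR code's key?"""
    t = int(time.time()) if now is None else now
    return totp(secret_from_uri(uri), t) == totp(typed_key, t)
```

If `keys_match` returns True for the key you wrote down, that key can re-enroll a replacement authenticator later; store it with the same care as a password.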
I have lost several accounts because the site changed their requirement for 2FA (optional or required) without notification. I have lost one account because I don’t have the required smart phone to get into their site. I have lost several accounts because I no longer have the telephone number required, which I found out the hard way.
Sure I could start over with these sites probably. But do they really want me in their site? I think not or they would try harder to keep me. They can do very nicely without me. Google will help me find an alternative.
Good riddance to them. Lots a luck.
This is on you, I’m afraid. Aside from the change without notice (which is extremely bad practice, I agree), you MUST keep your alternate account recovery information up to date. It sounds like these services were, in fact, doing security right.