What happens when your accounts are so secure that even you can’t get in?
The scenario is this: you’re traveling far away from home. For some reason — perhaps theft or some other disaster — you lose everything. And by everything, I mean absolutely everything: your technology, your wallet, your identification… everything but the clothes on your back.
How do you sign in? How do you regain access to your oh-so-well-secured online accounts?
Preparation is key.
Become a Patron of Ask Leo! and go ad-free!
Losing everything while traveling
While it’s rare, if you lose everything while traveling, including access to your phone and passwords, regaining access to online accounts can be challenging. Preparation is key: memorize key phone numbers, consider secure backups like an encrypted file you can still access, or use other methods that require only your knowledge to access.
The problems we might encounter
These are some of the difficult-to-solve issues you might encounter if you lose everything when you’re away from home.
- You don’t remember your passwords because you don’t have access to your password manager (or the slip of paper on which you keep your passwords).
- You can’t respond to a two-factor authentication request because you’ve lost your second factor.
- You can’t perform an account recovery because you don’t have access to your phone (for an SMS confirmation) or an alternate email account.
It feels like a vicious circle because it is. For any account you want to get into, you need something else you can’t access because it’s lost or you don’t have a way to receive recovery info.
Before we panic
I want to be clear: this is not something that happens often.
In particular, this is not a reason to drop your security across the board. For example, you should not decide that your accounts should have memorable passwords without two-factor authentication. Yes, this would solve the travel problem, but it would put you at a much higher risk of a much more likely account compromise.
I hear objections to increased security because of variations of the scenario we’re talking about, and that’s not called for. Most of us are never at this level of risk.
Though I’ll admit: if you truly are in such a dire situation, things get complicated.
Who are you again?
Regaining access to your online life is only one part of a much larger problem. If you’ve lost everything, then you’ve lost any way to independently prove you are who you say you are.
This would apply, for example, to recovering your passport, driver’s license, or other forms of identification. These scenarios all suffer from the same problem as your online accounts: proving your identity.
My assumption (and hope) is that agencies have alternate ways to confirm your identity. It could be their record of your most recent passport photo, a fingerprint, information you can provide from memory, or who knows what else.
Remember one phone number
The most basic solution is to remember exactly one phone number: a person to whom you’ve entrusted your information in the case of your disability or death. In theory, they could sign into, say, your password manager. Then they could help get you into the email account you use for account recovery, at which point you’d be able to recover the rest on your own.
They might receive two-factor codes and relay them to you, or perhaps locate devices of yours that are already signed into the account you care about — a common form of authentication of late.
And, of course, this person’s email address (or cell phone number) could be your alternate or account recovery information; recovery codes would go directly to them, at which point they could relay them to you over the phone.
Replace your phone
If you’re in an area where your mobile provider has a retail or other service presence, visit or get in touch with them right away.
First, disable your lost or stolen phone, but more importantly, replace it, making sure you keep the same phone number. Once the phone number has been activated on your replacement phone, you’ll receive SMS-based two-factor and recovery codes directly.
The phone company will have the same problem as we encountered with your other ID: they’ll need to confirm you are who you say you are. If you’ve replaced your driver’s license or passport or whatever, this might be easy, of course. But if you truly have nothing, this could be a painful experience.
Your secret cache
This idea is debatable, I’ll admit, and perhaps a little complex, but it could be “secure enough”.
- Create a text file with information you would need to regain access to some important accounts. In theory, this could be information about your password manager or information for your primary recovery account.
- Encrypt that file. Use commonly available tools, like ZIP, to place a strong password on this file. The key here is that the password is something you remember and is known only to you.
- Place that file in an obscure yet publicly visible online service whose location you can easily remember.
And, yes, for those who saw it, this is in part “security by obscurity”, something that is often looked down on.
Since I have a website, I could bury such a file in several layers of obscurely named folders. All I would need to remember is those folder names and the password to this recovery file.
If you don’t have a website, you can use a file-sharing service. You’ll need to remember this URL, so it’s important that this file-sharing service doesn’t obfuscate the URLs to the files. This tends to leave out services like OneDrive or Dropbox, since their URLs are anything but simple and easy to remember (though you could create a more memorable URL, perhaps, using a URL-shortening service).
When the time comes, you navigate to this URL, retrieve your secret file, decrypt it, and use the information therein to recover access to your online account(s).
Do this
I will reiterate that this is a scenario most of us need not be concerned about. Rarely does someone lose absolutely everything and land in this situation.
But if you do travel extensively, it’s something to keep in mind.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
How about you?
If you’ve got a nifty way to handle this situation, I (and others) would love to hear about it. Leave a comment below. Thanks!
All this can happen in other scenarios, which sadly, may occur more often than traveling.
Family members went to work one morning, then a wild fire came through town and decimated many homes in just a few hours.
At the end of the day, they literally only had what they wore and the other detritus one takes to work, which thankfully was their phones, their wallets, and some forms of I.D.
Their home and all the contents were just a pile of ash.
But they were lucky, many others were killed.
They could not return for many days.
This can happen anywhere to anyone, please take note of the ideas expressed in this article.
Thank you Leo.
Losing everything in a fire is much worse than losing everything wile traveling, but the data recovery after that would be somewhat different. In your city, you can walk into your bank and sort out your credit and debit cards. You can go to the DMV and work out your identification. The same with phones and Internet.
One way to keep from losing your logins is to use a password manager. They allow you to have an encrypted version on their servers which you can access online. Unfortunately, sites that use two factor authentication will require some hoops to jump through.
Is it so unusual to lose one’s phone and wallet when travelling? This is exactly what thieves/pickpockets are targetting.
And yet we’re pressured into relying on our phones for everything and having them be the key to our identity.
Yes, you should have recovery codes as well but very few services actually provide, publicize, much less require these at the time they push 2 factor authentification on you.
When traveling, how about a USB stick with password encryption to open contents? Stash in an uninteresting place [dirty laundry bag, etc.]. All that you would need would be there. Last I looked into that years ago, it was not possible to acquire. Your take please…. a Supporter.