5

I love the idea of 2 factor authentication but how can I make sure I'm not caught in the wind without such keys? I thought about switching to a fob for services that support it. Is there a fob that I can trust that provides a tiny display for keys? (like Google or Authy but without a phone)

I ask this because I stupidly reset my phone without triple checking there wasn't anything left to recover in order to fix software issues I had. I totally forgot I had set "Multi-device" to disabled in Authy and now I have to wait for them to reset my access. I want to try to make it hard for me to accidentally lose 2 factor auth access.

schroeder
  • 123,438
  • 55
  • 284
  • 319
RansuDoragon
  • 105
  • 6

2 Answers2

5

When you use Google Authenticator, you can scan the code into multiple devices (iOS or Android). That way, loss of a single device won't lock you out, because you can always fall back to the original. Personally I store them on a old Android phone I no longer use.

All services 'should' allow you to register more than one yubikey per account, specifically for this reason. You should always have a spare yubikey when you use them as your 2FA device, otherwise you're forced into a tedious account recovery process when you lose them.

You're right to be worried about losing access to your account the moment you lose your second factor. But you should have multiple devices that store your second factor physically to avoid such a scenario.

As a separate answer mentions, I forgot about the recovery codes. These are special 2FA codes that are not time dependent and can be used in case of loss of a device. These codes are generally to be printed out physically, or stored somewhere else -- do not lose them!

keithRozario
  • 3,571
  • 2
  • 12
  • 24
  • `All services 'should' allow you to register more than one yubikey per account, specifically for this reason. You should always have a spare yubikey when you use them as your 2FA device, otherwise you're forced into a tedious account recovery process when you lose them.` @keithRozario Having multiple yubikeys just in case I lose one puts me at risk of someone getting a hold of one of my yubikeys right? – RansuDoragon Jan 21 '19 at 11:05
3

For those services that allow you to use an app such as Google authenticator, there is usually an option to enter the displayed alphanumeric code manually rather than scanning the QR code. If you make a record of this code and store it securely you can enrol a new device using that code.

I've been caught out with the phone change issue before when I've forgotten to temporarily disable 2fa before wiping the old phone, and have tested the manual enrolment process for Google authenticator and it has so far worked well. I've stored the manual recovery code in my password vault (I know there are pros and cons to this, it's worth considering the risk of this before you follow my practice).

Some services also publish recovery codes (Google does, and GitHub for example) and it is worth recording these securely as well just in case there is a 2fa issue.

Finally, some services (including Google and MicroSoft 365) permit the use of a texted SMS OTP if there is an issue with using 2fa, and it is worth recording your phone number with these services where possible (there is a risk of SIM cloning or unauthorised replacement of course, but this is probably smaller than the likelihood of loosing access to the 2fa tokens - your mileage may vary so consider your own likely risks either way).

Like any authentication management process, the use of 2fa needs planning at the time of enrolment: what recovery options are available, what is my process for decommissioning a lost/deleted/compromised authentication token (including access to any app)? Keep a separate register of services and recovery options and prepare for the worst!

It's too late after losing an authentication token - the way back to a normal login process is often very painful and slow.

David Scholefield
  • 1,824
  • 12
  • 21