Ask LH: What Happens If I Use Two-Factor Authentication And Lose My Phone?

8 years ago

June 2, 2016 at 1:30 pm

Ask LH: What Happens If I Use Two-Factor Authentication And Lose My Phone?

Dear Lifehacker, My work wants me to enable two-factor authentication on my phone, but it seems risky. What happens if I lose my phone? Will I lose my entire account? And if I change phones, how do I move the authenticator to a new device? Thanks, Two-Factor Security Concerns

Photo by Dan Taylor

Dear 2FSC,

Two-factor authentication is an essential security measure that uses your phone to help prevent unauthorised access to your account. You’re right that it makes it harder to access your account if you lose your phone, but that’s also sort of the point.

Two-factor authentication, by its very nature, is designed to prevent access to your accounts if you don’t have access to your phone. Therefore, there aren’t many ways to circumvent this requirement after the fact. There are many ways to prevent this problem from happening, however. So don’t wait until you lose your phone to set them up. (If you’re currently locked out, you can skip ahead to the last section.)

The Obvious: Change Your Authenticator Device In Your Account Settings

If you know you’re changing phones, it’s usually very easy to change which device you use for authentication — you just need to make sure you do it before you sell your old phone. If you use SMS, changing phones shouldn’t matter. Simply activate your new phone and the codes will come to your phone number. If you use an authenticator app, though (we recommend Authy below), you can swap phones in your account settings.

For easy access, here are a few links to where you can change your two-factor settings if you already have it enabled for some common services. Note, these links will probably only work if you’re logged in to your account.

Google
Dropbox
Evernote
Twitter
Facebook
LastPass: Open LastPass on the web, click Settings > Multifactor Options

The process differs from service to service, but the basic principle is the same. You’ll install an app on your new device, scan a barcode or enter a code from the web site in question, and confirm that you’re in possession of the device. In most cases, old authenticators will stop working, so make sure you’re sure before you swap.

Write Down Your One-Use Backup Codes

Many two-factor services will give you a set of codes that can only be used to access your account once. After each code is used, it’s gone. Most of the time you can access these in the same place where you change your two-factor authentication settings to begin with.

You’ve probably heard that you shouldn’t write down your password (and you can’t write down regular authentication codes), but these one-use codes are an exception. You should definitely print them or write them down and keep them in a place where you can find them. Ideally, they would be separate from your phone, perhaps in a fireproof box or safe with other important paper documents.

Unlike your authenticator codes, these one-use codes don’t change. Most sites will also tell you when they have been used, or at least mark them off of the usable code lists. For example, Google offers ten backup codes. When you use one, the list of codes drops from ten to nine (they aren’t replenished immediately), and you get an email saying that the code has been used. This means that even if someone finds your backup codes and uses them to access your account, it would be difficult for them to do so undetected.

Enable Authy’s Synced Authentication Tokens

One-use codes are OK for emergencies, but if you’re looking for a more convenient method (or switch devices often), you can sync your tokens to other devices — like a tablet or a laptop — with a third-party authenticator. As we’ve discussed previously, Authy is a great app for managing your two-factor accounts on the iPhone, Android, and even your computer. Not only does this give you a “backup” device in case you lose your phone, but it also makes it very easy to migrate your tokens from one device to another (say, if you’re getting a new phone). Just sync the new device and deauthorise the old one.

In order to set up synced tokens on your devices, you’ll need to first setup Authy as your primary two-factor manager. If you’re currently using Google Authenticator or another app to get your codes, you’ll need to go to the settings links in the first section and set up Authy as if it were a new device. Then, follow these steps to enable access from a second device:

Open Settings in Authy on your primary device and tap Devices.
Enable “Allow multi-device.”
On your second device, install Authy.
When you first open the app, it will prompt you for a phone number. Enter the phone number of your primary device.
In the popup that says “Get Account Verification Via”, tap “Use Existing Device.”
On your primary device you will get a notification that asks you to verify the addition of a new device. Tap “Accept.”
Type “OK” in the box prompting you to ensure you approve of this decision.
Go back to Settings on your primary device and tap “Devices” again.
Disable “Allow multi-device.” This prevents any additional devices from being added, while your existing connected devices stay active.

When you’re done, you’ll have a second device connected to any two-factor services you add to Authy. It’s also a good idea to enable a PIN code for all of the devices you’ve connected to Authy (you’ll need to do this for every device individually in Settings). That way, even if someone gets access, it’s harder for them to see your codes.

For those concerned about the security of this method: all of your authentication tokens are encrypted locally (using a complex password, not the four-digit PIN that protects the app itself), so neither Authy’s servers, nor any snooping third-party along the way should be able to access the tokens. So, unless your adversary is capable of three trillion guesses per second, most average users should be ok to sync tokens. If you’re wary of using Authy to sync codes, stick to the one-use backup codes in the section above. Though, even if you don’t use the sync feature, Authy is still worthwhile as it offers PIN protection of your codes, while Google’s Authenticator app does not.

Get A Replacement Phone For Backup SMS Codes

While some authentication methods require an app, nearly all at least offer the use of an SMS code as a backup option. It’s not the most timely solution, but if you lose your phone, getting a backup device will allow you to send text messages to the phone number attached to your account. Once you have a replacement phone, try to log in to your account and select the option that says something to the effect of “Problems with your code?” Typically there will be an option to send a backup code to your phone number.

Obviously, if you haven’t set up a phone number attached to your account, you should do so now. Even if you prefer to use authenticator apps instead of SMS, it’s important to have the backup option. Some sites will allow you to add multiple backup phone numbers, so if you have a trusted spouse, friend, or even a secondary Google Voice number, you could add that as well.

What To Do If You Get Locked Out (And Haven’t Prepared)

Most companies are aware that their customers won’t always put best practices into place. While you have several ways to prepare for the worst, stuff happens. Your phone fell down a well, you lost your sticky note with the backup codes, and today just happened to be the day your Google account asked you to re-verify. Bad luck.

You can sometimes still call the company that runs the service you’re trying to access. The bad news is, this can often take several business days to fix, assuming the company can do it. Other companies (notably Evernote) will tell you that if the backup options fail, they are unable to provide you with access to your account. This is why it’s important to stay on top of your backup options. However, in the event the worst happens, here are some links with information on how (or if) you can get access to your account back for various services:

Changing to a new phone should be fairly easy as long as you’re prepared for the process. If you’ve lost your phone, that’s a bit harder, however most problems can be solved with a level of preparation. Two-factor authentication means making it harder to access your account on purpose, so don’t just enable it and walk away. Be sure to give yourself options in case the worst happens.

Cheers
Lifehacker

Got your own question you want to put to Lifehacker? Send it using our [contact text=”contact form”].

Comments

2 responses to “Ask LH: What Happens If I Use Two-Factor Authentication And Lose My Phone?”

READ THE COMMENTS

aynema

May 2, 2016

I’ve had this happen and one thing I recommend if the service supports it is to have two mobile numbers attached to the account.
I’ve generally got all my services set to email my primary Google Apps account with recovery details if I need them and then my Google Apps account has both mine & my Partners mobiles.

Basically if I loose my phone so I can’t get SMS or my 2 Factor authentication tokens then I can at least get access to my Google Apps account via my Partners mobile and from there recover access to other services.

Worst case scenario though is both of us loose our phones at the same time. I’ll just have to wait until Telstra can provide me with a new SIM for my number and then go from there.

I recommend whole hardheartedly though to enable 2-Factor Auth on any service that supports it. It makes logging in a little more cumbersome but it’s worth it for the increased security given the ease of password ‘theft’ It’s extremely easy these days to be fooled into entering your login details because you don’t know better or a lapse in judgement.
Plus how many people use the same password for everything, I’m an IT Consultant and even I use only a couple of passwords for things. ie General use one, Google Apps one and bank one but if your going to do that make it as long as possible to decrease brute force effectiveness.
cryptonemesis

June 3, 2016

Some options:
1. Print out the QR code used to set up two-step verification and keep it in a safe.
2. Do a PrtScn of the QR code used to set up two-step verification, encrypt using 7-zip (and a secure passphrase) and store on a thumb-drive that is not attached to an Internet-connected device.
3. Scan the QR code used to set up two-step verification with both your own device and a trusted partner/friend (they won’t be able to sign in to your account without your password as well)
4. Use Google Authenticator on your desktop (got this idea from here: http://www.labnol.org/internet/google-authenticator-for-desktop/25341/)
5. My personal favourite—use a YubiKey NEO to store OATH credentials and use Yubico Authenticator for Desktop and/or Yubico Authenticator for Android to produce TOTP.

The Best Gadgets to Turn Your Regular Kitchen Into a Smart One

11 Games (That Aren’t Fallout) To Play After Watching Fallout

The Unbreakable Rules of Sharing a Fence With Your Neighbour

This Mini PC Is a Cute, Surprisingly Powerful Love Letter to Retro Computing

My Favorite Productivity Advice From Books (so You Don’t Have to Read Them All)

The Best Mobile Plans to Keep Your Phone Bill Under $30

Here Are Amazon Australia’s Best Deals of the Week

Here Are the Fastest Internet Providers and NBN Plans in Australia

19 Sustainable Mother’s Day Gifts That’ll Show Some Love to Your Mum and the Planet

Save up to $300 on Optus’ Biggest SIM-Only Plan Bundle