Dear Lifehacker, My work wants me to enable two-factor authentication on my phone, but it seems risky. What happens if I lose my phone? Will I lose my entire account? And if I change phones, how do I move the authenticator to a new device? Thanks, Two-Factor Security Concerns
Photo by Dan Taylor
Two-factor authentication is an essential security measure that uses your phone to help prevent unauthorised access to your account. You're right that it makes it harder to access your account if you lose your phone, but that's also sort of the point.
Two-factor authentication, by its very nature, is designed to prevent access to your accounts if you don't have access to your phone. Therefore, there aren't many ways to circumvent this requirement after the fact. There are many ways to prevent this problem from happening, however. So don't wait until you lose your phone to set them up. (If you're currently locked out, you can skip ahead to the last section.)
The Obvious: Change Your Authenticator Device In Your Account Settings
If you know you're changing phones, it's usually very easy to change which device you use for authentication — you just need to make sure you do it before you sell your old phone. If you use SMS, changing phones shouldn't matter. Simply activate your new phone and the codes will come to your phone number. If you use an authenticator app, though (we recommend Authy below), you can swap phones in your account settings.
For easy access, here are a few links to where you can change your two-factor settings if you already have it enabled for some common services. Note, these links will probably only work if you're logged in to your account.
- LastPass: Open LastPass on the web, click Settings > Multifactor Options
The process differs from service to service, but the basic principle is the same. You'll install an app on your new device, scan a barcode or enter a code from the web site in question, and confirm that you're in possession of the device. In most cases, old authenticators will stop working, so make sure you're sure before you swap.
Write Down Your One-Use Backup Codes
Many two-factor services will give you a set of codes that can only be used to access your account once. After each code is used, it's gone. Most of the time you can access these in the same place where you change your two-factor authentication settings to begin with.
You've probably heard that you shouldn't write down your password (and you can't write down regular authentication codes), but these one-use codes are an exception. You should definitely print them or write them down and keep them in a place where you can find them. Ideally, they would be separate from your phone, perhaps in a fireproof box or safe with other important paper documents.
Unlike your authenticator codes, these one-use codes don't change. Most sites will also tell you when they have been used, or at least mark them off of the usable code lists. For example, Google offers ten backup codes. When you use one, the list of codes drops from ten to nine (they aren't replenished immediately), and you get an email saying that the code has been used. This means that even if someone finds your backup codes and uses them to access your account, it would be difficult for them to do so undetected.
Enable Authy's Synced Authentication Tokens
One-use codes are OK for emergencies, but if you're looking for a more convenient method (or switch devices often), you can sync your tokens to other devices — like a tablet or a laptop — with a third-party authenticator. As we've discussed previously, Authy is a great app for managing your two-factor accounts on the iPhone, Android, and even your computer. Not only does this give you a "backup" device in case you lose your phone, but it also makes it very easy to migrate your tokens from one device to another (say, if you're getting a new phone). Just sync the new device and deauthorise the old one.
In order to set up synced tokens on your devices, you'll need to first setup Authy as your primary two-factor manager. If you're currently using Google Authenticator or another app to get your codes, you'll need to go to the settings links in the first section and set up Authy as if it were a new device. Then, follow these steps to enable access from a second device:
- Open Settings in Authy on your primary device and tap Devices.
- Enable "Allow multi-device."
- On your second device, install Authy.
- When you first open the app, it will prompt you for a phone number. Enter the phone number of your primary device.
- In the popup that says "Get Account Verification Via", tap "Use Existing Device."
- On your primary device you will get a notification that asks you to verify the addition of a new device. Tap "Accept."
- Type "OK" in the box prompting you to ensure you approve of this decision.
- Go back to Settings on your primary device and tap "Devices" again.
- Disable "Allow multi-device." This prevents any additional devices from being added, while your existing connected devices stay active.
When you're done, you'll have a second device connected to any two-factor services you add to Authy. It's also a good idea to enable a PIN code for all of the devices you've connected to Authy (you'll need to do this for every device individually in Settings). That way, even if someone gets access, it's harder for them to see your codes.
For those concerned about the security of this method: all of your authentication tokens are encrypted locally (using a complex password, not the four-digit PIN that protects the app itself), so neither Authy's servers, nor any snooping third-party along the way should be able to access the tokens. So, unless your adversary is capable of three trillion guesses per second, most average users should be ok to sync tokens. If you're wary of using Authy to sync codes, stick to the one-use backup codes in the section above. Though, even if you don't use the sync feature, Authy is still worthwhile as it offers PIN protection of your codes, while Google's Authenticator app does not.
Get A Replacement Phone For Backup SMS Codes
While some authentication methods require an app, nearly all at least offer the use of an SMS code as a backup option. It's not the most timely solution, but if you lose your phone, getting a backup device will allow you to send text messages to the phone number attached to your account. Once you have a replacement phone, try to log in to your account and select the option that says something to the effect of "Problems with your code?" Typically there will be an option to send a backup code to your phone number.
Obviously, if you haven't set up a phone number attached to your account, you should do so now. Even if you prefer to use authenticator apps instead of SMS, it's important to have the backup option. Some sites will allow you to add multiple backup phone numbers, so if you have a trusted spouse, friend, or even a secondary Google Voice number, you could add that as well.
What To Do If You Get Locked Out (And Haven't Prepared)
Most companies are aware that their customers won't always put best practices into place. While you have several ways to prepare for the worst, stuff happens. Your phone fell down a well, you lost your sticky note with the backup codes, and today just happened to be the day your Google account asked you to re-verify. Bad luck.
You can sometimes still call the company that runs the service you're trying to access. The bad news is, this can often take several business days to fix, assuming the company can do it. Other companies (notably Evernote) will tell you that if the backup options fail, they are unable to provide you with access to your account. This is why it's important to stay on top of your backup options. However, in the event the worst happens, here are some links with information on how (or if) you can get access to your account back for various services:
Changing to a new phone should be fairly easy as long as you're prepared for the process. If you've lost your phone, that's a bit harder, however most problems can be solved with a level of preparation. Two-factor authentication means making it harder to access your account on purpose, so don't just enable it and walk away. Be sure to give yourself options in case the worst happens.
Got your own question you want to put to Lifehacker? Send it using our contact form.