|Too Long; Didn’t Read|
|If you’re not using 2FA, you should.|
|I foolishly reset my phone without ensuring that I had got the backup codes for all the services I added 2FA to.|
|I had to deactivate and reactive 2FA on all the services with varying degrees of success and difficulty.|
|So always download a text file containing backup or recovery codes in case you find yourself without your primary 2FA device. Otherwise, be prepared to lose your data.|
A simple email and password combination is not enough to prevent bad actors (or hackers, if you will) from accessing your account. This is because possession of the credentials does not guarantee that the person accessing a service is the original user. There are several reasons using only passwords is not ideal:
- Bad passwords - Most people are lazy and use very simple passwords, or reuse the same password for every service they sign up for. A malicious user can use a dictionary-based attack (i.e. looking up commonly used strings of letters and numbers) to gain access quickly. If the password used is small, then simple brute force attacks can also be used to gain access. Credentials are leaked online when miscreants bypass the security of a service and dump any data in the public domain that they can get their hands on. At the very least, people should use a Password Manager like Bitwarden. 〈bitwarden〉
- Phishing 〈phishing〉 scams and Social Engineering - People may have secure passwords, but they may get conned by fake sign up forms. They might even keep their passwords written somewhere, and any person with physical access to their workspace can get their credentials.
- No alternative means of access - If a password is the only thing that allows entry, and if the user loses that password, then they may get locked out. Providing additional steps to the authentication process can allow the original user more flexibility, while simultaneously making it harder for third parties to gain access. These reasons pushed the adoption of additional layers of security for authentication.
Often, companies use physical keys, such as special USB sticks, magnetic cards, for authenticating sessions. We deemed this idea viable for adoption for the general user because there’s always one physical means of verification that is almost always available: the smartphone.
In 2020, we estimate that there are about 3.5 billion smartphone users in the world 〈smartphone-users〉. Nearly half the human population. Therefore, it is a safe bet to assume that most of the people who make use of online services have access to a smartphone (their own, or of someone they trust at the very least). These pocket devices can perform general tasks. One of these include being able to store private keys and generate authentication codes for an extra password-like feature. The phones now act as physical security keys that can ensure a very secure way of authentication, without giving up too much on ease of use for the intended end user. They do this by making use of OTPs or One Time Passwords. One way to get OTPs is through email or SMS. Another is through hardware specific authenticator systems.
There are a few apps available on the Play Store, and the iOS App Store that generate 2FA codes. I use Google Authenticator 〈google-authenticator〉, but I also have Microsoft’s version 〈microsoft-authenticator〉, which functions similarly. The codes generated last for about 30 seconds (depending on the service) and then regenerate, rendering the previously generated string of digits ineffective. This method is good because the timing factor is independent of connectivity. Even if the phone has no access to the internet, or cannot receive SMS (and text message based OTPs), we can still rely on the 2FA codes generated. The only bit of information needed is an initial seed that the app can scan from a barcode or a QR code.
What’s the catch?
The downside is the fact that scanned we cannot share keys to another device. The seed is tied to the device physically. This means to move to another device or reinitialise the 2FA service, the feature has to be first disabled. Then we need to renew the 2FA codes using the new device.
Things get significantly more difficult if you lose access to your account and your authentication codes at the same time. Even if you store your passwords in a password manager, you will have no way of accessing your account. You will need to contact the service providers and ask them to delete your account and it’s related data. Then you need to create a new account and ideally set up 2FA again. Only this time, remember to download the backup codes.
Not All Is Lost, Though
There are cases where you can avoid deleting and recreating accounts though.
- If you’re logged in on another device like another phone or a laptop, you can remove 2FA from your account. Then log in with the simple email and password combo. After that, set up 2FA on the new device.
- Some services like GitLab 〈gitlab-recovery〉 allow the use of devices registered with SSH to generate new authentication codes. Log in using one of these codes and head straight to your security tab. Disconnect your 2FA device. Connect new device for the same. Regenerate new backup codes. Download them.
The thing I’m trying to get at is that having at least two devices logged in simultaneously eases the consequences of losing your 2FA access. You can, if you’re lucky, and if the service provides alternative routes, get away with retaining your account and your personal information. Keep in mind that this increases the need to keep more devices secure and away from unauthorised physical access. If you lose your device, assume that all of your data is public, and it compromises the security of all your accounts.
Online security is an increasingly important issue. Especially because we are at a crucial juncture where most of the work we do is moving online. It is high-time we supplement the basic security of the accounts we create with 2 factor authentication systems. Albeit the process is more involved, the extra level of security (and the ensuing peace of mind) is worth it. The only thing to take care of is preserving the backup codes, in case we lose the physical device needed for verification. We are human, and we will make mistakes. It’s about minimising the chances and having some breathing room in case we get ourselves into a pickle.
Thoughts on this post?
If you have something to say about this post like expressing thanks, pointing out errors or seeking further clarification, feel free to contact me!
I try to reply within a week. You can find other ways to contact me in the contact page.