The ugly side of 2FA
How not to use 2 Factor Authentication!
I like security. I like to keep up to date, and I use 2 factor authentication on most if not all of my online accounts. I got to the point where I had that warm fuzzy feeling that I actually knew what I was doing. I’ve had a wild last couple of weeks that were not fun for me but hopefully you’ll get a laugh or 2 out of it.
Go get yourself a coffee and come back. You’re going to want to pay attention on this one.
I recently had to send my trusty two-year-old OnePlus 3 in for service because its battery had died over time. During the weeks my smartphone went on vacation to Poland, I got to use this thing that I kept in an old shoe box:
Mine looks even older than the one in the photo, of course.
So I got to trade in my mobile internet access in exchange for the classic Snake game, another fancy space shooter game, 7 days of battery per charge and some old SMS messages from 2010.
I goofed around with people telling them something like “Have I shown you that funny picture of my dog yet?” or in other cases “Let me take a picture of that!” and then taking out this old thing from my pocket. Hardly failed to get a laugh!
Backing up a smartphone - the professional way
Now let’s go back in time to when I still had access to all of my accounts and Gmail on my phone. I was careful, of course, and before shipping my phone to warranty I backed up what I could remember. Contacts, photos and movies, some downloads I had accumulated over time and that’s pretty much it.
I even made a checklist with everything that needed backing up, which really made it look like I knew what I was doing. Previously I had logged in to my Google account, and in the security menu I saw an option for the Google Authenticator which reassured me that no backing up would have to take place for this app:
Clicking the Change Phone option once I had my phone back would be all that I’d need to do!
If you’re familiar with Murphy’s law you’ve already figured it out, but not me. At this point in time I’m worried about how bad I’ve become at Snake from all of the years I stopped playing.
I mean… Phones get lost all the time, right? Or stolen…? Right? If I have a Google Authenticator account it’s just going to sync back once I reinstall the app.
The Google Authenticator app does not have backup behaviour, and the option listed above is only to reset the 2FA key for my Google account. It does not concern any other keys I had on the Authenticator app.
I found out I was in deep shit when I was trying to access an account for a website that will remain unnamed. I loaded up the login page on my laptop, promptly entered my credentials and took a sip of water. When I looked back at my screen asking for the 2FA token, I went “oh yeah”, reached into my pocket and took out the trusty Nokia 1100, increasingly slowly as I realised what I had done and the trouble I was going to have to go through, not even considering that some of the accounts could be gone for good.
Have you ever gotten one of those sinking feelings when you know you really messed up?
As I looked at the blinking cursor waiting for my input in the final login step, my brain scrambled into enumerating all of the accounts I might have locked myself out of, as well as backup methods to get back in.
Agony, anguish, affliction
8 accounts affected. You can imagine some of them, of course. GitHub, all of my social media accounts, plus others I’m not really keen on sharing.
Social media accounts already have a backup 2FA method - your phone number, if you were willing to share it before. GitHub also asked for my phone number pretty early on so I didn’t lose that account.
There were 2 particular anonymous accounts which unfortunately were locked out - one because of a buggy backup 2FA step, and another because I was stupid enough not to write the backup key somewhere knowing that I had no phone number linked to that account. I think I wrote it down, but I’ve scoured my flat and there seems to be no piece of paper with a 16 character sequence like the ones Google Authenticator uses. 😞
I was able to regain access to the account on the website with the broken 2FA backup step by email within a few days. The other one… was almost lost for good.
The good people at the company where the account is held were firm in telling me I would not regain access unless I proved to be the owner of the account[1], which ultimately ended up with me sending tons of information for them to cross-reference[2].
I am now more aware that using 2FA correctly takes some work. I have made arrangements for several backups to be stored in printed form at secure locations on different continents. I will also keep encrypted copies on an external drive.
Fortunately, despite my idiocy, I was eventually able to regain access to all accounts. But the reason I am writing about this, aside from the comedy factor, is that maybe you have an account with 2FA enabled and no proper backup set up. This is your reminder to do it soon, or else you might end up like I did, or worse.
[1] Which is a good thing: it gave me confidence that in an eventual impersonation attempt, or even if my email account was breached, they would not hand over the account to any wrong-doer.
[2] In case you’re wondering what I had to give, the list of information includes my history of IP addresses, dates and times of the last successful logins and last significant account changes. Some of this information was missing, but I had other smaller pieces of data that, in tandem with the first items on this list, made it enough to prove the ownership of my account.