25 comments

[ 2.5 ms ] story [ 67.1 ms ] thread
So how do they suggest you reset these authenticators when your phone breaks?
First, it is a good idea to setup the authentication on multiple devices. This is not hard to do.

Second, if that happens you are in the same situation as with the phone authentication -> so the disadvantage is the same.

It's not possible to have Google authenticator on multiple devices with the same accounts on it.

It's easy to transfer from one to the other but that doesn't remove the single point of failure.

Solution is to have back up codes for each account.

You can just scan the QR code on multiple devices during setup. I have an old junker phone that I use just for this and being a universal remote that never leaves my end-table.
This is how I do it.

But of course, keeping emergency codes is a good idea too.

I use KeePassXC to store and create my TOTPs. If needed, I can (painfully) type the underlying hash into any app.
This is a problem with Google authenticator, not with RFC 6238 TOTP in general. Plenty of authenticator apps support backing up your secrets.
Indeed. I’m trying to move from Google Authenticator to Authy for that reason - but the inability to backup/export from GA is a PITA... a cruel form of vendor lock-in.
No. For two factor authentication to work the solution needs to be practical for most people. So it can’t involve multiple phones or backup schemes most people aren’t going to implement.

Otherwise you’re going to lock a lot of people out of their accounts which is not acceptable.

Ultimately this typically ends up with a reset scheme that depends on phone numbers or email addresses which means the protection, which is as strong as the weakest link, is worthless.

Backup codes on a paper in your wallet. Multiple devices.
Your company is usually given a privileged management interface to reset it for you.

If you work for an organization with their own PKI then there’s probably also an automated self service reset mechanism using a complicated process.

I strongly recommend Aegis on Android. Encrypted backups of the TOTP config, so you can easily recover it all if you lose your phone without having to reset everything, plus biometric support to unlock it.
I literally hate when services and apps force me to use SMS-based authentication.

When I travel I need to use a different SIM to access reasonably priced internet. Because I don't have a double-SIM phone, that means my other SIM is not active at the moment.

Really dangerous trend is when this SMS confirmation is requested when I don't expect it. Once I was in the Philippines and AirBnb wanted me to verify my authentication attempt. It can be not only frustrating, but dangerous - I have accommodation scheduled and without the access to my home number I could be easily left on the streets in a foreign country.

And my last complaint -> SMS can arrive pretty late when you are in a foreign country. Sometimes too late that the authentication window is closed.

This.

With roaming and rampant robot calls, phone numbers should basically be considered no more static than IPs.

There's a reason iMessage/WhatsApp took over from legacy SMS.

I use cheap android(100$) and that country's SIM, with Verizon (think TMobile also) the phone will work BAU when connected to WiFi in other countries, you will get your normal calls and SMS just as if you are in US.
I am not American, but it doesn't matter.

Yes, of course I can have a second phone or other solution. The point is that SMS-based auth is just worse than the alternatives.

I got a number through https://jmp.chat/ to solve this. Instead of using my real phone number, I use the VOIP number which is accessible over XMPP. Unlike most VOIP nubmers it works with short code numbers. Most services will use the number a couple are dumb and refuse to send messages to it.
Occasionally my logged in Microsoft apps all suddenly re-request the 2f thing. Sometimes in the middle of the night. And when the 2f window pops up you can't tell which app has generated it.
And yet Azure login forces me to use SMS for 2FA.
I use Azure and haven't experienced that to be fair.
It may depend on your AD admins, to be fair. But still, it should be heavily discouraged, if not impossible.
Most of the mentioned attacks are not likely to be used against random members of the general public. And the problems of networks handing out new SIM cards for existing accounts without verifying ID seems to be mostly a US problem.