Tell HN: Recovering 2FA accounts is difficult if your phone is stolen
This morning, my phone and wallet were stolen from my car.
I immediately came home, tried logging into my online banking accounts, but couldn't due to 2FA. Fortunately, I was able to call them to have my credit cards locked. Of course, I won't be able to log in until a replacement phone arrives.
I then tried to log into Gmail and Fastmail. No luck without 2FA. No way to recover the account by providing other personal info that I'm aware of.
There should be a way to provide personal info in order to recover an account when one's phone gets stolen.
34 comments
[ 4.3 ms ] story [ 84.1 ms ] threadAs for TOTP, I'm personally use BitWarden both for storing passwords and TOTP codes as well. Yes, I know this makes my logins all 1FA if someone can crack into my BitWarden account but that would be difficult (short of torturing the password out of me -- at which point regaining 2FA to my accounts isn't my biggest concern).
(This is also why I use a VoIP number for services like Telegram and Signal.)
Helps keep track of potential weak spots and it’s easy to go through once a year and see if things have improved
If your phone is stolen, you can generate codes manually using a TOTP utility, or by restoring the backup to a new/old phone.
Use a U2F or WebAuthn hardware key + backup codes printed somewhere on actual paper.
Yeah, I have backup codes "somewhere secure". That's two states away. What's the latest out of the security community? Do they recommend I carry an extra copy of the codes on my person? Store it the rental lodging/car? Tolerate a week of lost access to my most crucial accounts?
This isn't hard.
including Yubikey apps, I suppose?
(Also yeah, always prefer TOTP to SMS given the choice.)
As others have mentioned, something like 1Password for TOTP is perfect - multi-device and not tied to any specific device.
The purpose of 2FA is to get "something you know" (a password) as well as something you have (your phone or hardware 2FA device). Storing the 2FA secret in a recoverable format and sharing it between devices significantly weakens this security.
The answer is to make sure you have backups enabled for any accounts where you setup MFA. For example with your Google account you can setup single use codes for account recovery purposes. Write these down and store them somewhere safe.
This causes a security weakness by itself and can end up defeating the 2FA.
You need to use a MFA app that has a backup/export feature.
I've seen one that can export the QR codes to a HTML file then you can print the HTML file and you get a nice paper backup of all the codes.