Tell HN: Recovering 2FA accounts is difficult if your phone is stolen

35 points by givemeethekeys ↗ HN
This morning, my phone and wallet were stolen from my car.

I immediately came home, tried logging into my online banking accounts, but couldn't due to 2FA. Fortunately, I was able to call them to have my credit cards locked. Of course, I won't be able to log in until a replacement phone arrives.

I then tried to log into Gmail and Fastmail. No luck without 2FA. No way to recover the account by providing other personal info that I'm aware of.

There should be a way to provide personal info in order to recover an account when one's phone gets stolen.

34 comments

[ 4.3 ms ] story [ 84.1 ms ] thread
This, in a nutshell, is why I try to use VOIP accounts for 2FA where an SMS is required. The problem is that a service provider can tell if your number is a VoIP or a "real" number and refuse to let you use something like a Twilio or Telnyx number -- even though that would be more secure because someone stealing my phone (or SIM swapping me) wouldn't get them anything.

As for TOTP, I'm personally use BitWarden both for storing passwords and TOTP codes as well. Yes, I know this makes my logins all 1FA if someone can crack into my BitWarden account but that would be difficult (short of torturing the password out of me -- at which point regaining 2FA to my accounts isn't my biggest concern).

(This is also why I use a VoIP number for services like Telegram and Signal.)

I use Google Voice as 2FA for institutions that require SMS, and also backup TOTP tokens on a couple USB drives (it’s part of my routine backup checklist I do twice a year). So far haven’t had any problem even when devices failed or when I was abroad without phone coverage.
I add the TOTP to my 1Password vault, I try not to use SMS for 2FA. That said, I should start keeping a list of all my accounts that _require_ SMS for 2FA
I do the same thing with 1Password. I also created a 1Password label/ tag “sms_2fa” that I throw on all the accounts that required it.

Helps keep track of potential weak spots and it’s easy to go through once a year and see if things have improved

In my segment of reality-as-we-know-it, "2FA" _always_ means "SMS."
I always backup my TOTP secrets to a file on my computer. Android apps like Aegis can automate this, by having an encrypted export to a file anytime you add or change a secret. You can use {Nextcloud, syncthing, etc.} to maintain that export file current with your computer.

If your phone is stolen, you can generate codes manually using a TOTP utility, or by restoring the backup to a new/old phone.

"SMS is not 2FA" x10000. Using it as a Second Factor needs to be regulated by law at this point.

Use a U2F or WebAuthn hardware key + backup codes printed somewhere on actual paper.

It's the same failure mode if you s/phone/token/. Except when it's a token lost/stolen we call it good security like we deserve a pat on the back that they're now fucked out of their accounts.

Yeah, I have backup codes "somewhere secure". That's two states away. What's the latest out of the security community? Do they recommend I carry an extra copy of the codes on my person? Store it the rental lodging/car? Tolerate a week of lost access to my most crucial accounts?

I keep the backup codes in an unmarked file with no extension on drop box not tied to my actual email address. It come in handy at least 5 times.
No it is not the same failure mode. One is unencrypted, unauthenticated, can be intercepted, spoofed, stolen, or shut off at whim. The other is a piece of paper.

This isn't hard.

(comment deleted)
Has anyone gotten a reliable setup working on Graphene (or Calyx/Lineage),

including Yubikey apps, I suppose?

This is part of why I bought an iPad that basically should never leave my home. The TOTP Authenticator app I've been using supports iCloud's secure enclave for backups and worst case I can restore a backup on the iPad and still have access to most of my 2FA sources.

(Also yeah, always prefer TOTP to SMS given the choice.)

Would you mind sharing which app you use?
It's dorky and the opposite of "cool", but I've just been using Microsoft's Authenticator for a while. (I was on Windows Phone when I first set up many of my TOTP logins and it was the only trustworthy TOTP app in that store.) It gets the job done, and I've restored from backups across a couple phones now, so I find it reliable enough for my needs.
Thanks! IMHO "cool" is often overrated. :)
SMS OTPs are a vulnerability in the modern age - sim swapping is rife and like you say, it's a usability problem.

As others have mentioned, something like 1Password for TOTP is perfect - multi-device and not tied to any specific device.

This does somewhat defeat the purpose of 2FA though as both factors are stored in the same place.

The purpose of 2FA is to get "something you know" (a password) as well as something you have (your phone or hardware 2FA device). Storing the 2FA secret in a recoverable format and sharing it between devices significantly weakens this security.

A password should not be "something you know" anyway. If you use a password manager (and you should, because there is no way to store 200+ passwords in your head), then it is "something you have" in your password manager, ideally protected with a single master password that you do know.
I switched to two yubikeys for 2FA and keep the secrets encrypted on a cloud hoster.
I'm sorry to hear that, but it's not exactly surprising and is actually a good thing from a security perspective. It's been proven again and again that account recovery processes are ripe for social engineering attacks.

The answer is to make sure you have backups enabled for any accounts where you setup MFA. For example with your Google account you can setup single use codes for account recovery purposes. Write these down and store them somewhere safe.

Thanks for the tip. I didn't know about single use codes.
Get a yubikey, and never use SMS for MFA.
Not every website supports Yubikey, and some only allow SMS.
Use Authy or some other virtual MFA that you can log into from multiple devices
With Google, you can print a card with 10 single use backup codes. You can also register your land line phone number, they will call you and spell out the code.
My approach is to use Authy, which allows for automated backups and/or to save the original QR code image to an offline encrypted store like KeePass.
When you enabled 2FA with google you should have gotten a sheet of one-time codes to use in case of this situation. do you still have it on a compujter somewhere?
> There should be a way to provide personal info in order to recover an account when one's phone gets stolen.

This causes a security weakness by itself and can end up defeating the 2FA.

You need to use a MFA app that has a backup/export feature.

I've seen one that can export the QR codes to a HTML file then you can print the HTML file and you get a nice paper backup of all the codes.

This is not actually a bug but a feature. Google has its own Backup Account Recovery codes which you shouls have on paper in case you are a 2FA user.
For many services like Google and Github you can create backup codes, very helpful in these situations
Authy has all secret keys backed up. So you can install it on other phone and get back access. (Though it requires SMS or existing device to approve log in)