Ask HN: How do you start over with 2FA after losing your phone?
I left my iPhone in a cab in Costa Rica by mistake. I may as well have thrown it into a volcano.
I have 2FA set up on three dozen different and important online accounts, and it's all through the Google Authenticator app on that iPhone.
Is there a recommended way to go about this problem?
Or have I locked myself out of my entire life?
111 comments
[ 4.4 ms ] story [ 180 ms ] threadThere are two possible outcomes from contacting support for a service, asking to regain control over a 2FA-protected account, both which sucks, but on different levels.
1. You write them, proving who you are, and they tell you to get lost unless you have the 2FA proper codes, or backup codes. This sucks because you still didn't get access.
2. You write them, proving who you are, and they give you access to your account, so you can reset 2FA. This sucks because this means the service is not secure and you/others can be "hacked" because customer support can be exploited.
Backup codes come from the service which is 2FA protected anyways, not from the 2FA authenticator itself.
Edit: oh, reading your message again, are you referring to SMS-based 2FA? I assumed TOTP 2FA in this submission. If you mean SMS-based 2FA, then yeah I agree, makes your account less secure than not having 2FA at all.
If your phone based code system is also available on other accounts, and you can access those other accounts without the phone then maybe. However many people only have a phone, and no other computer (or at least not a computer they use often enough that we can trust the 2fa isn't expired).
The 2fa I've seen mostly has a SMS based fallback, and thus is no more secure than SMS.
Well, you could if you want to. That you don't want to, is a failure on your part, not on "everyone"'s part, since most phones do offer you the feature of setting a sufficiently secure password.
> However many people only have a phone, and no other computer (or at least not a computer they use often enough that we can trust the 2fa isn't expired).
You don't need a second device in order to backup your codes. By leveraging "cryptographic splitting" you can divide a secret into N parts and share them with friends and family, and if you need to regain access, ask them each for their part back and then you can recover from there. Now I guess that's kind of advanced so most people won't/can't do that, but it is possible at least. You could try something like https://iancoleman.io/shamir/ if you're curious about the process, I've done this myself for some things.
Easier solution is to create a encrypted archive with your backups, and upload to various cloud services. As long as the encryption scheme is secure, you'll be safe.
> The 2fa I've seen mostly has a SMS based fallback, and thus is no more secure than SMS.
I'm using TOTP 2FA for 100% of every service I use and that offers it. I think only one requires SMS-based fallback, the rest are optional so obviously I'm not using that.
You mean that you specifically do not have a secure password on your phone because you chose not to. The rest of us use finger print sensors or facial recognition to make our devices as secure as can be. Your argument applies only to you and a handful of people.
The SMS fallback is always combined with your finger print in all applications I've used.
Disable biometrics when handing the phone to somebody else or even remotely (e.g. mark as lost via “find my”).
Good compromise of usability and security.
I never use biometrics to unlock my phone or computer for that reason.
thanks! i always wondered
If this situation happens you can rapidly press the home button with the wrong finger and the phone will demand a pin code. Or you could turn it off. I don't know what recourse people with face unlock have.
I think you’re overextrapolating from your experience. I‘ve used Face ID on my phone for 5-6 years now, and the fingerprint sensors on my recent devices have been very reliable.
The password itself was generated randomly and I managed to memorise it (it took a while).
Loss of a phone with a 2FA authenticator app isn't a security problem, unless one failed to make backups of the 2FA secrets for restauring.
... or re-initialize 2FAs from their original seeds, which are typically hidden under a "set up manually" option during the enrollment process.
I'm concerned about the online accounts for which I don't have backup codes.
Is this a bad way to do backup?
With adequate proof and justification I think you should be able to get back your accounts, that is if your service does allow you to get back your account. One tip is to have multiple phones for 2fa and then just not using the other phone, if you don't use it how can you lose it? (that's what I did since I lost it once).
We really need a third party service that allows you to walk up, have some DNA taken, verify you are who you say you are, and then unlock accounts in these cases. We can have the government do it, they have all our DNA anyway!
If not, you can try reaching out to customer service after you get a new SIM card.
For banking and everything else IRL, you can just walk up to the teller with your ID.
Also: Didn't you backup the 2FA codes somewhere else where you can "sync" them in?
I use Bitwarden Authenticator for 2FA (part of Bitwarden Pro) and it syncs my 2FA codes to all devices where I log on to Bitwarden. That way I avoid a single point of failure. Consider that the next time around :)
As a meta-comment on this thread itself... That even people here on HN can enable and make use of 2FA incorrectly is the reason it will never be a viable way to protect accounts for "everyone and their grandmother".
It's too complex, and we need something better.
The recovery codes as implemented are not useful backups for most people. Telling people to use them is the wrong answer.
Sadly I know the above, but I don't have a better solution. It is a hard problem.
I'm concerned about the online accounts for which I don't have backup codes.
Without those options, now that you lost the only second factor, you have to reach out and convince the service providers that you're you. Good luck.
You can prevent this for the future by pretend you can read the QR codes and getting the secret string allowing you to set up across multiple devices.
Your best best would be contacting support for individual accounts and hoping you have enough historical information to be approved access.
My solution, trust in 1Password and it's encryption, I have access to my 2fa anywhere I need but it a computer, phone, tablette.
Soon it will be passkeys and they'll be safe in the 1Password vault, no worrying about losing the device w/ the keys again.
Putting second factor material in password managers is terrible advice. For reasons unknown to me, it might be the right solution for you. But in general, it defeats the two factor authentication purpose if you reduce the factors again to knowledge alone.
The whole point of tfa is, that the second factor is something you possess and not something you know (which is the first factor).
For the more common attacks I expect to encounter, namely a single password being leaked, a password manager is still based on something I "possess" (to an extent) - the decrypted password vault. It's separate from the single password that's likely to have been compromised in the most common scenario.
Of course, if my whole vault is compromised, then yes, storing my 2-factor in there made my life worse than the alternative. I just don't see that as anywhere near as likely a scenario as an individual account being compromised. Having 2-factor enabled in a less secure method is still better than not having 2-factor enabled at all.
Basically, there's nuance to this, it's not the extreme you present - a more in-depth comment on this: https://security.stackexchange.com/questions/150448/is-it-se...
It was in my hand one second and then I got out and it wasn't.
I've had to contact each organization I have 2fa with and get 2fa reset through personal identification measures.
For my company that meant a quick zoom call. For banking that meant driver's license scans and photos of me.
You'll have to work with your 2fa providers.
Restore the backup of your phone which you have locally in iTunes, or in iCloud.
(And, before you lose it, take a backup)
If you have the recovery codes and got access again, then you can get a bit more redundancy in your system by also setting up security keys such as a Yubikey. These keys can be added next to your authenticator app(s).
If you don't have the backup codes or the one-time codes, you're going to have a problem and you'll need to contact the services to somehow let you in or take off 2FA. Depending on what the service is, it might get very tedious.
Does it block you from taking a screenshot? Maybe you could screenshot it and then zoom in the gallery app.
If you can get a copy of that QR code off of the small device using the photo trick, besides using it to import your accounts to Google Authenticator (GA) on your new device you might consider extracting the codes from the backup so you can store them someplace secure separately. That way you can use them to set up TOTP apps other than GA.
Here's how you could do that. First, you need to get the QR code from GA to something that can read the QR code and display its contents. The text in the GA code is otpauth-migration://offline?data=... where the ... part is apparently a base64 encoded Google protocol buffer.
Once you've got that otpauth-migration URL this program that showed up when searching for information on those URLs can help: otpauth [1].
will decode it and give you the otpauth://totp URLs that were in the original QR codes that you originally set up your accounts with. will generate a PNG file for each account, name after the account name and site name, and containing the QR code for the account.Going forward, save those PNGs somewhere secure (I use an encrypted tar file). Any new accounts you set up save the QR codes for those as PNGs and add them to your collection. If you keep that collection up to date you will be able to readily handle any device updates or replacements readily or adding new TOTP apps.
[1] https://github.com/dim13/otpauth
FWIW, this is the reason I use Authy, it works nicely with backup/restore. Beware that Authy has a cloud backup/multi device function that I personally keep off. Another option would be 1password, though I’d personally won’t mix passwords and 2fa codes in the same app.
Assuming the worst case where you can’t recover the codes, and assuming it course you never stored the offline codes, you have to go through the process of recovering 2fa.
This usually requires submitting documents that prove who you are, and waiting 1-2 weeks. So the only recommendation is to begin this process asap.
And while you re-setup 2fa make sure you either keep a backup or use an app that works when you backup+restore your phone, Im sure others will provide more options. Good luck!
My old phone died and I had no way of getting into some of my 2FA secured accounts a while back and it was a wakeup call that eventually led to using Authy.
Providing any services that I don't have backup codes with identity documents solve the problem. Never had issue with any service but it's annoying.
If you have to use TOTP codes be religious about saving your backup codes. Otherwise, using multiple security keys means you can recover from losing one, with the bonus of phishing protection (since they can't be tricked into supplying your codes to the wrong domain).
I'm not sure what avoiding Google Authenticator has to do with that. You can store the keys separately for any TOTP app. That's kind of inherent in the way TOTP works.