Ask HN: How do you start over with 2FA after losing your phone?

78 points by jononomo ↗ HN
I left my iPhone in a cab in Costa Rica by mistake. I may as well have thrown it into a volcano.

I have 2FA set up on three dozen different and important online accounts, and it's all through the Google Authenticator app on that iPhone.

Is there a recommended way to go about this problem?

Or have I locked myself out of my entire life?

111 comments

[ 4.4 ms ] story [ 180 ms ] thread
Use your backup codes that you've downloaded and safe-kept somewhere (you did this right?). If not, I'm afraid you're out of luck.

There are two possible outcomes from contacting support for a service, asking to regain control over a 2FA-protected account, both which sucks, but on different levels.

1. You write them, proving who you are, and they tell you to get lost unless you have the 2FA proper codes, or backup codes. This sucks because you still didn't get access.

2. You write them, proving who you are, and they give you access to your account, so you can reset 2FA. This sucks because this means the service is not secure and you/others can be "hacked" because customer support can be exploited.

This is why phone based 2fa is not secure and not recommended. Sure it is easy, but it isn't secure in important ways
What? Where the 2FA codes come from isn't relevant, as long as the device (laptop, phone, desktop, hardware) is protected in some way or another (like password).

Backup codes come from the service which is 2FA protected anyways, not from the 2FA authenticator itself.

Edit: oh, reading your message again, are you referring to SMS-based 2FA? I assumed TOTP 2FA in this submission. If you mean SMS-based 2FA, then yeah I agree, makes your account less secure than not having 2FA at all.

I'm pretty sure he talks about totp too.
Nobody has a secure password on their phone, so your requirement fails. There is no way to get a secure password on a phone as one of the requirements of a phone is quick access, and no fast password is secure. (maybe finger prints, but I have found them unreliable and so I quit using them)

If your phone based code system is also available on other accounts, and you can access those other accounts without the phone then maybe. However many people only have a phone, and no other computer (or at least not a computer they use often enough that we can trust the 2fa isn't expired).

The 2fa I've seen mostly has a SMS based fallback, and thus is no more secure than SMS.

> Nobody has a secure password on their phone, so your requirement fails.

Well, you could if you want to. That you don't want to, is a failure on your part, not on "everyone"'s part, since most phones do offer you the feature of setting a sufficiently secure password.

> However many people only have a phone, and no other computer (or at least not a computer they use often enough that we can trust the 2fa isn't expired).

You don't need a second device in order to backup your codes. By leveraging "cryptographic splitting" you can divide a secret into N parts and share them with friends and family, and if you need to regain access, ask them each for their part back and then you can recover from there. Now I guess that's kind of advanced so most people won't/can't do that, but it is possible at least. You could try something like https://iancoleman.io/shamir/ if you're curious about the process, I've done this myself for some things.

Easier solution is to create a encrypted archive with your backups, and upload to various cloud services. As long as the encryption scheme is secure, you'll be safe.

> The 2fa I've seen mostly has a SMS based fallback, and thus is no more secure than SMS.

I'm using TOTP 2FA for 100% of every service I use and that offers it. I think only one requires SMS-based fallback, the rest are optional so obviously I'm not using that.

> Nobody has a secure password on their phone, so your requirement fails. > maybe finger prints, but I have found them unreliable and so I quit using them

You mean that you specifically do not have a secure password on your phone because you chose not to. The rest of us use finger print sensors or facial recognition to make our devices as secure as can be. Your argument applies only to you and a handful of people.

The SMS fallback is always combined with your finger print in all applications I've used.

How long is the pin code that can be used to log-in into your phone and likely must be used when you restart it? 4-6 digits?
Use a long passphrase and unlock via biometrics.

Disable biometrics when handing the phone to somebody else or even remotely (e.g. mark as lost via “find my”).

Good compromise of usability and security.

Biometric phone security is only secure until a judge or police officer compels you to unlock your phone; and legally you must comply, because your face or finger aren't speech. However, if you use a passphrase, (at least in the US and other countries with string freedom of speech laws) you can't be legally compelled to unlock the phone, as that would impinge on freedom of speech.

I never use biometrics to unlock my phone or computer for that reason.

On iPhones you can press Volume Down + Power to disable biometrics (faceid) before you hand it to somebody else or when going through customs etc. It will require your passphrase to unlock then.
so the main usecase of this feature is to defeat the nice policeman/customs officer?

thanks! i always wondered

That certainly is a case. Or they could torture and threaten you to give the password.

If this situation happens you can rapidly press the home button with the wrong finger and the phone will demand a pin code. Or you could turn it off. I don't know what recourse people with face unlock have.

Android: long press power, tap lockdown. Your entire point is now just inaccurate. I do this when going through security checkpoints, if I were to get pulled over, and Android auto trihgers it under abnormal conditions upon which I have a decently long device-specific password.
On iOS you can disable face and Touch ID with Siri “who’s phone is this” or by tapping the power button.
> Nobody has a secure password on their phone, so your requirement fails. There is no way to get a secure password on a phone as one of the requirements of a phone is quick access, and no fast password is secure. (maybe finger prints, but I have found them unreliable and so I quit using them)

I think you’re overextrapolating from your experience. I‘ve used Face ID on my phone for 5-6 years now, and the fingerprint sensors on my recent devices have been very reliable.

Idk how secure this is, but my iPhone is protected with Face ID and a 16-character long password with a mix of upper and lower case letters, numbers and symbols.

The password itself was generated randomly and I managed to memorise it (it took a while).

What is recommended?
No, SMS-based 2FA is the security problem due to SIM-swapping attacks.

Loss of a phone with a 2FA authenticator app isn't a security problem, unless one failed to make backups of the 2FA secrets for restauring.

I so wish u2f/yubikey was supported on all websites :-(
I use the yubikey authenticator app for the ones that don't. The secrets are saved on the key and you can password protect it... and as with all keys back it up to your spare.
When you're traveling to Costa Rica, where do you keep your spare? Do you stay locked out until you get home? What if you're a nomad and you don't have a 'home'?
One of my spares is usually with my spouse (it's still password protect) and if both get lost I kinda deserve to be logged out until I get home.
> Use your backup codes that you've downloaded and safe-kept somewhere

... or re-initialize 2FAs from their original seeds, which are typically hidden under a "set up manually" option during the enrollment process.

I have backup codes saved in 1Password for maybe 10% of the online accounts with which I use 2FA + Google Authenticator.

I'm concerned about the online accounts for which I don't have backup codes.

I have Google Authenticator and Authy running on both my iPhone and my iPad (which always stays at home)

Is this a bad way to do backup?

This is what the recovery/backup codes are for. Unless you have saved them somewhere i would assume you have lost access unless each service has a support path for you
This same thing happened to me with Discord once, I just wrote to them and filed a complaint saying my account got "hacked" and that the hacker changed the 2fa mobile number.

With adequate proof and justification I think you should be able to get back your accounts, that is if your service does allow you to get back your account. One tip is to have multiple phones for 2fa and then just not using the other phone, if you don't use it how can you lose it? (that's what I did since I lost it once).

Why did you decide to lie in your complaint?
Yeah, this is disturbing. He's admitting he used social engineering to get back into his own locked account and he's happy that it worked. Assuming he did this over email / web the "proof" he sent them was probably a photo of driver's license which really doesn't prove ownership of identity when your account was just hacked.

We really need a third party service that allows you to walk up, have some DNA taken, verify you are who you say you are, and then unlock accounts in these cases. We can have the government do it, they have all our DNA anyway!

This isn’t secure against evil twins.
Pretty much every single one of these threads is about half full of people demanding more, larger foot-guns with which to shoot themselves because they just can't be bothered (just assure you'll hear when they're eventually locked out, etc).
As specified when activating MFA, did you download (and print) your backup codes? If so, use them to re-enroll a new device into MFA.

If not, you can try reaching out to customer service after you get a new SIM card.

For banking and everything else IRL, you can just walk up to the teller with your ID.

Using an auth app that supports encryted cloud backups, like bitwarden, ms auth, etc
If the site supports FIDO2 I use my yubikey.
When you enable 2FA you are on pretty much every service asked to download recovery-codes, and save them somewhere safe. Did you do that, and if not, why not?

Also: Didn't you backup the 2FA codes somewhere else where you can "sync" them in?

I use Bitwarden Authenticator for 2FA (part of Bitwarden Pro) and it syncs my 2FA codes to all devices where I log on to Bitwarden. That way I avoid a single point of failure. Consider that the next time around :)

As a meta-comment on this thread itself... That even people here on HN can enable and make use of 2FA incorrectly is the reason it will never be a viable way to protect accounts for "everyone and their grandmother".

It's too complex, and we need something better.

Where do you download those codes that is safe and secure? Everything I can think of, I can also think of a counter that means that mode is likely to fail. I'm a professional in the computer industry, so i'm more aware of possible failure modes than most people, but I also am aware of safe storage modes that most people don't have.

The recovery codes as implemented are not useful backups for most people. Telling people to use them is the wrong answer.

Sadly I know the above, but I don't have a better solution. It is a hard problem.

Security is layered. A backup code is only useful with the password, and your password is only useful with a second factor. You can be fairly liberal with storing your backup codes: make a couple of copies, keep them in secure places (one at home, one in your office). I agree that backup codes aren’t perfect but they’re pretty robust.
Download, print, and store them in a safe or safe deposit box. It's not like people lose their phone often.
I have the backup codes of my most important account (email) printed and in my wallet. Without a hint to which account they belong. This helped me multiple times, where my phone was not available. I would recommend this to everyone, who uses 2fa.
I have backup codes saved in 1Password for maybe 10% of the online accounts with which I use 2FA + Google Authenticator.

I'm concerned about the online accounts for which I don't have backup codes.

The solid way to do it is to have a backup, like another second factor enrolled and stored in a safe place. Or to have recovery codes.

Without those options, now that you lost the only second factor, you have to reach out and convince the service providers that you're you. Good luck.

Unfortunately not unless you have recovery codes.

You can prevent this for the future by pretend you can read the QR codes and getting the secret string allowing you to set up across multiple devices.

Your best best would be contacting support for individual accounts and hoping you have enough historical information to be approved access.

I've never trusted a single device for two factor authentification,

My solution, trust in 1Password and it's encryption, I have access to my 2fa anywhere I need but it a computer, phone, tablette.

Soon it will be passkeys and they'll be safe in the 1Password vault, no worrying about losing the device w/ the keys again.

So ... your solution is no tfa?

Putting second factor material in password managers is terrible advice. For reasons unknown to me, it might be the right solution for you. But in general, it defeats the two factor authentication purpose if you reduce the factors again to knowledge alone.

The whole point of tfa is, that the second factor is something you possess and not something you know (which is the first factor).

There are multiple attack vectors that 2-factor helps with, and storing your 2-factor alongside your password does still help in some, just not all.

For the more common attacks I expect to encounter, namely a single password being leaked, a password manager is still based on something I "possess" (to an extent) - the decrypted password vault. It's separate from the single password that's likely to have been compromised in the most common scenario.

Of course, if my whole vault is compromised, then yes, storing my 2-factor in there made my life worse than the alternative. I just don't see that as anywhere near as likely a scenario as an individual account being compromised. Having 2-factor enabled in a less secure method is still better than not having 2-factor enabled at all.

Basically, there's nuance to this, it's not the extreme you present - a more in-depth comment on this: https://security.stackexchange.com/questions/150448/is-it-se...

You're assuming a compromised password == compromised 1Password vault which is clearly not going to be the case most of the time
I think you have iPhone backup on icloud. If you get your phone number back, you can unlock your life again.
This is crazy haha. I literally just left my phone in a cab(tuktuk) in Costa Rica a couple weeks ago.

It was in my hand one second and then I got out and it wasn't.

I've had to contact each organization I have 2fa with and get 2fa reset through personal identification measures.

For my company that meant a quick zoom call. For banking that meant driver's license scans and photos of me.

You'll have to work with your 2fa providers.

> "Is there a recommended way to go about this problem?"

Restore the backup of your phone which you have locally in iTunes, or in iCloud.

(And, before you lose it, take a backup)

When setting up 2FA, the services typically give a list of recovery codes which you hopefully still have. With those, you can gain access and link other 2FA devices.

If you have the recovery codes and got access again, then you can get a bit more redundancy in your system by also setting up security keys such as a Yubikey. These keys can be added next to your authenticator app(s).

You can back up your 2FA codes to another phone, at least Google Authenticator lets you do this. An old phone is the easiest, most convenient way to do this since it has a camera that you can use to scan the code on your main phone.

If you don't have the backup codes or the one-time codes, you're going to have a problem and you'll need to contact the services to somehow let you in or take off 2FA. Depending on what the service is, it might get very tedious.

BTW this process is broken with small display. I have a very tiny Android phone and to backup the codes I need to scan an QR code on this small display, which isn't working out. The resolution is too small. And there is no other way to backup Google Authenticator I am aware of. So be careful in smaller display, you probably cannot backup Goggle Authenticator.
There is on a rooted android phone with an adb shell

    sqlite3 /data/data/com.google.android.apps.authenticator2/databases/database \
          'select email,secret from accounts'  
not aware of any other way on none rooted/ios
You may have tried this already, but the QR code gets bigger the more entries you export - have you tried selecting them one at a time?
Ah, did not knew that, just check it out. Thanks for the hint. Uh, if I select only one entry the QR code gets smaller in itself. So basically same problem still. facepalm :-D
> if I select only one entry the QR code gets smaller in itself

Does it block you from taking a screenshot? Maybe you could screenshot it and then zoom in the gallery app.

Yes, it blocks on purpose to take screenshots.
Maybe take a photo with the new device of the small screened old device displaying the QR code and zoom that photo, and then move the zoomed photo to somewhere that the new device's camera can try to scan it?

If you can get a copy of that QR code off of the small device using the photo trick, besides using it to import your accounts to Google Authenticator (GA) on your new device you might consider extracting the codes from the backup so you can store them someplace secure separately. That way you can use them to set up TOTP apps other than GA.

Here's how you could do that. First, you need to get the QR code from GA to something that can read the QR code and display its contents. The text in the GA code is otpauth-migration://offline?data=... where the ... part is apparently a base64 encoded Google protocol buffer.

Once you've got that otpauth-migration URL this program that showed up when searching for information on those URLs can help: otpauth [1].

  otpauth --link otpauth-migration://offline?data=...
will decode it and give you the otpauth://totp URLs that were in the original QR codes that you originally set up your accounts with.

  otpauth -qr --link otpauth-migration://offline?data=...
will generate a PNG file for each account, name after the account name and site name, and containing the QR code for the account.

Going forward, save those PNGs somewhere secure (I use an encrypted tar file). Any new accounts you set up save the QR codes for those as PNGs and add them to your collection. If you keep that collection up to date you will be able to readily handle any device updates or replacements readily or adding new TOTP apps.

[1] https://github.com/dim13/otpauth

In developer settings you can change the minimum width. Iirc a larger number makes the UI smaller (tablet style). You can try that if the display is fundamentally large enough. And/or screenshot and zoom in in the gallery. Or use apps like scrpy maybe?
If you have a backup, try to restore it on your new iphone. In the vast Google Authenticator didn’t restore, but I read it may now?

FWIW, this is the reason I use Authy, it works nicely with backup/restore. Beware that Authy has a cloud backup/multi device function that I personally keep off. Another option would be 1password, though I’d personally won’t mix passwords and 2fa codes in the same app.

Assuming the worst case where you can’t recover the codes, and assuming it course you never stored the offline codes, you have to go through the process of recovering 2fa.

This usually requires submitting documents that prove who you are, and waiting 1-2 weeks. So the only recommendation is to begin this process asap.

And while you re-setup 2fa make sure you either keep a backup or use an app that works when you backup+restore your phone, Im sure others will provide more options. Good luck!

+1 for Authy, though I keep the backups and multi-device turned on for convenience.

My old phone died and I had no way of getting into some of my 2FA secured accounts a while back and it was a wakeup call that eventually led to using Authy.

Our org is using a mix of Google Authenticator and Authy, but I am currently trialing https://2fas.com/ which is an opensource application that work with iOS backups.
I know it doesn’t help now, but next time use Authy instead of Google Authenticator. It can sync to multiple devices. I have it synced to my laptop so if I lose my phone, I still have Authy on my laptop with all 2FA.
Microsoft Authenticator also provides the same.
(comment deleted)
Hopefully you have recovery codes for all these accounts. With that said, I don't like to rely on these recovery codes bc of some horror stories. Alternatively when setting up 2FA, you can for example: - use Authy bc it syncs tokens in the cloud and so you can recover your 2FA tokens on a new phone based on your phone nbr. I used to do that but have stopped bc Twilio (owner of Authy) is slowly retiring the product. - Keep a copy of each token when you set up 2FA. I keep an encrypted disk image with a list of my 2FA tokens. Yes, it weakens a little bit the security. But I sleep well bc I won't lock myself out in case of trouble. It's a trade-off I embrace.
Can't you get the seed values out of Google's Authenticator (which is TOTP?)? I would put these somewhere safe--rather than save a bunch of backup codes.
Happens all the time when I get a new phone because for some reason Auhenticator (MS) never transfers the authentication codes while setting up new iPhone (just why?).

Providing any services that I don't have backup codes with identity documents solve the problem. Never had issue with any service but it's annoying.

If you’re reading this and don’t have backup codes for Google auth stored somewhere offline then this is your wake-up call to do it now.
Not a solution for the OP, but to anyone else reading: do not set up 2FA with a single point of failure. If you lost any one thing, would you be locked out like the OP?

If you have to use TOTP codes be religious about saving your backup codes. Otherwise, using multiple security keys means you can recover from losing one, with the bonus of phishing protection (since they can't be tricked into supplying your codes to the wrong domain).

Backups: you MUST have a backup! One thing I do is avoid proprietary apps like Google Authenticator and make sure I store the TOTP key separately so I can reconstitute my TOTP codes in another app if necessary. Backups are kept on a backup handset, on my computer, and in an encrypted volume in the cloud at a minimum. What's a little harder to deal with are the services/providers that insist on SMS 2FA (and not to a VoIP number).
> One thing I do is avoid proprietary apps like Google Authenticator and make sure I store the TOTP key separately so I can reconstitute my TOTP codes in another app if necessary

I'm not sure what avoiding Google Authenticator has to do with that. You can store the keys separately for any TOTP app. That's kind of inherent in the way TOTP works.

For the services that don’t allow their keys to be included in the backup this is a common occurrence and they will probably have a support system that will allow you to reset the authentication. Which makes 2fa worthless theatre but that’s reality.