Ask HN: Do you carry an old phone when travelling as a 2FA backup?

1 points by red369 ↗ HN
After reading another HN comment, I'm wondering what people have as a back-up for 2FA when going on holiday.

Now that it's often allowed, I usually have an old phone stashed in my check-in bag. Is that common practice? Is there something simpler I'm not thinking of?

21 comments

[ 8.4 ms ] story [ 80.0 ms ] thread
Yubikey or equivalent.

You don’t necessarily need a second phone. You may need a second phone number in your home country that you can get calls and SMS anywhere. VOIP services such as Google Voice, Hushed, Skype work, but test first because some banks etc. won’t accept VOIP numbers.

I have travelled full-time for over 12 years. I carry one phone, an iPad, have three email accounts, two US numbers (Google Voice and Hushed), a local number wherever I stay (e-SIM), a Yubikey and backup key. Have never needed a second phone.

> banks etc. won’t accept VOIP numbers

Use a VOIP number in the UK, they usually can't tell.

If you want a bulletproof solution for a US number though, spend $10/month for an additional SIM card and bona fide mobile number that goes to an separate, eternally stationary mobile device in your home country that forwards SMS to your e-mail or some other UI you can access from a public internet terminal, in case your phone is stolen, bricked, or held hostage.

You can do that with a “real” Twilio number and skip the second phone.

All of my US banks and credit cards accept VOIP numbers now. A few did not when I first started traveling.

Most of my US banks work with VOIP numbers.

Chase, for one, does not.

I have Chase credit cards, they accept my Hushed number. Don’t have a Chase bank account. I use Schwab, they accept VOIP numbers.
Interesting, I only have Chase credit cards as well, and they don't take any of my Twilio numbers, or at least, they accept the number but I don't actually receive SMS codes.
I've had the most success with numbers from hushed.com. Google Voice usually works but not as reliably in my experience.
Some of these ideas are really becoming a rabbit-hole for me. I like the idea of forwarding SMS to email, but then you need an email provider who will never prompt for some sort of 2fA just because you're outside the country or on an unfamiliar device, and an always-on mobile device.

The email provider who will never ask for 2FA to get in might be harder than it sounds. I've heard a story which I believed at the time, of Gmail not letting someone in without approving on an old device, even with the password and correct TOTP. Something odd like SDF could work here.

I suppose the always-on device should have no battery. I once had an HTC smartphone that would power on with the battery remove, but would sometimes crash. I think people who run postmarketOS do something to not require the battery, but soldering seems to usually be involved. USB 4G modem, old laptop with built-in 4G?

Edit: Just adding that I'm a big fan of SDF.org, so would love if that turns out to be the least messy solution!

> email provider who will never prompt for some sort of 2fA

Or just forward it to a simple webapp that you design that runs in the cloud and only requires a password to login

> I suppose the always-on device should have no battery.

That might make you vulnerable to power outages. If you are worried about Lithium batteries being at 100% for an extended period of time, Samsung tablets (and probably phones) can be set to charge to 80% and stop.

But how many times have you had your phone/ipad/laptop get stolen/mugged for/lost, or all three, and how did you recover/break back into your digital life? If you've never needed a second phone because you've never lost the first/had it stolen/been mugged for it, that recommendation may be less relevant for someone that habitually loses phones.
> how many times have you had your phone/ipad/laptop get stolen/mugged for/lost, or all three

I lost my iPhone in a taxi once. Had laptop die once. Not at the same time.

> how did you recover/break back into your digital life

Bought another phone, logged into my iCloud account with password and 2FA to my GMail account, got the code on my laptop.

For catastrophic losses like you describe you should have the MFA backup code(s) printed and stored somewhere safe. I keep them with my passport and a backup copy on a secure USB key. I avoid having all of my stuff in the same place at the same time.

I don't travel to/live in places where I have to worry about having my things stolen, or getting mugged. Can happen anywhere but some places have much higher crime rates than others.

I didn't mention MFA backup codes, but anyone using MFA at all should print those out and have a couple of copies in safe places.

0. Yubikey that I travel with

1. SSH into a fixed desktop that has a Yubikey plugged in so I can receive the TOTP codes for the idiot services that only allow registering 1 Yubikey

2. All phone-based 2FA go to a virtual number that forwards to a place that I can access remotely from any device

Yeah, not ideal, but not having access to my own shit in a foreign country is a bigger risk.

I also keep an old phone hidden deep in my luggage, not for a 2FA backup but just to have a phone to use in case my main phone is stolen or breaks.

Probably unnecessary detail because I assume it's solveable, but if you use key based auth for the SSH to the fixed desktop, how do you make sure you still have access to that key if you lose your main device/s?

(Edited to clarify the key-based auth sentence)

I have a boring imperfect solution but I don't want to post it here
Fair enough - but I hope it's port-knocking! I've never used it, and seen a lot of recommendations not to, but I love the idea.
I should probably have clarified - I don't actually use the phone as a backup for 2FA through SMS. That would probably require porting the number if something happened to the first phone, or setting up 2 seperate SMS 2FA methods on every account (where that is even possible). Also, I hate SMS 2FA.

I think of the 2nd phone as basically just a little portable computer with Bitwarden, and on which I could probably use some sort of messaging app or email while I replaced the first phone.

Yubikey is the popular answer so far. I have thought of that in the past, but never followed through on. Less versatile (can't run apps)? Certainly more portable.

It occurs to me that a lot of the solutions here are technically involved, which isn't a surprise given where I asked. But so far I haven't seen any can't-be-bothered-thinking-about-it, obvious and simple solutions.

Are the majority of people who don't like doing this stuff just not using 2FA, or just risking being locked out? All the people I know in this category are doing one of these options.

Carry a spare phone with no cell activation, no accounts and no data to hand over to police/CBP/whoever.

Some 2FA I have run into lately will email or SMS a code (WTF?)

My watch has cellular and will show messages. Is this a backup?

I've just realised that despite it seeming obvious and fairly simple, the Apple Watch doesn't have a way to see the passwords/TOTP codes from the iCloud Keychain. Maybe I do need to switch those to Bitwarden after all.