Ask HN: Do you carry an old phone when travelling as a 2FA backup?
After reading another HN comment, I'm wondering what people have as a back-up for 2FA when going on holiday.
Now that it's often allowed, I usually have an old phone stashed in my check-in bag. Is that common practice? Is there something simpler I'm not thinking of?
21 comments
[ 8.4 ms ] story [ 80.0 ms ] threadYou don’t necessarily need a second phone. You may need a second phone number in your home country that you can get calls and SMS anywhere. VOIP services such as Google Voice, Hushed, Skype work, but test first because some banks etc. won’t accept VOIP numbers.
I have travelled full-time for over 12 years. I carry one phone, an iPad, have three email accounts, two US numbers (Google Voice and Hushed), a local number wherever I stay (e-SIM), a Yubikey and backup key. Have never needed a second phone.
Use a VOIP number in the UK, they usually can't tell.
If you want a bulletproof solution for a US number though, spend $10/month for an additional SIM card and bona fide mobile number that goes to an separate, eternally stationary mobile device in your home country that forwards SMS to your e-mail or some other UI you can access from a public internet terminal, in case your phone is stolen, bricked, or held hostage.
All of my US banks and credit cards accept VOIP numbers now. A few did not when I first started traveling.
Chase, for one, does not.
The email provider who will never ask for 2FA to get in might be harder than it sounds. I've heard a story which I believed at the time, of Gmail not letting someone in without approving on an old device, even with the password and correct TOTP. Something odd like SDF could work here.
I suppose the always-on device should have no battery. I once had an HTC smartphone that would power on with the battery remove, but would sometimes crash. I think people who run postmarketOS do something to not require the battery, but soldering seems to usually be involved. USB 4G modem, old laptop with built-in 4G?
Edit: Just adding that I'm a big fan of SDF.org, so would love if that turns out to be the least messy solution!
Or just forward it to a simple webapp that you design that runs in the cloud and only requires a password to login
> I suppose the always-on device should have no battery.
That might make you vulnerable to power outages. If you are worried about Lithium batteries being at 100% for an extended period of time, Samsung tablets (and probably phones) can be set to charge to 80% and stop.
I lost my iPhone in a taxi once. Had laptop die once. Not at the same time.
> how did you recover/break back into your digital life
Bought another phone, logged into my iCloud account with password and 2FA to my GMail account, got the code on my laptop.
For catastrophic losses like you describe you should have the MFA backup code(s) printed and stored somewhere safe. I keep them with my passport and a backup copy on a secure USB key. I avoid having all of my stuff in the same place at the same time.
I don't travel to/live in places where I have to worry about having my things stolen, or getting mugged. Can happen anywhere but some places have much higher crime rates than others.
I didn't mention MFA backup codes, but anyone using MFA at all should print those out and have a couple of copies in safe places.
1. SSH into a fixed desktop that has a Yubikey plugged in so I can receive the TOTP codes for the idiot services that only allow registering 1 Yubikey
2. All phone-based 2FA go to a virtual number that forwards to a place that I can access remotely from any device
Yeah, not ideal, but not having access to my own shit in a foreign country is a bigger risk.
I also keep an old phone hidden deep in my luggage, not for a 2FA backup but just to have a phone to use in case my main phone is stolen or breaks.
(Edited to clarify the key-based auth sentence)
I think of the 2nd phone as basically just a little portable computer with Bitwarden, and on which I could probably use some sort of messaging app or email while I replaced the first phone.
Yubikey is the popular answer so far. I have thought of that in the past, but never followed through on. Less versatile (can't run apps)? Certainly more portable.
Are the majority of people who don't like doing this stuff just not using 2FA, or just risking being locked out? All the people I know in this category are doing one of these options.
Some 2FA I have run into lately will email or SMS a code (WTF?)
My watch has cellular and will show messages. Is this a backup?