Keep track of your second factors for logging in securely

Two-factor authentication is all the rage, but you can wind up losing a factor and being locked out. Here's how to manage that.

If you read this column at all, you know I’m a big fan of two-factor authentication (2FA), a password-plus-a-thing method of reducing the risk of other people and malevolent parties gaining access to your accounts remotely. But a concern related to deploying a second factor on accounts that allow it? Losing it!

In a recent conversation with tech-savvy colleagues, I found that a surprising number were concerned that enabling a second factor could leave them vulnerable to a system crash or a broken or lost phone that contains a necessary token or secret. Without that, they worried about being permanently locked out of their stuff. This is totally reasonable, and you can create a plan when you start using two-factor logins to prevent this from happening.

As a quick reminder, two-factor systems almost always pair a password with something else that you keep in proximity: a device that receives a code, an app that generates a code, or even a biometric device like a fingerprint reader. The second code or physical detail reduces the opportunity for someone who obtains your password to gain full access to an account. Some systems are more accurately "two step" than two factor, since a true second factor shouldn’t depend on an element that is stored alongside, or otherwise tied to, the password entry itself.

(If you’re using a two-factor device, like a keyfob- or access-card-style code generator, or an RFID-based reader, there’s usually a different process for regaining access because of the physical component.)

Back up to get started

Systems that use the Google Authenticator approach of seeding what’s called a “Time-based One-Time Password” (TOTP) offer, when you enable this form of supplementary protection, a QR code that you can scan with your phone or tablet. Some also provide a text-based equivalent.


Google lets you set a lot of parameters around a second factor, and change your mind once you have.

These seed codes are the shared basis for generating the TOTP, both on the account system’s side and in your own authentication app. But you can also capture them and store them securely, so that if you lose access to a device containing the app, or it crashes irrecoverably, you can reseed an authenticator with that same seed code. You can screen capture or take a picture of the QR code, or copy the text. (To decode the QR code into text when a text version isn’t provided, you can use a reader like Quick Scan for iOS.)
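To make the "same seed, same codes" point concrete, here is an added example (not code from the column or from any of the apps it mentions) that parses the text form of an enrollment QR code, the otpauth:// URI, and derives TOTP codes from the seed the way RFC 6238 specifies. The sample URI, its account label and issuer are constructed placeholders; the seed is the RFC’s own reference key in base32, not a real account’s secret. Because the code depends only on the seed and the clock, a freshly reseeded authenticator produces exactly what the original device did, which is why backing up the seed works as a recovery path.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the text behind an enrollment QR code. The issuer and
# account name are placeholders; the secret is the RFC 6238 reference key
# "12345678901234567890" encoded in base32 (an assumption for this demo).
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example%20Site:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Site"
    "&digits=6&period=30"
)


def parse_otpauth(uri):
    """Extract the seed and parameters from an otpauth://totp/... URI.

    The 'secret' query parameter is the value worth backing up; everything
    else is metadata that can be recreated."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("enrollment URI carries no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "issuer": params.get("issuer", ""),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at) // period, digits, algorithm)


def verify_totp(secret_b32, candidate, at=None, period=30, digits=6, window=1):
    """Server-side check: accept the current step plus/minus `window` steps
    to tolerate clock skew, comparing in constant time."""
    if at is None:
        at = time.time()
    step = int(at) // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, step + delta, digits), candidate):
            return True
    return False


def reseed_matches(uri, at):
    """A restored authenticator seeded from the backed-up URI yields the same
    code as the original device: nothing device-specific enters the math."""
    entry = parse_otpauth(uri)
    args = (entry["secret"], at, entry["period"], entry["digits"], entry["algorithm"])
    original_device = totp(*args)
    restored_device = totp(*args)
    return original_device == restored_device


if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_OTPAUTH_URI)
    print("seed to back up:", entry["secret"], "for", entry["label"])
    print("current code:", totp(entry["secret"], period=entry["period"]))
```

Run it and the printed code will match what Google Authenticator or Authy would show for that seed at the same moment, which is exactly the property the backup relies on; the check in `verify_totp` is what a site does on its side, and the small skew window is why a slightly slow phone clock still works.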

You can also use apps that back up and synchronize your codes, though there are good reasons to consider whether it’s wise. Authy is a simple multi-platform system compatible with Google-style TOTPs that optionally allows synchronization. The basic apps and functionality are free. AgileBits’ 1Password added TOTP support in early 2015, and like other items in the program, they can be synced among devices.


Keeping electronic copies of the seeding code or syncing it introduces risk, but the key advantage of TOTPs is that a single password is no longer your only line of defense. (AgileBits explained this well in announcing TOTP support.) Because Authy and 1Password don’t store your information in a way they can decrypt, with a strong password (and optional use of Touch ID) the TOTPs are locked away with a high degree of security. If you store screen captures or photos or codes or the underlying text, make sure you use a similar encryption process to prevent access.

Setting a path to recovery


Every site with any kind of two-step or two-factor system offers a way out when you can’t get back in. It can vary quite a bit. The most popular include the following:

Backup codes. Google and other sites create a list of static one-time-use codes that will provide access, but (as their name describes) can’t be used again. These can also be good to use when you’re away from a trusted computer, because they’re fully disconnected from app-generated TOTPs and aren’t subject to the typical one-minute-maximum validity window of a TOTP. Many sites recommend printing out these static codes and carrying them with you for critical accounts. You could store them in encrypted form on a local device, but that adds risk unless the password is strong and distinct from anything you use online. The key constraint is to ensure that someone who could grab your password remotely couldn’t also gain access to these one-time-use codes.

Alternative email. Some sites will let you recover access by sending a message to an email account, which might be the main address already associated with the site, or might be required to be a separate address. This ostensibly reduces the odds that a single point of failure on the same path allows a third party to gain access to your 2FA-protected account.

Recovery Code. Apple’s two-step verification system, which is being phased out in favor of its iOS 9/El Capitan 2FA approach, issues a unique code when you register to use it. That code is the only option for recovery in the event your account is locked due to security concerns, or if you lose access to all your trusted devices and associated phone numbers. (With Apple’s 2FA, which is still technically two-step in nature, Apple has a human-involved recovery process you start in the unlikely event you’ve lost everything.)
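The "Backup codes" item above says the codes are static but single use. This added example (not code from the column or from any site it names) shows, from the site’s side, what makes that true: the codes are generated from a cryptographic random source, only salted hashes are stored, and a hash is marked spent the first time it is redeemed. The code format, alphabet and PBKDF2 parameters are assumptions chosen for illustration, not any particular site’s scheme.

```python
import hashlib
import hmac
import secrets

# Alphabet without characters that are easy to confuse when typed from a
# printout (0/O, 1/l/I). An assumption for this demo, not a standard.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count=10, length=8):
    """Create `count` random codes, shown to the user once, e.g. 'k7xm-q2bd'."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        codes.append(raw[: length // 2] + "-" + raw[length // 2:])
    return codes


def normalize(code):
    """Accept what a user is likely to type: any case, with or without the dash."""
    return code.strip().lower().replace("-", "").replace(" ", "")


class BackupCodeStore:
    """What a site keeps after handing the codes to the user: salted hashes and
    a used flag per code. The plaintext codes are never stored, so a copy of
    this record is useless to someone who obtains it."""

    def __init__(self, codes, salt=None, iterations=20_000):
        self.salt = salt if salt is not None else secrets.token_bytes(16)
        self.iterations = iterations
        # list of [hash_bytes, used] pairs
        self._entries = [[self._hash(c), False] for c in codes]

    def _hash(self, code):
        return hashlib.pbkdf2_hmac(
            "sha256", normalize(code).encode(), self.salt, self.iterations
        )

    def redeem(self, code):
        """Return True once per valid code; False for unknown or already-used codes."""
        candidate = self._hash(code)
        for entry in self._entries:
            if hmac.compare_digest(entry[0], candidate):
                if entry[1]:
                    return False  # already spent: the one-time property
                entry[1] = True
                return True
        return False

    def remaining(self):
        return sum(1 for _, used in self._entries if not used)


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("print these and keep them offline:", *codes, sep="\n  ")
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]))   # True
    print("second use:", store.redeem(codes[0]))  # False
    print("codes left:", store.remaining())
```

The design mirrors the column’s advice: because the site holds only hashes, the printed sheet is the sole copy of the codes, which is why it should be kept somewhere an attacker who already has your password cannot reach.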

Many sites use SMS to send one-time use codes, making it vastly less likely you’ll lose full access to that “factor”—your phone number. In most countries, a cell carrier controls access to a number that can receive text messages, and a lost or stolen phone is an inconvenience that requires getting that unit disabled, and having the phone number activated on another. My wife and I add each other’s phones where possible as additional backups.

In some relatively rare cases, you might lose control of a phone number, and when you try to get that number restored, a carrier might be unconvinced that you’re the legitimate owner. More commonly, if you’re using an alternate SMS system, such as I described in a column in October, you might lose access to the number and have no recourse to obtain it.

So when setting up any SMS-based factor, make sure there’s still another way out if the phone number in question were to become inaccessible to you forever.

One step after another

With Amazon adding 2FA support for regular consumer accounts, and Apple emphasizing its availability during iCloud account setup, a lot more people will be using 2FA in the future. If you had concerns, I hope these steps help alleviate them, and that you can use this information to assuage others’ fears, too.
