What follows is a cautionary tale about a technology I’ve been recommending for years: two-factor authentication, or 2FA. Citizens of the Internet, hear me out! This could happen to you…
The Case of the Missing Codes
Last month, Apple offered a killer deal on iPhone trade-ins: they doubled the value of your old phone as long as you used the proceeds to buy one of their latest models. As it happened, I had two old iPhones to turn in, so I ended up getting a brand new iPhone XR for half price. Hard to beat that, especially as Apple continues to hike the prices on their phones. (I think that deal might still be in effect.)
I faithfully back up my iPhone on a regular basis (and encrypt those backups). So it was dead simple to bring my new phone home and restore it from one of these backups. In short order, my new iPhone’s contents looked exactly like my old iPhone’s contents… with one glaring omission. Google Authenticator was missing all but a handful of my two-factor authentication codes. I probably had 20 accounts registered in that app, but for some reason, the restore process only restored about 5 of them. Gulp.
Now, I knew that getting a new phone would require transferring these accounts. But I had counted on the iPhone restore process to fully restore all of the Google Authenticator entries. I counted wrong.
Doing the Two-Step
Just to recap, two-factor authentication adds a second requirement for logging in to an online account: in addition to something you know (your password), it requires something you have (your phone). You register your phone with each account by scanning a QR code, which hands the authenticator app a secret key shared with the site; from that key the app generates unique, rolling, single-use PIN codes. This adds a second type of lock to your accounts. Even if a hacker were to guess your password, they would still need your phone to get the second key.
Entering this code every single time you sign in would be cumbersome, so most sites allow you to “trust this device” for future sign-ins. The idea is that bad guys aren’t likely to be hacking your accounts from your own computer or smartphone. (If they have access to those, you’ve got much bigger problems.)
So I was now in a race to access the missing accounts from an existing computer on a familiar network. I needed to be able to log in and disable two-factor authentication so that I could then re-enable it using the new device. Adding to the task, I had to actually remember all the missing accounts.
Some online accounts actually provide you with recovery codes when you sign up for 2FA. These codes can be used in precisely this situation. If you’re offered these codes, you should print them out and put them somewhere safe. (Don’t put them in LastPass or store them on your computer.) I had done this for the couple of accounts that allowed it, so that helped.
Similarly, when a site presents the QR code to sync your authenticator app with your account, you can print that QR code. If you lose your phone, you can scan the printout to re-sync the app on your new phone. (I actually did this for several of my accounts, which helped save my butt.)
The Better Solution: Authy
I’ve been recommending Google Authenticator for years, and it served me well until last month. But after the failed restoration of several accounts and the lack of any secure backup built into the app, I now wholeheartedly recommend Authy. While Authy’s interface is arguably prettier, the killer feature is secure cloud backup. As a consequence, you can also install Authy on multiple devices and have your codes synced.
NOTE: Authy can be used basically anywhere Google Authenticator can be used. (Sometimes sites explicitly call for Google Authenticator by name, but it’s sort of like Kleenex being another name for facial tissue.)
Now if you’re already using Google Authenticator, you’ll want to transfer your codes to Authy. For most people, this means you will have to disable 2FA on each account and re-enable it using Authy. (If you happened to have printed out the QR codes when you set up 2FA the first time, you can use those to set up Authy.)
Note that LastPass (which I also highly recommend) has an authenticator app, as well. Even though this app is separate from the password manager and offers cloud backup, I feel slightly better keeping my passwords totally separate from my two-factor authentication codes.
Even if Google Authenticator ever offers cloud backup (and I would think they would have to), I will stick with Authy. I’m on a mission to de-Google my life, and you should probably do that, too.
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.