Wednesday, 24 April 2024

So You’re Locked Out of Your Two-Factor Authentication App. Don’t Panic.


Illustration of a person with a worried face holding a locked cellphone.
Illustration: Yann Bastard

By Max Eddy for Wirecutter

Max Eddy is a writer who has covered privacy and security—including password managers, VPNs, security keys, and more—for over a decade.

It’s a nightmare scenario: You’ve protected all of your online accounts with two-factor authentication, just as we recommend, but then your phone is broken, lost, or stolen, and you’re locked out of everything. Past You’s effort to protect Future You has made Present You’s life a living hell.

Two-factor authentication (2FA) is supposed to keep attackers and scammers out of your online accounts, but what if something happens to your second factor? With a little planning, you can reduce that risk and still keep your accounts safe. Here we show you how, and we tell you what to do if you’ve already lost access to your account.

When you protect an account with two-factor authentication, the first factor is usually your password. The second factor has to come from a different category, so that an attacker who obtains one does not automatically hold the other. Authentication factors fall into three categories:

  • something you know, like a password or PIN
  • something you are, like a fingerprint or your face
  • something you have, like a phone running an authenticator app or a hardware security key

Even if an attacker has your password, 2FA will protect your account because it’s less likely they’ll have the second factor needed to log in. This is especially important after years of data breaches have made it easier than ever to obtain log-in information. “Passwords are a tradeable commodity at this point,” said Iva Blazina Vukelja, vice president of product management at Duo, the company behind the Duo Mobile authenticator app. “[If] your account is protected by a password, it’s not really protected.”

Our pick

Duo Mobile is well designed and easy to use, and it can securely back up your information.

There are several ways to add a second factor to an account, and the most accessible option is using an authenticator app. At enrollment the site shares a secret with the app, and from then on the app derives a fresh, usually six-digit, code from that secret and the current time every 30 seconds; you enter the code along with your password when you log in. Security keys—dedicated physical devices that serve as an authenticator—are less widely supported, but they’re the most secure 2FA option: the key checks the address of the site asking for a login before it answers, so a look-alike phishing site gets nothing useful. Some services send SMS codes to your phone, but we don’t recommend opting into that if you can choose another option, since attackers can intercept those messages or take over your phone number.

Passkeys are a newer technology that seeks to replace passwords with digital credentials that have 2FA built in. Passkeys grant access to online accounts the same way your password does, but they are stored on your device, locked behind a PIN or biometric authorization (such as a fingerprint or facial recognition), and the device never sends the secret itself to the site. Although passkeys aren’t yet widely supported, Apple, Google, and Microsoft are betting that they’ll be the future of authentication, and so they have added passkey support to their browsers and operating systems.

Protecting your accounts with 2FA is a good idea, but things can go awry. What happens if your phone dies and your authenticator app can’t generate codes? What if you lose your security key? Or what if your phone is stolen altogether? You won’t be able to access your accounts unless you find another way to log in—or use a site’s recovery tools. Planning ahead is the best way to ensure you don’t end up locked out of 2FA. “Just like any other situation in life, this is an ounce of prevention that’s worth a pound of cure,” said Derek Hanson, security-key-maker Yubico’s vice president of solutions architecture and alliances.

Every site and service takes a different approach to 2FA, with different backup options. Below we list the most common ones. We recommend that you set up at least one of them now, while you still have access, to avoid headaches in the future.

Use backup codes whenever possible. Backup codes are a string of numbers and sometimes letters that you enter in order to regain control of your account. Most sites and services will give you the opportunity to generate backup codes when you enroll in 2FA, and the best sites actually require it.

Not every site uses backup codes the same way, however. On some sites you simply type a backup code into the same box that normally takes the code from your authenticator app. Other sites, like X (Twitter) and Google, have a dedicated interface for entering backup codes. When you log in to X, you’ll be given the option to use a second factor or enter a backup code. On Google, you have to click the “try another way” option when you’re logging in. And Apple offers a recovery key option to regain control of your Apple ID.

Apple also supports setting a trusted individual as a recovery contact. Once your trusted contact is enrolled, their iPhone can generate a six-digit backup code that should let you log in, even if you’re locked out of your Apple ID.

Backup codes are a great way to regain control of your account, but you need to store them securely, because each one is a complete substitute for your second factor. If you enter them into a password manager, be aware that the vault now holds both your password and a standing second factor for that account, so make sure the password manager itself is well secured with a long, complex, unique password and 2FA of its own. If storing backup codes in a password manager feels like too much of a risk, you can also print them out or write them down at home. Duo’s Vukelja told us she keeps hers in a personal safe.
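To make concrete why a backup code is worth guarding, here is an added example of how a site can issue and redeem one-time backup codes. This is illustrative code written for this page, not the implementation used by X, Google, Apple or any other service named above; the alphabet, code length and work factor are design choices assumed for the example. The service shows the codes once, keeps only salted hashes, and burns each code on first use, so a leaked database does not hand out a working second factor and a stolen code cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Illustrative example for this page; not any real service's code.
# Alphabet omits 0/O, 1/l/i so a code read off paper is hard to mistype.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 10            # 31^10 ~ 2^49.5 possibilities per code (assumed)
HASH_ITERATIONS = 100_000  # PBKDF2 work factor for low-entropy secrets (assumed)


def generate_backup_codes(count: int = 10) -> list:
    """Return `count` fresh random codes formatted as xxxxx-xxxxx.

    These are shown to the user exactly once; the service never stores
    them in the clear.
    """
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def _normalize(code: str) -> str:
    """Accept codes typed with or without the dash, spaces, or capitals."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash(code: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked table cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt,
                               HASH_ITERATIONS)


class BackupCodeStore:
    """Per-account store of unused backup-code hashes; each code works once."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = [_hash(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self.unused)

    def redeem(self, candidate: str) -> bool:
        """Return True and consume the code if it matches an unused one."""
        digest = _hash(candidate, self.salt)
        for i, stored in enumerate(self.unused):
            # compare_digest avoids leaking which bytes matched via timing.
            if hmac.compare_digest(digest, stored):
                del self.unused[i]  # burn it: a second use must fail
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("show these to the user once:", *codes, sep="\n  ")
    store = BackupCodeStore(codes)
    print("first use accepted:", store.redeem(codes[0]))
    print("replay accepted:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

The point for the user is the mirror image of this design: the service deliberately keeps no usable copy, so the printout or vault entry you hold is the only one, and whoever reads it can log in as you until that code is spent.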

Use an authenticator app with a recovery function. Some 2FA authenticator apps let you back up the sites you entered into them; this allows you to restore your authenticator access on a new device, if your phone is no longer accessible or you’ve deleted the app. Each authenticator app handles backups a little differently. Our top pick, Duo Mobile, stores its backup in iCloud or Google Drive, depending on your platform, and it secures its backup with a special password you need to retrieve it. Google Authenticator, meanwhile, is attached to your Google Account and can sync accounts across devices.

Backing up an authenticator app comes with some security concerns. After all, you wouldn’t want an attacker stealing your backup to enter authentication codes. Make sure you’re using a service you trust and that the backup is encrypted, so only you can access it. If your backup is tied to another account, like Google Authenticator, make sure that account is secured with 2FA, with recovery options that will work without the authenticator app. A security key, passkey, or Google’s push notification verification are good choices.

Get a backup physical security key. Security keys are perhaps the most secure method for doing 2FA. But if you lose your key, it’s no good to you. Experts we’ve spoken with in the past recommend getting two keys and enrolling both, with one acting as a backup. Some security keys, like our top pick, the Yubico Security Key C NFC, are quite affordable (though less so when you need two of them).

Embrace redundancy, and use multiple 2FA options. Mixing different 2FA options for the same account means you’ll have more than one way to log in. Google, for example, supports security keys, authenticator apps, push notifications sent to a trusted device, and codes sent via voice call or text messages—though we recommend against using codes sent via voice or SMS.

The experts we spoke with cautioned that if you do turn on multiple MFA options, each one is another way in, and an attacker only needs to defeat the weakest of them: a phished authenticator code or a hijacked phone number gets them past the account even if you also own a security key. Be vigilant against phishing attempts, and prefer options that can’t be phished, like passkeys and security keys, if you can.

Use passkeys. Unlike other 2FA systems, passkeys can be synced between devices, making them easily accessible. You can also create multiple passkeys for a single account, giving you as many spares as you want. And a device with a passkey can be used to authenticate a login on a device that doesn’t have one. Hanson explained that they can make it much easier to recover, since “every device I carry—whether it’s my [security key], my phone, or my laptops—all of them potentially have the keys to my account.”

Having passkeys that sync between devices does mean that someone with those devices could access your passkeys. However, an attacker would also need your biometrics or PIN in order to use them, which greatly reduces that risk. The flip side is that the account doing the syncing (your Apple ID, Google Account, or password manager) now guards every passkey in it, so it needs the strongest protection and recovery options of all.

Although Apple, Google, and Microsoft support passkeys, there are still limitations. Passkey syncing is currently limited by platform—Apple to Apple and Google to Google—unless you keep them in a third-party password manager that syncs them across platforms, and only a fraction of sites and services currently support passkeys.

Being locked out of your account is frightening, and it can feel like you have to fix it, right now. Resist this urge. Instead, take time to evaluate your situation and what tools you have available. “Your best bet is to gather all the resources that you have and hope that you’re actually not locked out,” Hanson said.

See if you’re still logged in to the locked account on a device. Start with phones and tablets, since these devices tend to stay logged in to apps and services for long periods. Then expand your search to laptops and desktops. And then expand it to older devices that you may have tucked away in a closet or a drawer.

If you find that you’re still logged in on a device, you may be able to remove the 2FA option you can no longer access or add a new one that you can. Keep in mind that making changes to your security settings will almost certainly require reauthorization—probably a password at minimum. So if you’ve also lost your password, you may be out of luck. Don’t sign out of that device until you’ve enrolled the new method and confirmed it works with a fresh login elsewhere.

Some services that offer “family plans” allow other members to make changes to the plan or even re-authenticate people. If you’re locked out of a family plan, check with those people as well.

Check backups and alternative 2FA options. Once you’ve exhausted the devices and people that may be able to help, take a look at the options available for the specific type of 2FA that’s locked you out. If you can no longer access the codes in your authenticator app, check to see whether the app provides backup and restoration. If you’ve lost your security key, check to see whether you’ve got a backup key enrolled (you probably should). And then look to see what other MFA options are available and if you’ve enabled them.

Google and Apple accounts can use trusted devices to authenticate your accounts. When you’re logging in with your Apple ID, Apple may send a verification message to other devices where you’re already logged in, or the device itself can generate a code. Similarly, Google has the option to send push notifications to devices where you’re logged in with your Google account that will authorize a new login. If you’re locked out of one of these accounts, check your old devices. They may still be enrolled and might be able to authorize a new login.

When all else fails, use account-recovery tools. Once you’ve exhausted all of your options, it’s probably time to begin the account-recovery process. Each site handles this differently, so take a moment to read the support documentation about the process. For example, Apple’s documentation and Google’s documentation show very different steps. Depending on the site, this may take just a few minutes or much longer.

If you have to start working through the account-recovery process, be on guard for phishing attempts. Scammers know that desperation and urgency work to their advantage, so stick to the recovery mechanisms provided directly by the sites you have accounts with. If you contact customer service, be sure you do so using the tools provided by the site—such as a contact form or live chat.

Yubico’s Hanson told us three important things that you can do to be safer online, as well as to head off potential 2FA pitfalls.

Secure your most important devices and connected accounts. Many 2FA and account-recovery systems rely on having access to a trusted mobile device, so keeping your iPhone or Android phone safe also helps to protect all of your other accounts. To guard against attacks and theft, most modern phones have built-in protections that are tied to accounts registered with the manufacturer. Take the time to set up 2FA for these accounts (Apple ID and Google Account), and familiarize yourself with the available tools to track and secure lost devices (Find My for Apple and Find My Device for Google). If you have a Windows PC, be sure to do the same with your Microsoft account. Apple has also rolled out new security features to prevent iPhone thieves who learn your passcode from hijacking your Apple ID.

Secure your primary email accounts with 2FA and recovery options. Many sites and services use email sent to a trusted address as part of their recovery process, so you’ll want to make sure these accounts are secured with a strong password, 2FA, and a recovery or backup option of some kind.

Call your wireless carrier, and set a PIN to protect your phone’s plan. This makes it harder for attackers to port your number to another carrier or to move it onto a SIM they control (“SIM swapping”) in order to intercept authentication codes sent via voice call or SMS message. We don’t recommend using either of these methods for 2FA, but many sites and services will default to phone contact as a means of authentication or account recovery, so the number needs protecting even if you never chose it as a factor.

Don’t let the risk of lockout scare you: 2FA is worth it. If an attacker is able to take over your account because you didn’t use 2FA, you’ll also be locked out and have no control over what the attacker does with that account. Along with using a password manager and new technology like passkeys, 2FA is the best way to keep your accounts secure and under your control. Just plan ahead—you never know when your phone will go missing.

This article was edited by Arthur Gies and Caitlin McGarry.

  1. Iva Blazina Vukelja, vice president of product management at Duo, video interview

  2. Derek Hanson, vice president of solutions architecture and alliances at Yubico, video interview

Meet your guide

Max Eddy

Max Eddy is a senior staff writer at Wirecutter specializing in security and privacy. He was previously lead security analyst at PC Magazine.
