Phones, 2FA, and holiday disaster.

Soldato
Joined
1 Apr 2014
Posts
19,180
Location
Aberdeen
Just wondering here. I hope people here are using Two Factor Authentication for most things, so how would you cope if you lost your devices when you were on holiday? Presumably you do not take your backup codes with you (they might disappear too). Sure you can buy a new phone but when you come to set yourself up you hit the problem of 2FA. Send the code to your email? Your email is protected by 2FA keyed to your phone. And round you go.

Something similar might arise if your house burns down and you don't have an offsite backup.

Oops! So, what did you do?
 
You should have off-site backups, if you don't then do it.

With regards to backup codes, arguably not ideal but store them, or the most important, in a number of locations where they can easily (by you) be retrieved in the case of an emergency.
 
Use a 2FA that can backup the codes, then save the backup somewhere.

I've seen Aegis being recommended more often these days, but I'm personally using Authy since it has multi-device support, so I can bring up the codes on PC as well.
 
Very recently i had this exact problem as i lost my phone in France. Lots of issues not least being my Covid passes were on the phone which caused a lot of problems leaving France and entering the UK

The 2FA was not a problem with Google as I gained access via my laptop and you can log in and mark a device as lost and then remotely wipe and lock it. I had 2FA set up on my work accounts plus all banking but as soon as i got a replacement SIM from 02 it was easy to gain access to most things.

I use Google Authenticator app for access to works apps like Xero and Microsoft 365 and this was the bit that was the most awkward as i could not gain access to the 6 digit codes as i hadnt created a account. So if you use I would defintely create an account so if you do lose a phone you can just simply log in to the authenticator app.

It was a pain but as long as you get a replacement SIM for your number you should be able to get back into most stuff.
 
i have a family members numbers setup as extra verified numbers. If I had to access an account with 2fa i would have the code texted to their number and get them to tell me, that’s how I do it at least.
 
This happened to me with my 15+ year gmail account. Couldn't recover as it was using an old pay as you go number which I stupidly didn't update. Not something you think about really.. lost phone when on holiday and it's been impossible to recover since. Google will not help and won't accept any form of I.D, driving licence/passport etc as these can be easily forged :rolleyes:
Safe to say I was extremely ****** off.
All water under the bridge now though. 2FA has it perks but also has its downsides. Companies are way too security conscious now.
 
Yeah, I use Authy as it stores in the cloud, so moving from device to device is easy. Didn't realise there was a Windows app though, thanks.

I also have a Yubikey for my Google account, on my keyring and another (Google version of a Yubikey) in my safe.
 
Which you'll have backup codes for in the event you can't do text/talk MFA :)

Do you take your backup codes on holiday with you? And how do you protect them?

Not really an issue at home, if I lost my phone or it got stolen etc, then I've got recovery codes at home/Authy running on another device. But it's a big issue if somewhere abroad for example where I'd have access to neither.
 
Do you take your backup codes on holiday with you? And how do you protect them?
No, they're secured offline but obtainable with phone calls if i'm in a pickle and need access to them - no they're not written down on the back of a napkin in a drawer somewhere :p

I imagine most people store MFA codes within their password managers or on a single platform, so in reality you only really need to store/remember backup code(s) to those services.

Edit - A hardware key, YubiKey etc, could also be another solution to this.
 
No, they're secured offline but obtainable with phone calls if i'm in a pickle and need access to them - no they're not written down on the back of a napkin in a drawer somewhere :p

I imagine most people store MFA codes within their password managers or on a single platform, so in reality you only really need to store/remember backup code(s) to those services.

Edit - A hardware key, YubiKey etc, could also be another solution to this.

So still reliant on the person looking after your backup codes to be around/reachable at the time you need your code. Also relying on them to have kept them safe.

Not criticising your strategy, it's making me think about one myself. My concern is first not knowing contact details of my family member/trusted friend off by heart to get ahold of them. Then having them reachable. And finally having safely stored the backup code somewhere. - as I know giving this to a family member and not needing it for say 5 years that it might well have been lost.
 
So still reliant on the person looking after your backup codes to be around/reachable at the time you need your code. Also relying on them to have kept them safe.
My solution isn't fall proof by any means* but you can mitigate some of those issues in the same way everyone stores their encrypted backups securely in multiple locations.

* Updating codes is a royal pain in the bum.

My concern is first not knowing contact details of my family member/trusted friend off by heart to get ahold of them.
This might be a none-starter :cry:

In practice, just force yourself to dial that contacts' number(s) instead of relying on your contact list/phonebook and it'll eventually sink in :)
 
In case of emergency I can log into an app (not on a phone) and get my codes that way.

There is a master password that only I know. :) If I forget that, then it's game over I wouldn't be able to log in to anything if I lost my phone.

How do you get pass the 2FA of the app to get your codes when you don't have access to an already authenticated device, or backup codes?
 
Back
Top Bottom