Why you shouldn’t use Google Authenticator

For some time I have been using 2FA as much as possible, to secure various logins and accounts.

The app I have been using for it is Google Authenticator on Android. This was because the first time I used 2FA was on starting a new job, and it was what the company was using for OpenVPN and Xero. It all seemed simple enough – when setting up an account on a site it showed me a QR code and I scanned it with the phone. Then to login I would just type in the number currently shown in the phone app for that site.

All worked fine for a couple of years until a hardware fault completely bricked my phone. Without ever checking, I had assumed that Google had backed up the secrets it needed and that I could just log into my Google account and have them loaded into the app on my new phone. It turns out that is not the case: there is no way of backing up Google Authenticator at all. When you get a new phone you can transfer the accounts across from the old one, but that is all. If you don’t have the old phone, that obviously can’t be done.

How can this be? It seems GA was originally designed for a corporate environment, where all the keys are generated within the company and a sysadmin can load them onto a new phone. For external sites, you are expected to keep track of the recovery material yourself. Some sites make a big point of getting you to copy it down. Github, for example, exhorts you to copy a whole set of one-time recovery codes, so that you can always use one of those to get in and set 2FA up again. Some sites just tell you to copy one particular string, which turns out to be the shared secret encoded in the QR code (the seed from which every six-digit code is computed), and it is usually displayed alongside the QR code. Anyone who has that string can generate your codes on any device, so it needs to be stored as carefully as a password, but it also means that backing it up is enough to restore the account. Most sites don’t tell you that you need to back it up in case your phone becomes unavailable. A few sites, Coinbase being an obvious offender, don’t show you that string at all – all you see is the QR code.

So for a few sites, like Github, MyGet etc., I was able to get straight back in, because I had the necessary codes backed up. Others, such as Coinbase, Paypal and Okex, involved a lot of work. It is interesting that the sites aimed at software developers understood the problem and made sure I had a way of getting back in, but the financial ones, on the whole, didn’t.

The first site I went to set 2FA back up on was Github. That was where I found some useful advice. Their 2FA setup page pointed out the problem with GA keeping no backups, and instead suggested using Authy, 1Password or LastPass, as all of these can be set to keep encrypted cloud backups of the secrets you enrol. My first reaction was “Is it a good idea to have that in the cloud?”, but then I realised it was fine, because anyone who managed to get the backup and decrypt it (very hard to do) would still need my password data to do anything with it, and that is stored and encrypted separately. The one caveat is that the backup is only as strong as the passphrase protecting it, so that passphrase needs to be long, unique and not reused from the password manager.

I had a look at Authy, just because it was first on the list, and decided to go with it. I’d already looked at the others as possible password managers, but I’ve had a different password manager (SplashID) for so long that it’s too much work to transfer. Authy suited me because it does just the one job, which also means that my password backups and my 2FA backups are kept totally separate.

As well as doing 2FA on the phone in the same way as GA, Authy also has a little desktop app, which means I don’t actually need to go to the phone and can just paste the code straight in when I need it. I’m not totally convinced that’s a great idea from a high-security point of view, since the second factor then lives on the same machine as the browser session, but it is very convenient. One thing I found is that the desktop app doesn’t add new accounts properly and they don’t sync across to the phone reliably, so I always do the maintenance on the phone.

TL;DR Don’t rely on Google Authenticator alone; use Authy, 1Password or LastPass instead, and save each site’s recovery codes, so you don’t get locked out if your phone gets bricked or lost.
