Switch to HTTPS

Switch to HTTPS: https://t7j7l.blogspot.com/

Saturday, 30 January 2016

Finding my 2-factor authentication backup/recovery codes


Although I'm not as paranoid as before, security is still very important in our lives. That include 2-factor authentication (2FA), which basically uses your phone to generate a second "password" code whenever you (or someone else) logs in with a new/unknown device. This code usually appears on an app that refreshes every 30 seconds (software key), or is sent to your phone via SMS.

Don't worry too much about inconvenience, you can always remember your device or app's access to Google, Facebook, or whatever. The main problem would be (legacy) apps that doesn't support 2FA, those require you to go into your account and setup an "app password" (which is just a longer auto-generated password that replaces your normal password).

Currently I have 8 accounts setup the first way (software key) using Authenticator Plus. They include Google, Microsoft, LastPass, Facebook, Amazon, Dropbox, Wilders Security Forums, and TurboTax. I chose that app specifically because it has the most features, which includs showing the codes on your Android Wear smartwatch! There are even more accounts setup via 2FA text message or separate apps, such as Apple, Yahoo, LinkedIn, Box, PayPal, and Steam.

So the story was that I had a text document of all my backup/recovery codes, which allows you to bypass 2FA when you lose your phone, encrypted in a 7z archive. After some time passed, I couldn't remember the password to that archive anymore! Of course I chose good security settings, so those "cracking" tools never worked. So here I am today, trying to get all the codes back.

From my experience, only around half the sites support a backup or recovery key. Fortunately there are other ways to recover your account, but I'd like to see this option just in case. The offenders are: Amazon, Box, PayPal, LastPass, LinkedIn, TurboTax, and Yahoo. As for the ones who do support it, sometimes you have to look deep into account settings or even Google search. I will list them anyhow, feel free to ask any questions if you're having trouble retrieving your own codes: Apple, Dropbox, Facebook, Google, Microsoft, Steam, and Wilders Security Forums.

Of course, there are exceptions to pretty much everything. I noticed that eBay claims to use a Security Key like PayPal, but it never prompted me for a code when I sign in from say incognito mode (private browsing). And it seems Launchpad and Norton supports it as well, but I haven't bothered enabling those due to low security risk and usage of their services.

In the end, two factor authentication is a worthwhile security feature that will definitely help prevent others from (maliciously) accessing your accounts. Unfortunately, it also means you can lose that account easier, but isn't that what this post is about (sort of)? Although I could provide more details about how to find those recovery codes, that'll make this article too long and tedious (once again feel free to ask!). So therefore, I'll just end it here and wish you guys an enjoyable day as always.

No comments:

Post a Comment