The Dark side of 2FA

Ok, maybe "down side" is a better word than "dark side", but it sucks for sure.

I’m a big proponent of two-factor authentication (2FA). While it’s not the most convenient, with cyber attacks happening more and more frequently I’ll take the inconvenience over having to fight to get my bank account back, etc.

A few weeks ago I got a new iPhone. Like many others, it was iPhone 6-mas, and my time had come.

I picked up my phone, restored from an iCloud backup and went on with my life. Until I tried to log in to my blogs (work and personal). WordPress uses Google Authenticator, which is nice because many sites support it, so you don’t need a separate app for each one (except name.com, which uses a different app; more on that later).

To my surprise, the app doesn’t simply keep working on a new phone (despite the restore being a complete, and in my case encrypted, backup of the previous device): the credentials don’t carry over, so my auth codes didn’t work. I had no idea why. I tweeted and thankfully someone pointed out they’d had the exact same issue and mentioned being lucky their old phone was still around. Mine was too, so I powered it up.

Thankfully I was able to log in, delete the old credentials, and set up new ones on my new phone.

The worst part is that WordPress doesn’t provide an “I don’t have my phone” style recovery option. Had I erased my old phone, I’m not sure what I would have done. I lucked out. My payment processor, Stripe, at least has a “reset my password/credentials” option, which is a nice nuclear option in this type of scenario.

Not so with my name.com account. They chose to use some other passkey-style app, which is fine. Since I don’t log in often, it didn’t occur to me to hop in before wiping my phone a few days ago… Of course, I went to log in because I got a domain expiry notice, and now I’m locked out (there’s no “oops, my phone is no longer tied to the right credentials” option) and waiting for support to reply to my email.

I’m still pro-2FA, and I understand the underlying reasons these things work the way they do, but at the same time, if we want the average user to get on board, we need better recovery options, so that when a phone is lost or wiped someone isn’t locked out of something that could be immensely vital.
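To make the mechanics behind the story concrete, here is an added example (my own code, not WordPress’s, Google Authenticator’s or Authy’s) showing why a restored phone can’t log you in and what a sane “I don’t have my phone” option looks like. The code is the TOTP algorithm from RFC 6238 (HMAC-SHA1 over a 30-second time counter), checked against the RFC’s published test secret; the `Account` class, its re-enrolment behaviour and the hashed single-use backup codes are my assumptions about how a site would implement the server side, not any particular site’s implementation. The point it demonstrates: the six-digit code is a function of a secret that lives only on the enrolled device, re-enrolling replaces that secret (so the old phone’s entry stops working), and backup codes give a recovery path that doesn’t depend on the phone at all.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 6238 / RFC 4226 test secret ("12345678901234567890" in base32); used only
# so the vectors below are checkable. Real secrets are generated per user.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def totp_code(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True
    return False


class Account:
    """Assumed server-side 2FA state: one TOTP secret plus hashed single-use backup codes."""

    def __init__(self) -> None:
        self.totp_secret = None
        self.backup_hashes = set()

    def enroll_totp(self) -> str:
        """Generate a fresh 160-bit secret. Re-enrolling replaces the old secret, which is
        why an entry still sitting in an old phone's authenticator stops working."""
        self.totp_secret = base64.b32encode(secrets.token_bytes(20)).decode()
        return self.totp_secret  # shown to the user once, typically as a QR code

    def issue_backup_codes(self, count: int = 8) -> list:
        """Mint single-use recovery codes; store only their hashes, return plaintext once."""
        codes = [secrets.token_hex(5) for _ in range(count)]
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def login_second_factor(self, submitted: str, unix_time: int) -> bool:
        """Accept either a live TOTP code or an unused backup code (consumed on use)."""
        if self.totp_secret and verify_totp(self.totp_secret, submitted, unix_time):
            return True
        digest = hashlib.sha256(submitted.encode()).hexdigest()
        if digest in self.backup_hashes:
            self.backup_hashes.discard(digest)  # single use: burn it
            return True
        return False


if __name__ == "__main__":
    now = 1_000_000  # constructed timestamp; a real server uses time.time()
    acct = Account()
    old_secret = acct.enroll_totp()
    old_phone_code = totp_code(old_secret, now)
    print("old phone code accepted:", acct.login_second_factor(old_phone_code, now))
    acct.enroll_totp()  # "delete the old credentials and establish new ones"
    print("old phone code after re-enrol:", acct.login_second_factor(old_phone_code, now))
    codes = acct.issue_backup_codes()
    print("backup code works once:", acct.login_second_factor(codes[0], now),
          acct.login_second_factor(codes[0], now))
```

Two design choices worth noting: the server keeps only hashes of the backup codes, so a database leak doesn’t hand out working second factors, and each code is discarded the moment it is used. Authy, mentioned in the comments, solves the same restore problem from the other direction by backing up the secrets themselves.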

3 thoughts on “The Dark side of 2FA”

  1. Jeffry Houser

    My biggest point of confusion with 2-Factor Authentication is that none of my banks seem to offer it.

    It is great to have on Google and Facebook and such; but I’d love to also get it with my banks and stuff…

  2. John Wilker Post author

    Give it 10 years. I suspect banks don’t because of the non-friendly nature of using it. My parents would never again have access to their accounts if they had to figure out 2fa. Terrence pointed out Authy, which I’m migrating to; it’s a much nicer approach for sure. I suspect it will suffer less of the issues I outlined above, we’ll see.

    But yeah I think 2fa is either likely to never be mainstream or it will be years and years from now.

  3. Aaron Bailey (@aaronbailey)

    This same problem forced me to switch to authy (https://www.authy.com/) which encrypts and backs up your keys to their servers. So if you ever need to wipe the phone, you can restore your authy keys and be back up and running. I’d *love* to see 1password build this into their app. So far, authy works with everything I had used Google Authenticator on.
