The Dark side of 2FA
OK, maybe "downside" is better than "dark side". But there's a suck for sure.
I'm a big proponent of two-factor authentication (2FA). While it is not the most convenient, with cyber attacks happening more and more frequently, I'll take the inconvenience over having to fight to get my bank account back, etc.
A few weeks ago I got a new iPhone. Like many, it was iPhone 6-mas, and my time had come.
I picked up my phone, restored from an iCloud backup and went on with my life. Until I tried to log in to my blogs (work and personal). WordPress uses Google Authenticator, which is nice, because many sites can use it, so you don't need a separate app for each one (except name.com, which uses another app; more on that later).
To my surprise, you can't simply use the app from a new phone (despite its being a complete, and in my case encrypted, backup of the previous device). My auth credential didn't work. I had no idea why. I tweeted, and thankfully someone pointed out having had the exact same issue and mentioned being lucky their old phone was still around. Mine was too, so I powered it up.
Thankfully I was able to log in, delete the old credentials and establish new ones on my new phone.
The worst part is that WordPress doesn't provide an "I don't have my phone" recovery option. Had I erased my phone, I'm not sure what I would have done. I lucked out. My payment processor, Stripe, at least has a "Reset my pwd/credentials" option, which is a nice nuclear option in this type of scenario.
Not so much with my name.com account. They chose to use some other passkey-style app, which is fine. Since I don't log in often, it didn't occur to me to hop in before wiping my phone a few days ago… Of course I went to log in because I got a domain expiry notice, and now I'm locked out (no option for "oops, my phone is no longer tied to the right credentials") and waiting for support to reply to my email.
I'm still pro-2FA, and I understand the underlying reasons these things work like they do, but at the same time, if we want the average user to get on board, we need better recovery options, so that when a phone is lost, wiped, etc., someone isn't locked out of something that could be immensely vital.