Preventing 2FA Crises


So...you've heard about using two/multi-factor authentication (2FA/MFA), and hopefully you've already started using it...😅

A recent podcast episode I listened to detailed the painful process of what can happen if you lose your 2FA codes, and I hope to address how to prevent this, even if you can't receive the SMS/calls that the 2FA service I'm mentioning uses as its typical verification process.

NOTE: this is my opinion on how to balance security and redundancy, please comment if you know of better ways. (I'd love to hear about it)

Overview

So, the app that I currently recommend (as of 2022-11-11) is Authy. I'm not getting sponsored to mention them, it's just been my (and my friends') go-to app for years now. The main reason is that it allows you to back up your 2FA codes and, while doing that, synchronize those codes across multiple devices. These two features, along with having separate passwords (one to decrypt your backed-up codes and one to authenticate to the app locally), are some of the amazing features of the app.

Preventing lockout (Backup)

I'm not going to detail how to get started with Authy, I'll leave that to their documentation (wayback machine link). I will say though, once you've downloaded the Authy app and created an account, the first thing you should do is turn on account backups/sync. This allows any 2FA codes you add to be synced to their servers and gives you a backup to restore from on any device.

NOTE: make sure the backup password is a STRONG password...if your Authy account gets compromised, it'll be the only thing standing between an attacker and all your 2FA codes!

I personally recommend generating a random password and then storing it in a password manager (Bitwarden, LastPass, or KeePass if you want it local). Typically, if you're locked out of your 2FA codes you'll still be logged into one of your cloud-based password managers (at least for a little while), but if you don't want to risk being locked out of those too, you can store the password in a KeePass file and keep that backed up somewhere.

Preventing lockout from Authy

Now that you have your accounts backed up...what happens if you want to sign into your Authy account on a new device? It wants to authenticate you...typically via SMS. So, if you don't have SMS access, you'll be locked out of your Authy account (this is painful, and I've experienced it second-hand through a loved one 😢). The next step is to prevent yourself from getting locked out of Authy 😅

So, the only alternative method to prevent this, and to let yourself log in again when you don't have SMS access to your phone number, is to enable multi-device access. While this does technically widen the attack surface, like I mentioned, I'm trying to balance security with redundancy. Once you've fully authenticated on another device, the device you're trying to log in with can send a push notification to that already-authenticated device instead of authenticating via SMS/call (more info here).

This is why, after you've set up the backup password and enabled multiple devices, I'd recommend having at least 2-3 devices fully logged into Authy. As my father always says:

2 is 1...1 is none

(⬆ - referring to having backups)

Conclusion

So, while this process probably isn't the most secure, IMO it gets you the most security with redundancy that's currently possible.

Bonus

Exhausting recovery codes

During the podcast episode, one of the hosts mentioned how they'd almost exhausted their recovery codes, and that if you do exhaust all of your backup codes you can't get back into your account.

One of the ways to help prevent this (from my experience) is to temporarily disable 2FA on your account and then re-enable it. Whenever I've done this in the past, vendors have typically given me a whole new set of recovery codes, which should help prevent exhausting them.
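To make the "exhaustion" failure mode concrete, here is an added example (my own illustrative code, not any vendor's implementation) of how a service typically handles single-use recovery codes: it keeps only salted hashes, burns each code on use, warns when the set runs low, and, on a disable/re-enable of 2FA, throws away the whole old set and issues a fresh one. The `RecoveryCodes` class, its parameters and the walkthrough function are all hypothetical.

```python
import hashlib
import hmac
import secrets


class RecoveryCodes:
    """Model of how a service typically manages single-use recovery codes:
    the user sees the plaintext codes once; the server keeps only salted
    hashes, burns each code on use, and replaces the whole set when 2FA is
    re-enrolled. Hypothetical implementation for illustration only."""

    LOW_WATER_MARK = 2          # warn the user when this few codes remain
    KDF_ITERATIONS = 20_000     # kept small for the demo; raise in production

    def __init__(self, count: int = 10, length_bytes: int = 5):
        self._salt = secrets.token_bytes(16)
        self._unused: set[bytes] = set()
        self.plaintext: list[str] = []
        self.regenerate(count, length_bytes)

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt,
                                   self.KDF_ITERATIONS)

    def regenerate(self, count: int = 10, length_bytes: int = 5) -> list[str]:
        """Disabling and re-enabling 2FA: every old code is invalidated and a
        fresh set is issued. Returns the new plaintext codes (show them once)."""
        codes = [secrets.token_hex(length_bytes) for _ in range(count)]
        self._unused = {self._hash(c) for c in codes}
        self.plaintext = codes
        return codes

    def redeem(self, submitted: str) -> bool:
        """Accept a code exactly once. Constant-time comparison against every
        stored hash so response timing does not reveal near-misses."""
        digest = self._hash(submitted.strip().lower())
        matched = None
        for stored in list(self._unused):
            if hmac.compare_digest(stored, digest):
                matched = stored
        if matched is None:
            return False
        self._unused.discard(matched)      # single use: burn it
        return True

    def remaining(self) -> int:
        return len(self._unused)

    def running_low(self) -> bool:
        return self.remaining() <= self.LOW_WATER_MARK


def exhaustion_walkthrough() -> dict:
    """The podcast scenario step by step: burn most of a set, notice it is
    running low, re-enrol 2FA, and confirm the old codes are dead."""
    rc = RecoveryCodes(count=10)
    original = list(rc.plaintext)
    used = [rc.redeem(c) for c in original[:8]]           # 8 recovery logins
    result = {
        "all_eight_accepted": all(used),
        "remaining_after_use": rc.remaining(),
        "running_low": rc.running_low(),
        "reuse_rejected": rc.redeem(original[0]),          # already burned
    }
    rc.regenerate()                                        # disable + re-enable 2FA
    result["remaining_after_regenerate"] = rc.remaining()
    result["old_unused_code_rejected"] = rc.redeem(original[9])
    result["new_code_accepted"] = rc.redeem(rc.plaintext[0])
    return result


if __name__ == "__main__":
    for key, value in exhaustion_walkthrough().items():
        print(f"{key}: {value}")
```

The `running_low()` check is the part worth copying into your own head: once you are down to a couple of codes, re-enrol before the last one is gone, because after that the server has nothing left to accept.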

Bitwarden Authenticator (TOTP storage)

While Bitwarden's Time-based One-Time Password (TOTP) storage is very convenient (and I won't confirm or deny whether I use it as well 😅), it does technically fail to provide a second factor of authentication. If some malicious individual gains access to your Bitwarden account, and all your TOTP codes are stored in that same Bitwarden account...then they have access to everything. By comparison, if you use Bitwarden for passwords and a separate application (e.g. Authy) for your TOTP codes, then you genuinely have a second factor of authentication.

It always comes down to your balance of security vs convenience. If you won't use TOTP without Bitwarden's TOTP storage, then I'd personally rather you use it than not use TOTP at all. 😅