Have a two-factor authentication backup plan and sleep better tonight

Two-factor authentication is great security when it works. Here's what to do when it doesn't

[Image: "Don't let this happen to you." Image credit: flickr/Kai Hendry]

I got up last Wednesday morning, sat down at my computer and, before the coffee could kick in, was jolted awake by a post on Hacker News: an update to Google Authenticator (GA) on iOS had just been released which, apparently, broke the app. Translation: those of us who rely on GA to provide the second form of two-factor authentication (2FA) for vital web sites, and who had updated the app, could be locked out of those sites. As one who uses GA for some key sites such as Google and LastPass, this news triggered a Fred Sanford-ish Elizabeth-I’m-Coming-to-Join-You-Honey moment for me.

Luckily, I hadn’t installed the update, and, by that time, Google had already pulled the app from the app store. Unfortunately, though, a number of people did install the broken update, including some who are using a beta version of iOS 7, which auto-updates apps by default. Google has since released an updated version of Authenticator that doesn’t include that annoying little glitch.

This incident should serve as an important reminder to all that, while multi-factor authentication is a great security enhancement when it works, it can be a nightmare when it doesn’t, if you haven’t prepared for that contingency. If you haven’t considered the possibility that the device or app you use for 2FA can be lost, damaged or generally put out of commission, now would be a good time to review your options and make a backup plan. This is what I did after I got up off the floor and realized everything was OK.

Your 2FA backup options vary depending on the site that offers it, but there are a few common options:

  • One-time use authentication codes - Many sites offering 2FA will provide a set of one-time use authentication codes that you should print out and keep in a safe place. If your mobile device goes AWOL, you can then pull out your codes and use one of them to log in. If you haven’t already, print out those one-time authentication codes now and squirrel them away in a secure place(s)!

  • Backup authentication devices - Some sites will let you add backup devices, such as a spouse’s mobile phone, to which authentication codes can be sent (usually via SMS) if your primary device is unavailable. Google even allows you to specify a landline, by which you can receive an authentication code via voice message.

  • Authentication key backups - In the wake of the GA mess, some people were sharing methods for backing up the keys used to create authentication codes in GA. Often, these are QR codes that you scan with your device to create the account key in GA. The idea is that you save these keys (again, in a secure spot) so you can use them later to reconfigure GA (or move them to another device) if need be. Other authentication apps, like Authy, will let you create backups of the keys used to generate the authentication tokens (how secure those backups are, though, is a topic of debate).

The best way to know your options is to check with the site in question. Here are links for setting up and managing multi-factor authentication with some of the more popular sites: Google, Twitter, Facebook, Dropbox, LastPass, Microsoft, Amazon Web Services, PayPal.

At the very least, if you use 2FA, be sure to print out those one-time use codes now and prevent yourself from possibly having your own Fred Sanford moment later.

Read more of Phil Johnson's #Tech blog and follow the latest IT news at ITworld. Follow Phil on Twitter at @itwphiljohnson. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
