My phone broke. I lost access to Google Authenticate and the second half of my two factor authentication.
It was a great opportunity to look at how each of the main services deal with recovery. I’m always looking to increase the baseline of security in every new body of work, and 2-Factor authentication is one interesting avenue, but has a big potential failure scenario. I want to look at how the services deal with this to understand the trade offs.
For those of you unfamiliar with the concept, authentication is generally performed by one of 3 factors : something you know (e.g. a password), something you have (e.g. your car key) or something you are (e.g. fingerprints). 2 factor authentication asks you to prove your identity via 2 of these channels, rather than one, and often chooses the something you have and something you know channels because of the difficulty of replacing the something you are channel if the security is compromised.
Most of the services I discuss here use Google Authenticator which uses your phone as the something you have, seeded with a shared secret (usually encoded as a 2d barcode) to generate a new code at regular intervals that should appear random to any observer but always consistent between server and client.
Many of the services use one-time codes to allow you to log in if you lose your device, and some force you to enter one of those codes as part of the verification process. For all those that provide it, print out those codes as soon as you get the option, and keep their printout safe not near your phone.
Google : provides a set of 10 one time codes. An email when any is used. Easy migration process to a new device, automatically disabling the old device.
Github : sends a text to my phone. Not so good for a stolen phone.
WordPress : a set of 10 one time codes, but no email indication, when one is used. Frustratingly I have to disable and re-enable 2FA to move to a new device, rather than WordPress disabling the old device automatically. Although it does have the nice side effect, unlike Google, of emailing me to let me know a new device was added.
Twitter : temporary password, with 1 hour expiry, provided you’re logged in on another device. For most services this should not be a problem, but it’s a good reminder to ensure you always have more than one trusted device for an account so you can create new trust relationships and disable old ones.
Dropbox : can re-enable authenticator via barcode, if logged in on another device. Email is sent.
I like the Google and WordPress approach for simplicity, if you’re organised enough to use paper as you’re backup device, but I’m comfortable with the approach taken by Dropbox and Twitter that use another device for the authentication.
I don’t like the Github approach, because it fails to recognise the use of the phone for multiple purposes, making a phone much more valuable a target. Luckily my phone was bricked, but I continue to monitor my accounts for suspicious activity, just in case it comes back to life now I’ve been sent a replacement.
I like notifications. I get email notifications on multiple devices and as they are timely, I know immediately if there are unexpected changes. Good marks for Google and WordPress here, but I wish Google sent emails for enabling on a new device and WordPress sent emails for use of one time codes.
I prefer the one time code approach for the way I like to work but I can see the benefits of the multiple trusted device approach. I can’t see any benefits to the github recovery approach apart from simplicity.
2 factor authentication is good, but check your recovery strategy now. I only got back into my accounts because I was prepared.
★ : Two-Factor Authentication Hacked: Why You Shouldn’t Panic buff.ly/1wukaiE