I have been a strong advocate for two factor authentication and still am, but I ran across a situation yesterday that made me realize that there is something that you need to consider when you implement two factor.
The situation that I encountered was a user who was using text messages for two factor authentication, and those text messages were going to his cell phone. Without understanding the implications, the user cancelled that cell phone and lost control of the phone number. When that happened, the user lost the ability to sign into the account protected by that phone number.
This is very similar to forgetting your password, but most vendors have made recovering your lost password easy – too easy in my opinion, but we are used to it. I have to admit, I have used it. Typically they send an email to the registered email address and you can reset your password. If a hacker gets into your email, they too can reset any password, which is why I say that it is too easy.
The problem/question is this: if you lose access to your phone number, does the vendor have a mechanism to recover access to the account? Notice I didn’t say your phone, but rather your phone number. If you lose your phone but still control the number, you can move that number to any new phone and still get those text messages.
Let’s say you protect your bank account with two factor. Likely, you can go into the bank in person, show a banker your government issued picture ID, and they can remove the two factor requirement or change the phone number. MAYBE. Worst case, you can go into that same bank, close your account, take your money and open a new account.
But what if the account is Facebook? There is no Facebook store to go into to do the same thing, and closing your Facebook account will disconnect you from everyone. Of course, losing access to Facebook might give you a lot of time back in your day.
OK, so now I scared you out of using two factor authentication. Let me see if I can make you OK with two factor.
First, if the web site allows it, you should create a backup authentication option. For example, many companies will allow you to get your second factor via text message OR phone call, or possibly via text message OR email. If they allow that, make sure that you set it up. That way, if you lose access to your phone number, you can still log in after receiving the code via phone call or email. DO NOT make the backup phone number the same phone number that you get your text messages on. Remember that the issue is that you lost control of that phone number. Use a home phone, a work phone, a spouse’s phone, or just something different.
Next, make sure that you keep track of what those second methods are. Sometimes a web site will display an option showing you how you can receive the second factor. If it does, pay attention and make sure that you still have access to it.
Do not release your phone number until you are sure that everything you are using it for has been accounted for. If you have to change your phone number for some reason, look at all the accounts that use it for protection, disable two factor before you get rid of that number, and then turn it back on with the new number.
Talk to your phone carrier and add a password to your mobile phone account. While hackers can sometimes social engineer their way around that, it makes it more difficult, and it reduces the odds that you will lose access to that phone number.
Next, ask the vendor what their policy is for resetting two factor authentication. Even Google has a method to do this. It is a bit of a pain and it can take a couple of days, but it is possible.
As two factor becomes more popular, vendors are going to have to deal with this new reality, but it will take some time.
Finally, if you use two factor authentication apps like Facebook Authenticator, those are more portable. As long as you don’t lose access to your Facebook account, you can still get to the authenticator from any phone – provided your access to Facebook is not protected solely by a second factor tied to that lost phone NUMBER.
I know, something else to worry about. I think as long as you set up two different methods to receive that second factor, you are pretty safe. Just keep it in mind.