Contingency plan for using Authenticator for 2 step authentication?

You just disable it.

quote:

---

when I couldn't access my phone I had to call AWS

---

This all seems so logical.

I mean how many of these 2 step auth sites actually have a team ready to answer a call for this type of situation? Does a password reset question answering solve this problem? If so whats the point of 2 step?

I love the security of all this, but damn if this isn't a pain in the arse in figuring it out.

quote:

---

I love the security of all this, but damn if this isn't a pain in the arse in figuring it out.

---

How about this... my aunt uses a cox.net email address, and by default they put her backup email in case of lost password as... HER OWN frickING COX.NET EMAIL ADDRESS!


"Forgot your email password? No problem! Just click the link in this email we're sending you..."

quote:

---

But if you can't answer your own phone or emails, you've got bigger problems.

---

I mean shite losing my phone would lock me out of my email while not allowing me to answer a call until I got a new phone. I have Gmail, Yahoo mail, Amazon, and Microsoft currently protected under 2s. I guess you have to go through each of them one by one to turn off 2s? Seems as though whoever's Authenticator software you use that you should be able to have them call you and restore all your enrolled accounts. Or is that a security risk?

quote:

---

I mean shite losing my phone would lock me out of my email while not allowing me to answer a call until I got a new phone. I have Gmail, Yahoo mail, Amazon, and Microsoft currently protected under 2s. I guess you have to go through each of them one by one to turn off 2s?

---

Yes.

quote:

---

Seems as though whoever's Authenticator software you use that you should be able to have them call you and restore all your enrolled accounts. Or is that a security risk?

---

That's not how it works. None of the authenticator apps actually control access to your accounts. Rather, the app just tells you the code required to access your accounts. It's just a password manager that generates ever-changing passwords.

They even work without connectivity, because the code at any given point in time is based on the secret key shared between your app and the site you're using it with (usually via QR code during setup). The secret key, the current time, and a signing function are used to generate your access code, so that's how your app can generate the code that the site you're logging into is expecting... they both knew the original secret key, and they both know the current time.

So no, your authenticator app can't disable 2FA on all your sites.

Google will allow you to generate 10 backup codes. Print them off and throw them in a safe.

Microsoft allows you to send a backup to code to a verified secondary email account.

A text to your phone number is your backup

quote:

---

I use Authy

---

Authy is pretty legit. I can actually give some insight into this question for you (at least in reference to Authy). I was without my phone for a few days and I have 2FA set up for most everything that allows it. I also have Authy set up on my work laptop as well. They have a Windows app. I believe they also have a web app, but I haven't used it. I logged into the app on my laptop and was able to 2FA that way and disable it for the apps I knew I would use frequently enough for it to be worth temporarily disabling. If you set up backups (and I would recommend it) you can import your Authy accounts onto another device. You need to 'approve' it on one of your existing devices. Not sure what the process is if you only had one device set up though.

Duo is a great Corporate 2FA solution. I demoed it a while back. The push is nice as it saves a step in opening the 2F app. Also, in the event that you lose your device there is the possibility of your company's IT staff temporarily disabling 2FA (assuming your company policy would allow it).