This article originally appeared in TidBITS on 2013-08-28 at 8:04 a.m.

Dancing the Two-Step: Coping with the Loss of a Second Factor

by Glenn Fleishman

The camera in my iPhone 5 finally became intolerable. It had shown some evidence of dust or a sensor failure inside its sealed optics for some time, but I had coped. The Standby button had also started to lose its resiliency and required a hard push to activate, but I was too busy to swap out the iPhone. Then a hair started appearing in all photos. That was the squiggle that broke the camel’s back.

I blithely went to a Genius Bar appointment, received a new iPhone 5 under warranty (not even invoking AppleCare+, which I have, as it was considered a factory defect), and restored from my iCloud backup. It was only 40 minutes later, when the restore was complete, that I realized I had blundered in not preparing for the loss of my so-called “second factor.”

Two-step or two-factor logins typically require that a login uses two different methods: a password and a one-time code sent via text message, created within a specialized app, or displayed on the tiny screen of a keychain generator or ID card. Second factors rely on physical possession of an object, or of the device running the app. They don’t provide perfect security, but someone cannot simply steal your password and have full access to an associated account.

Most of my second factors were stored in Google Authenticator [1], a free app (for iOS and Android) from the search giant. Despite coming from Google, the app works with many two-step authentication systems to generate the time-limited codes that supplement passwords. To get started with it on a particular site, you need to enter a special priming code — a shared secret, usually presented as a string of letters and digits — either by typing in that set of characters or by capturing a QR code that contains it.

From then on, Google Authenticator derives a six-digit login code from that shared secret and the current time, using the TOTP standard (RFC 6238): the secret and the current 30-second time step are run through an HMAC, and a few digits are extracted from the result, so the code changes every 30 seconds rather than every minute. A well-behaved site accepts each code only once, so a code captured after use is worthless, and it accepts a code only during its own 30-second step (plus a step or so of slack for clock drift), never thereafter. Wisely, Google Authenticator keeps the secret behind the priming code only on the device itself and excludes it from iCloud and iTunes backups, since a bad guy could otherwise restore a stolen iPhone’s backup and gain the ability to generate your codes! (See “Elcomsoft Details Gaps in Apple’s Two-Factor Authentication Approach [2],” 30 May 2013.)
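Here is that derivation in working code, as an added example (it is not code from the article or from Google Authenticator): an RFC 6238 TOTP generator, the server-side check that enforces the single-use and time-window rules, and a demonstration that two phones primed with the same code produce identical codes, which is why a saved priming code restores access without any reset. The secret is the RFC 6238 reference test key, chosen so the output can be checked against the published test vectors; the verifier class and its one-step drift window are my assumptions about how a site might implement the check, not any particular service’s behaviour.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the RFC 6238 reference test key (ASCII "12345678901234567890").
# A real priming code is the base32 form of a random secret chosen by the site at enrollment.
EXAMPLE_SECRET = b"12345678901234567890"
PRIMING_CODE = base64.b32encode(EXAMPLE_SECRET).decode("ascii")  # what the QR code carries

STEP_SECONDS = 30   # Google Authenticator rotates codes every 30 seconds, not every minute
DIGITS = 6


def secret_from_priming_code(code: str) -> bytes:
    """Decode the base32 priming code that is typed in or scanned when enrolling a site."""
    code = code.strip().replace(" ", "").upper()
    code += "=" * (-len(code) % 8)          # restore padding that many sites omit
    return base64.b32decode(code)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step)


class ServerVerifier:
    """Hypothetical server side: tolerate +/-1 step of clock drift, reject reuse of any accepted step."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_step = -1        # highest time step already consumed by a login

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            step = now_step + delta
            if step <= self.last_accepted_step:
                continue                    # replay: this step (or an earlier one) is already burned
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    old_phone = secret_from_priming_code(PRIMING_CODE)
    new_phone = secret_from_priming_code(PRIMING_CODE)   # re-entered from your password manager
    assert totp(old_phone, now) == totp(new_phone, now)  # same secret, same code: access restored
    site = ServerVerifier(new_phone)
    code = totp(new_phone, now)
    print("code for this 30-second step:", code)
    print("first login accepted:", site.verify(code, now))
    print("replay accepted:", site.verify(code, now))
```

Two things worth noticing when running it: the single-use property is enforced by the server remembering the last accepted step, not by anything in the code itself, and a code from the previous step is still accepted because of the drift window, so “useless after 30 seconds” is really “useless after about a minute” on most sites.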

But that caused a problem for me, even though I consider myself relatively adept at security and good at thinking ahead. I knew I’d need two different Apple ID passwords and my Dropbox password to do a restore away from my main Mac. But I didn’t anticipate the two-step login problem at that moment.

Luckily, I had done the necessary work previously, when I set up the various two-step systems. Most systems provide methods of restoring access or resetting a two-factor system as long as you retain two of three pieces of information: email access to the address you used (or physical access to a specific set of trusted devices), your password, and a special recovery key or similar code. I had stashed recovery codes like mad, and simply forgotten about them until this point.
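The recovery-key half of that model, as an added example that is not from the article or from any of the services mentioned: the site generates a handful of random single-use codes, shows them exactly once for the user to stash in a password manager, and stores only their hashes, burning each one on first use. The alphabet, code length and plain SHA-256 hashing are my choices (ten characters from a 31-symbol alphabet carry about 49 bits of entropy, so a slow password hash is unnecessary); real services differ in the details.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/O, 1/l/I so a code printed or copied from a password manager survives transcription.
CODE_CHARS = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = 8, length: int = 10) -> list:
    """Fresh single-use codes from the OS CSPRNG; displayed to the user once, never stored in clear."""
    return ["".join(secrets.choice(CODE_CHARS) for _ in range(length)) for _ in range(count)]


def _digest(code: str) -> str:
    """Normalise what the user typed (case, separators) before hashing, as enrollment did."""
    return hashlib.sha256(code.replace("-", "").replace(" ", "").lower().encode()).hexdigest()


class RecoveryCodeStore:
    """Hypothetical server side: keeps only hashes, and each code works exactly once."""

    def __init__(self, codes):
        self._unused = {_digest(c) for c in codes}

    def redeem(self, code: str) -> bool:
        """True on the first successful use of a code; that code is then gone for good."""
        presented = _digest(code)
        for stored in list(self._unused):
            if hmac.compare_digest(stored, presented):
                self._unused.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("save these somewhere safe:", " ".join(codes))
    store = RecoveryCodeStore(codes)          # the site keeps this; the plaintext list is discarded
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

Because a redeemed recovery code is equivalent to the second factor it replaces, the sensible flow after using one is the Stripe-style reset: disable two-factor, re-enrol with a new priming code, and generate a fresh set of recovery codes, since the old set is now one shorter and was exposed during the recovery.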

I use Yojimbo to stash my recovery keys. Yojimbo, just out in version 4 with a new syncing option, uses strong encryption for its secured elements (see “Yojimbo 4.0 Adds Syncing… But Not Via iCloud [3],” 14 August 2013). Set a strong password, and only that password will allow recovery of items stored in its database. 1Password, LastPass, and various other secure password managers and snippet keepers would also work for storing recovery keys.

Recovering from a Lost Second Factor -- Let’s walk through how I got back into each of my two-factor services after restoring the new iPhone 5 from my backup:

In the case of Stripe, I had stored a recovery code, and used that to log in and disable two-factor authentication, after which I re-enabled two-factor authentication with a new priming code and recovery key.

For Linode, I had stored the code that was used to prime Authenticator, and once I re-entered that code, access was restored without me needing to regenerate anything.

Looking Forward -- Clearly, I had no comprehensive plan for how I’d recover from the loss of my second factor in two-factor authentication systems. And the fact that no two of these services are precisely alike made it a little worrisome as I tried to figure out whether or not I’d lose access permanently or need to jump through more hoops to get back in. (Had I not kept my priming code for Linode, I would have had to send a scan of both sides of the credit card used for billing, omitting some numbers for security, along with some other data to convince them to restore access.)

My general advice for anyone using a two-factor authentication system is:

Being able to make a secure, encrypted backup of the secrets stored in Google Authenticator would also have been a shortcut around all of this, and wouldn’t have exposed me to any more risk than my current storage of passwords and recovery codes.