Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the best-selling Take Control ebooks.

Dancing the Two-Step: Coping with the Loss of a Second Factor

Send Article to a Friend

The camera in my iPhone 5 finally became intolerable. It had shown some evidence of dust or a sensor failure inside its sealed optics for some time, but I had coped. The Standby button had also started to lose its resiliency and required a hard push to activate, but I was too busy to swap out the iPhone. Then a hair started appearing in all photos. That was the squiggle that broke the camel’s back.

I blithely went to a Genius Bar appointment, received a new iPhone 5 under warranty (not even invoking AppleCare+, which I have, as it was considered a factory defect), and restored from my iCloud backup. It was only 40 minutes later, when the restore was complete, that I realized I had blundered in not preparing for the loss of my so-called “second factor.”

Two-step or two-factor logins typically require that a login uses two different methods: a password and a unique token sent via text message, created within a specialized app, or displayed on the tiny screen of a keychain generator or ID card. Second factors rely on physical possession of an object or an app on a device. They don’t provide perfect security, but someone cannot simply steal your password and have full access to an associated account.

Most of my second factors were stored in Google Authenticator, a free app (for iOS and Android) from the search giant. Despite coming from Google, the app works with many two-step authentication systems to generate the time-limited codes that supplement passwords. To get started with it on a particular site, you need to enter a special priming code — either by typing in a set of characters or by capturing a QR code.

From then on, Google Authenticator cryptographically derives a set of digits for your login code that resets every minute. The current time is a factor in the computation that creates the code. These codes may be used only once, and thus are useless if captured after use. Plus, they work only during a 60-second period, and are useless thereafter. Wisely, Google Authenticator doesn’t retain the priming codes, since a bad guy could otherwise restore a stolen iPhone’s iCloud backup and gain access to those codes! (See “Elcomsoft Details Gaps in Apple’s Two-Factor Authentication Approach,” 30 May 2013.)

But that caused a problem for me, even though I consider myself relatively adept at security and good at thinking ahead. I knew I’d need two different Apple ID passwords and my Dropbox password to do a restore away from my main Mac. But I didn’t anticipate the two-step login problem at that moment.

Luckily, I had done the necessary work previously, when I set up the various two-step systems. Most systems provide methods of restoring access or resetting a two-factor system as long as you retain two of three pieces of information: email access to the address you used (or physical access to a specific set of trusted devices), your password, and a special recovery key or similar code. I had stashed recovery codes like mad, and simply forgotten about them until this point.

I use Yojimbo to stash my recovery keys. Yojimbo, just out in version 4 with a new syncing option, uses strong encryption for its secured elements (see “Yojimbo 4.0 Adds Syncing… But Not Via iCloud,” 14 August 2013). Set a strong password, and only that password will allow recovery of items stored in its database. 1Password, LastPass, and various other secure password managers and snippet keepers would also work for storing recovery keys.

Recovering from a Lost Second Factor -- Let’s walk through how I got back into each of my two-factor services after restoring the new iPhone 5 from my backup:

  • Apple ID. Recovering Apple’s two-factor authentication is the simplest case, because Apple requires a mobile number to which to send text messages as either the primary or backup method for a two-step login. In this case, I lost nothing because my phone number was transferred and activated on the new SIM. In fact, despite having two-factor authentication turned on, I wasn’t even prompted for anything but my password when I restored from iCloud, turned on my iTunes account, or logged into iCloud email. That’s not ideal, but Apple’s two-factor authentication doesn’t actually protect that much! (For details, see “Apple Implements Two-Factor Authentication for Apple IDs,” 21 March 2013.)

    Apple’s system relies on a set of three trusted elements: your password, one or more trusted devices (set up for SMS or Find My iPhone messaging), and a recovery key created when you set up two-step logins. As long as you have any two of those three, you can recreate the missing third. You can reset a password with a recovery key and trusted device, for instance. If you have only one of the three, you’re sunk, and your Apple ID is dead forever.

  • Google. With Google, you can pair your password with SMS, Authenticator, or one of a set of 10 backup codes that are generated when you set up two-step login. If you lose your password, it can be reset, but you still need one of these other factors.

    Even though I had lost the Authenticator token, I could still have requested an SMS message or used one of the backup codes. However, since I had verified my desktop computer, I was able to log in there without needing any additional steps and regenerate my Authenticator code.

  • Dropbox. As with Google, resetting two-factor authentication with Dropbox requires use of a recovery key. I was able to go to a desktop computer which had been authorized, and login and use a recovery key generated during signup. I then removed Authenticator as the primary way of getting a code, and set Dropbox to use SMS temporarily. I later went back and reset Dropbox to use Authenticator and regenerated the recovery key, since keeping the one I’d used previously around seemed like a bad idea.

    Be particularly careful with Dropbox, since it tends to be used for syncing utilities that you might use for storing recovery keys, such as 1Password and Yojimbo. But if you can’t get into Dropbox without a recovery key, and the recovery key is itself in Dropbox, you’re faced with a Catch-22.

  • Stripe and Linode. While these are more specialized services — a credit-card payment processor and a virtual private server host — both offer two-step logins and both work with verification apps like Authenticator.

In the case of Stripe, I had stored a recovery code, and used that to log in and disable two-factor authentication, after which I re-enabled two-factor authentication with a new priming code and recovery key.

For Linode, I had stored the code that was used to prime Authenticator, and once I re-entered that code, access was restored without me needing to regenerate anything.

Looking Forward -- Clearly, I had no comprehensive plan for how I’d recover from the loss of my second factor in two-factor authentication systems. And the fact that no two of these services are precisely alike made it a little worrisome as I tried to figure out whether or not I’d lose access permanently or need to jump through more hoops to get back in. (Had I not kept my priming code for Linode, I would have had to send a scan of both sides of the credit card used for billing, omitting some numbers for security, along with some other data to convince them to restore access.)

My general advice for anyone using two-factor authentication system is:

  • If you know you’re going to lose your second factor because you’re sending an iPhone in for repair or getting a new one, it’s easiest to turn off two-factor authentication first, and then turn it back on later.

  • Store your recovery keys in a place you can remember, that’s secured but available, and that’s also backed up offsite, whether via offline USB in a safe deposit box or an Internet sync/backup service. (My Yojimbo database is backed up through Dropbox and CrashPlan so in the worst case, I could access it on a friend’s Mac.)

  • Likewise, keep your passwords stored safely and backed up, with an offline secure copy. (I use 1Password, which is backed up through Dropbox and CrashPlan as well.)

  • Although this isn’t typically recommended, you could capture and store the priming codes used for second-factor generation in Authenticator and other apps. Take a screen capture of a 2D tag or copy down the equivalent text and store that information somewhere extremely secure. The priming code is essentially just as useful for a break-in as your password, since it’s all that’s needed to generate a second factor.

  • Make sure you know the requirements for restoring access. Some systems may be permanently inaccessible if you don’t have a password plus a recovery key or some other combination, as is the case with Apple IDs.

Being able to make a secure backup of Google’s Authenticator-stored codes would also have been a shortcut around all of this, and wouldn’t have exposed me to any more risk than my current storage of passwords and recovery codes.

 

Make friends and influence people by sponsoring TidBITS!
Put your company and products in front of tens of thousands of
savvy, committed Apple users who actually buy stuff.
More information: <http://tidbits.com/advertising.html>
 

Comments about Dancing the Two-Step: Coping with the Loss of a Second Factor

Interesting timing of this article. Google Authenticator just lost all auth codes for people that applied the latest app update. I keep a hard copy locked up of the 2-d scan codes. It is also possible to use a different app (authy for example) that will store the priming codes and adds a pin. I learned the hard way when my iPhone was replaced under applecare. At the bare minimum, the google app should warn that the info isn't saved during a backup. We tend to get lazy now that most items are backed up. I don't have a problem with it not being stored, but wish I had known the first time I experienced it.