My situation:
I had 2FA set up with my Google Account through Google Authenticator.
I lost my Google Authenticator settings when I broke my phone.
I have 2FA backup codes. These successfully log me into my Google Account.
In order to disable 2FA, or generate new 2FA backup codes, I need to access the 2FA settings page under the Security tab. When I try to load the Two-factor authentication page, I am forced to re-authenticate with Google.
When re-authenticating to access the 2FA page, there is no option to enter a 2FA backup code or SMS verification to pass the 2FA challenge. The only option under "Choose a way to verify" is to enter a 2FA code. Entering a backup code instead of a 2FA code returns an error.
What am I supposed to do in this situation?
Yes this is a classic "maybe I can get support through public shaming" attempt. Thanks in advance.
I've seen this with a few of my posts recently where they appear in the 'new' and 'show' or 'ask' tabs, but not the frontpage.. even 300 posts deep while similarly aged and upvoted posts are on second page.
edit: now it's on the frontpage! Guess it just had to hit a vote threshold.
But that's not what's currently popular. What's currently popular is just to check a box with some poorly thought-out system and screw anyone who ever loses their phone number or 2FA device. That's dangerous and unprofessional.
At the very least if the helpdesk does reset your account, there should be a 48 hour lockout and a message sent to the account allowing the owner to dispute the change. Yes it is inconvenient in cases where the actual owner lost all of their login credentials, but this is hopefully rare.
They could've done the same with any method of authentication. Using a password isn't even enough for Google any more these days, look at Gmail+IMAP.
This is pure incompetency, not a flaw in 2FA. Whatever device this person is on has been flagged insecure enough to need repeated re-authentication of the highest level, locking them in a loop until the recovery mechanisms are exhausted.
Competent support would also have helped. Google doesn't do support for almost all of its customers but in a normal company, a support agent would've been able to help restore the account. Sure, Twitter has shown us that such support can also be a major risk to important or famous people, but that's why Google has a special program you can enable that will lock down security even more.
You would think that using a backup code would prompt a "Do you want to alter 2FA?" work flow since the user is already at the 2FA has gone wrong point.
And more to the point, a way of handling "I've lost my phone and had to buy a new cheap one" seems to be a potentially problematic edge case. Bootstrapping trust and authentication for end users without any physical token is hard, but seems necessary, especially for non technical end users, for whom password reset processes might even be the default route of access.
It would be so easy to have a Google Android/iOS app that lets you take a photo of a credit card matching a payment method from the Play Store or one of Google's paid services. That proves something you have in addition to your password.
Though, TBH, Amazon is probably in the best position to solve this problem. They have payment methods and they have physical presence everywhere. Companies like Google or whomever could hook into an Amazon API to verify identity with a one-time recovery code.
How do you get the recovery code? You show up at Whole Foods or Kohls or eventually even to an Amazon Hub Locker and prove your identity with a photo ID card. You're then provided a recovery code linked to one of your full legal name, an e-mail you've already had registered with your Amazon account, a phone number you've already had registered with your Amazon account, or a credit card number you've already had registered with your Amazon account.
A service that knows one of those things about you can then be recovered by submitting the key and selecting the link modality. (Keys submitted with the wrong link modality should be invalidated, obviously.)
It would probably work if you used the official browser, it's not a bad idea for the website to block webviews. But pretty funny that their app uses a webview which the service then blocks.
Most of the security is theater. On the other hand I think that every tech savvy person should at least try to keep the TOTP seeds.
I keep the TOTP and only sometimes keep the backup codes
I avoid the issue created from losing my phone, because the next device can generate codes immediately by importing or scanning the TOTP
I also don’t call it “2 factor” I just call it “one time passcode”
And this isn't even a good example of something that is "obvious" to some people, because Google makes it very, very clear that saving the QR code is NOT a backup option. It is labeled only as a mechanism to transfer to a new phone, so one has no reason to believe that it's non-ethereal. Further, the app disallows taking a screenshot. You have to point a camera at your phone. It's mind-blowing to suggest that it might be appropriate to blame the user for not doing this.
it doesn't matter what Google says is normal
is this really people's only experience with TOTP delivered via QR codes?
All screenshot/print/save functionality is disabled when you have the codes up on your phone.
You need an actual camera on a second device to save them in most cases.
If an attacker steals at TOTP, its only good for (I think) less than a minute. If they steal the seed, its good forever.
which isn't really destroyed by having a printout of what you entered onto your phone somewhere secure
(now if you store both in your password manager: that completely defeats the point)
The threat model is someone gets your password, not somebody gets access to your password manager.
If the latter is your threat model then yes having your 2F in there is worse, but really the former is the more common thing to protect against and the tradeoff of not having 2F in your 1Password and getting locked out because your phone breaks is worse than the risk of having it in there.
It’s similar to the tradeoff of having a nano yubikey always in your laptop or a large one on your keys. For most people the nano is better (though you should have a second one in either case)
- Site0 leaks your password because they store it poorly.
- It's just one password, but it's still leaked.
- You have 2F in 1Password so even though it's picked up in an account list the attacker can't login.
- Weeks later you learn there was a breach.
This is the common case for most accounts and breaches. Though the sites most likely to leak are also ones unlikely to have 2F so it's not perfect.
They aren't accessed often, are not used during your normal login flow, and provide you a recovery mechanism that actually works.
Yes - you should store them as securely as you can, but I'd say this is better than disabling 2fa entirely, which seems like the other sane approach.
You need to keep the seeds anyway to generate OTP codes. They are just keeping them in their vault in addition to keeping them in their OTP app.
As long as those storage methods are sufficiently secure, it's not a problem.
It helps to consider the threat model. 2FA is protection against (at least) several things: brute-force password guessing, a stolen password, a hijacked email account, etc. Since password vaults like bitwarden are designed to be uncrackable on their own, the only plausible way for an attacker to compromise one is to gain control of the user's device, at which point they don't really need access to the vault because they don't just have the keys to the kingdom, they have the kingdom.
Any technology that allows users to add security to their assets while still being convenient enough to use daily, leads to greater security overall.
Personally I think we're about a decade or two overdue to switch away from passwords (as currently implemented) and towards public/private keys managed by the browser or an extension, but I don't see that happening anytime soon as it's 100% certain that if it's ever tried, each FAANG will just try to push their own system, break the whole effort with fragmentation, and everyone will still just be using passwords in frustration for the next 100 years.
My 2FA token is just a second password that doesn't get sent over the wire directly -- it's almost like a private key where you auth via challenge... wait a minute, thought you could sneak PAKE on me?!
This. Support systems in the world post computers eating everything is basically HN posts.
Another short term option: $500-1000 right now to get a couple hours of support to unlock an account.
Basing someone’s entire online identity on a free account has always been pretty sketchy. We just haven’t come up with a better plan for most people yet.
Also, I think it's unreasonable to accept "support just sucks now" as a norm - consumer protections exist to shield us from BS like this and the US has been far too lax in flexing those muscles lately.
IMO we need USPS email addresses for the same reason we have mailboxes. The ability to be contacted digitally is just table stakes nowadays.
Right, that's why I think there should be an option for a $500 permanent email address, or maybe $50 one-time payment that doesn't guarantee permanent access but does guarantee that the email address will sit there as long as it takes for you to be able to pay to restore your account, without being deleted or reassigned.
You could also purchase a domain and point MX records anywhere, preferably at some known-good mail service which you pay for.
You already can. It’s called Google Workspace and comes with support.
This already exists.
It's why if you have a certain bank balance, when you call the bank a human in your own country picks up and speaks to you in your native tongue immediately. And if you don't have a certain bank balance, you sit on hold for 90 minutes and are repeatedly told how important your call is.
Google does not interoperate and effectively has a monopoly on web search, web video (YouTube) and is one of the two evils owning the mobile market (the other being Apple). There is no way for a competitor to emerge because it just wouldn't be able to interoperate with any of these services.
Because if so, it’s cheap insurance at $20/year.
Instead the auth requirements should be sane from the start, well publicised, and make a good tradeoff between letting bad guys in vs locking the real owner out.
There should be options beforehand to adjust the balance (eg. enabling 2FA).
To prevent lockouts, there should be some time-based weakening. Eg. if you are trying to access your account, and know only some of the required auth info, and have been unable to for 1 week, and, after blasting messages to every associated recovery phone/email address nobody else does either, then you should be allowed in.
That solves the classic "my house burnt down with my phone in. All I have is my email and password, but I have no devices left, no backup codes, no access to my phone number, nothing" case.
I used this horror story to move to Aegis from Authenticator and make an encrypted backup copy of the OTP vault, so thank you for posting. FWIW.
This is true, but OTOH there will _always_ be edge case scenarios that no one anticipates until they actually happen. Or maybe someone did anticipate, but they were drowned out by the other voices in the room saying "that can't/won't happen," so it wasn't included in the requirements. What happens when a customer encounters a problem that doesn't fit neatly into one of the user journeys that the product team planned out? Are they just shit out of luck?
I disagree, in regulated industries such as banking this is a solved problem. A combination of onshore staff, good career prospects, pay and working conditions and audit logs means I haven't heard stories of bank insiders breaching into accounts to steal. I'm sure it happened but nowhere near as frequently as fraudulent SIM swaps for example.
TLDR: don't outsource your customer service to the third world and you're already 80% of the way there.
In general, if you break into someones bank account and transfer money out, that money can be traced by authorities. In almost all cases, that money is recoverable by the government, even if individual banks like to shrug and tell the customer it isn't recoverable.
If you break into someone's email and steal their private info, it can't be traced. That makes the latter much more attractive.
1. Getting un-banished from Google ads after a failed credit card charge. No one will tell you why, appeal form doesn't tell you why and eventually I figured out a there had been a failed credit card charge 2 years ago.
2. Recovering a Facebook account with an email-password reset. The profile was frozen after it was hacked and all of a sudden a 5 year old phone number is required to unlock the profile after the password reset. --> Help page to submit a petition still tries to send you to login flow.
How can there be no way to talk to someone?!?
But yeah, this is why I dislike 2FA. There are clear security benefits, but it comes with the extreme downside of "what you know is not sufficient".
When it's e.g. a corporate-controlled account and your IT desk can just reset it to "password123!" to let you back in, it's quite a good trade-off. When it's your main email, i.e. your primary online identity, losing access is kinda a big deal, and Google has famously bad support.
But that's not even the problem here. OP has the "what you have". Just because the secondary authentication device is made of paper doesn't mean it's any less valid. But google is rejecting it and demanding the lost device.
So... sorta yes, sorta no. What they have is a ticking time bomb which goes off at the whim of a company that clearly does not care about them. That's not really "an authentication device" that anyone would willingly choose.
How so? The only downside is that you have to glance up and make sure you're on a google.com domain before entering it, in exchange for which you get massively simpler implementation, a wider variety of options, and the ability to back up token if you really want.
I just posted about something similar maybe 3 months ago?[1]
> I kid you not. Google's actual official answer to this is... create another account![1][2][3]
> Edit: Now that I have your attention:
> PSA: Go create "Backup codes" for your Google Account in your 2-Step Verification settings.
> [1]: https://support.google.com/accounts/troubleshooter/2402620?hl=en#ts=2402626%2C2402728
> [2]: https://support.google.com/accounts/answer/7682439
To remove the lost 2FA, I need a fresh 2FA code. No alternatives given.
Seriously, Google?
Might be micro, but this is not a sign of a healthy company on an upwards trajectory.
This is needed for example to store the TOTP in a device that has no camera. Or in your Bitwarden Pro account. Obviously you wouldn't be able to scan a QR with such an application, so the actual string is needed you just copy-paste it, so it should be provided by any service that offers 2FA (I confirmed Google does)
Also, other TOTP generators like Authy and Aegis let you backup your tokens to restore to another device.
xclip -sel clip -t image/png -o | zbarimg -
pngpaste - | zbarimg -I keep all my 2fa secrets in pass for this reason. Never lose access again!
Imho it's a different story if you use a separate gpg-key/secret to access the 2fa secrets (which should also only happen in emergency cases).
This can easily be done with pass.
(Gmail's main target is not devs, or even computer literate people. And owning a smart phone =! literate.)
Who is more likely to visit this page (and use tools like pass) is up for you to decide.
The point still stands. Storing passwords and 2fa secrets inside in the same box will weaken the 2 in 2fa.
(Gmail's main target is not devs, or even computer literate people. And owning a smart phone =! literate.)
Grandma can always print the 2fa seed or write down the alphanumeric value and store it not next to the sheet with her passwords – same principle (I think she won't use pass anyway as opposed to the person I was originally replying to which tells me they are most likely technically literate).
I KNOW it defeats the purpose. But honestly, where the heck else am I supposed to put them? I know from experience that printouts gets lost, and also that if someone were determined to hack me, the easiest route would be to break into my home and find the printouts.
So I guess I'm technically supposed to subscribe to a second password manager and store just my 2FA secrets inside of that, with a different master password. Or, put the 2FA secrets inside their own encrypted file stored in my password manager, but once again with their own password that... I can't keep in my password manager. But the biggest problem with both of these is I'm going to forget the password. I never forget my password manager master password because I use it weekly. But asking me to remember a password I last used 3 years ago because that's when I set up 2FA? It's not gonna happen.
It all feels so absurd that the UX side of me just rebels. Expecting users to store 2FA secrets in a different place from their passwords that is also just as secure... is just not something normal people are ever going to do.
Normal people, in the sense of people who do what the interface says to do instead of layering anything else on top, are told 2FA means "something you know, and something you have."
"Know" means it exists only in your mind; it is not stored elsewhere. "Have" means you cannot possibly produce it with your mind; it's stored elsewhere.
When abiding by this concept, "storing 2FA secrets in a different place from their passwords" (the former in some electronic or printed format; the latter in one's mind) is simple. Things get complicated when people start storing both in some electronic or printed format, but that's not what any login interface tells people to do.
The neologism "passkey" (a string used in lieu of a password, but which is not memorable, and therefore is destined to be something you "have") will probably help to sort out this concept: there would be no confusion about the fact that combining a passkey with totp constitutes two "have" items, and therefore is 1FA until combined with something else (biometric, probably).
Something you have: a password database on your PC.
Something you know: your master password.
TOTP is a nice addon, but you can store it in the same password manager. It will still help with some attacks (e. g. if a hacker manages to MITM your traffic, they only get the password + one code, which is not sufficient to log in again).
Enabling 2FA on a site (regardless of how or where the 2nd factor is stored) means if a malicious party were to obtain your plaintext password, they still wouldn't be able to access your account. So, outside of the entire discussion of password managers and secrets, 2FA does require a second factor.
Keeping your 2nd factor in the password vault does make the vault a much higher-value target. But it doesn't diminish the fact that if only your plaintext password is compromised (for example through a leak or re-use) the account is still protected until the point the 2nd factor is compromised.
Security is a spectrum, and often at odds with convenience. While demonstrating that something is provably secure is important, I feel we often fall victim to the nirvana fallacy when discussing the practical everyday use of these things.
Backing up my 2FA codes is one of the reasons that led me to create PortableSecret: https://news.ycombinator.com/item?id=34083366
Some people took issue with my comment regarding ‘not all secrets belong in your password manager’ but your comment is exactly what I meant.
And besides, this is fine as an archived backup in case someone loses their phone. It just so happens it's faster for me to xsel the output of oathtool than it is to unlock my phone, open app, select account, and remember code, esp because I live in the terminal anyway.
I think so, yeah.
> and the key is stored on some secure enclave which rate limits PIN entries, is it not?
That – I'm not so sure about. I didn't really think about it too much before you pointed it out, but it would make sense for the Android floks to have implemented it. I'll look into it a bit later!
Although, for Google, I'm using FIDO.
https://security.stackexchange.com/a/194279 explains it better than I could.
So, I thought I'd better change that... but it looks like you can't change your recovery account.
Why are 2FA apps so obtuse!
function 2fa(){
local sec=$(pass show $1.secret)
local code=$(oathtool -b --totp "$sec")
echo $code | xsel -ib
echo "Copied $code"
then call it as `2fa <account>`, and make sure you store each <account>'s secret as `pass insert <account>.secret -e`.
refs: https://www.cyberciti.biz/faq/use-oathtool-linux-command-line-for-2-step-verification-2fa/
And works like a charm.
I mean, if it works for crypto wallets it might also work for 2FA...
[1]: https://digitalbunker.dev/how-do-time-based-one-time-password-totp-services-work/
Now it is not that necessary because google authenticator allows transfer of data.
But when authenticator had no such option I was quite terrified and came up with idea to get another phone just as a backup and scanning 2FA code with 2 phones always for all websites. Of course backup one is always on my desk - but I don't have offsite backup for these. Problem is I don't want these TOTP tokens offsite really so it is a bit of a challange :) to come up with everything proof plan.
For example:
> "Password Store" ('pass' compatible) for Android also supports TOTP to tokens and Gpg encryption.
> With Syncthing, 'gopass' and 'Android Password Store', I have a fully open source, very easy to reason about fully in my control, password and totp storage, accessible on all my devices. All of which can only be accessed with my Yubikey that I keep in my pocket and my GPG PIN.
Shameless plug, I spinned up a local html javascript page to import export these code phrases anytime, with customization options, like issuer name, account name etc.
What about adding someone who can get access to your email after six months of inactivity? Maybe they let you add that without your lost google authenticator? It'd be better than nothing.
However, I also think that Google keeps track of a "security rating" for your session; when I don't log in for a while, Google asks me for my password but when I use that same session token on another physical address I also need to authenticate with 2FA.
This may imply that failed login attempts may flag your session as even worse than before. I have no idea if this is actually how it works or if this is purely coincidental, but it may be worth keeping in mind given that you have limited backup codes available to you.
My recommendation would be to first get a Google Takeout backup stored somewhere safe, then see if you can get another 2FA method that you have control over connected to your account.
Note: I mean in mobile apps, not browsers.
You should not disable 2FA.
- Just click on the Authenticator app
- Change Authenticator app
Just works.
On what page do you see the Authenticator app listed? I suspect it's on the "Two Factor Auth" page. My problem is that I cannot even load that page. I click on "Security" in the menu, and it's when I click on "Two factor auth" to do any 2fa-related task, that's when I'm forced to log in and provide a 2fa code (which I do not have)
Then, https://myaccount.google.com/signinoptions/two-step-verification
There you can see Authenticator app.
(I am doing this on desktop. Not sure about phone)
When I click the second link, I'm forced to reauthenticate. During that reauthentication my only option for 2-factor auth is... a valid 2FA code. Backup codes are not allowed.
I suspect since you originally logged in with a 2FA code (I'm guessing), your session is marked as "recently two factor verified", and when I logged in with a backup code, I was not marked the same level of "secure".
> When I click the second link, I'm forced to reauthenticate.
Here, I am being asked my password.
Then get that page.
- Private Browser Window - Log in using backup code - can change auth app without another login.
Maybe it's because I haven't used a 2FA code on this account in the past year? I typically stay logged out of my Google account and just have the email forwarded to another provider.
I too create a new chrome profile (and restarted my router) to get a different IP. (i.e) clean.
- Does this mean you are able to access emails but not change 2FA?
- If yes, do a take out ASAP.
- May be the backup codes are incorrect?
(Unless the machine learning folks on hn did some programming to prevent it!!!). For every one that complains about Google, I wonder how hn crowd pleasingly accepts pay check in the software industry.
Thanks for the takeout advice.. onto that now!
Oh dear. You're almost certainly off the critical path of integration and end-to-end testing and may have hit a legit bug.
I'd assume it's more likely the behavior really is changing, specifically because in the past, the user's login session was treated as a valid factor alongside the user's password for disabling 2FA, which was criticized as being less secure than expected. However, I'm not sure they intended for the fix to that to not allow backup codes...
That said, I do keep a Yubikey with me in my bag when I travel in case my phone breaks and I need to authenticate into a new device. I do take a Yubikey with me going to and from the office as there are other services and platforms which do challenge my Yubikey more often.
The only downside is that Google is the only site I used that supports it.
If you buy a Titan Key you get two (USB-A, USB-C), so sticking one of them in your safety deposit box, locked desk drawer at work or another secured space is a good backup.
I think you can also do that with an iPhone and the Google Smart Lock app.
In the US, porting wireless numbers has been mandated by the FCC for almost 20 years. I'm feeling my age, as I remember being excited during the process and when it finally happened.
https://www.fcc.gov/general/wireless-local-number-portability-wlnp
Sure, it's not the most secure way but I trust this over carriers securing my number.
Edit: looks like you can fall back to SMS (along with backups password) to add a new device.
And
"By default, each of Twilio Authy, Yandex.Key, and Salesforce Authenticator also relied solely on SMS OTP to authenticate users during recovery, but did encrypt TOTP backups using a key derived from a password before uploading them to the cloud. To compromise the backup, an attacker who hijacks the phone number will still need to conduct an offline attack to guess the backup password.
If you don't have your phone setup as "your phone" and they clone your SIM they can use your number to get 2FA codes potentially, yes, but they still need your password to log in. Supposedly they won't have that
I use that in addition to Google Authenticator on my phone.
And in addition to paper backups of the secrets (I don't print the QR code: I write the secret down, like 16 letters) which I keep in a safe.
I've also set someone as the person of trust should I not access my email for 6 months.
And I set up webauthn as well.
It's a pain but I don't want to have to deal with an account I lost access too.
I'm all for improving authentication, but it's profoundly annoying when authentication requirements are not made clear before logging in.
For a user with a password manager, forcing a user to answer "security questions" will compromise UX at best, and reduce overall security at worst.
I am sure that is less secure than a local only copy but this may be least bad of all alternatives.
You might even give a trusted person a login and have it on their phone so you can use theirs in an emergency.
“Fantastic. We haven’t heard from anyone with a complaint!”
No, the big lesson for me is to have proper backups of credentials (like the other commenter mentioned) and ensuring multiple people have access to the prod environment. Don't just turn on 2FA without having these things in place.
If you register with a yubikey, you can't register a 2nd yubikey as backup, nor can you register an authenticatior(TOTP) as a backup.
Don't know, I have a password manager that captured the password I inputted and it was exactly as it should inputted. But when I put it in google it told me that it was incorrect.
When I commented to people, everyone told me that they could change their password doing this and that, but... I wasn't. Looks like there are different security levels based on arbitrary rules and what an user could do, I was unable to do it.
I only had the account logged in in my phone, and every day I kept restoring the account, every day to be unsuccesfully.
One day, after 5 weeks from the day it happened, doing exactly the same than the previous days, one of the recovery attemps worked out, and was able to reset my password.
It completely put me off using google services, but God, it is hard to abandon your first mail services, I got way too many things hooked up with them.
brand account worked great up until ~2013, then they changed something and my settings are all greyed out. can't update phone numbers, can't view mature content, etc. all i can do is collect adsense while the account lasts.
I'd expect to see something like a "hey, yeah, I know a guy on our team that might be able to get in touch with the team who maintains this. I've sent them this thread"...
I'm hoping OP got a private message.
Job descriptions are usually something like: "As a Technical Evangelist, you will be the face of the platform and often the first contact our customers have with us, both online and in person."
My guess is that they want to implement the feature but the security burden is so high that it's not worth it. When everyone's ${stereotypical_computer_illiterate_user_of_choice} starts using MFA and losing their 2FA solutions, it may be worth tackling, but until then, I imagine the number of impacted users is relatively low.
I get the feeling that anymore people just don't care. There might even be disincentives to report or try to address such issues. It's maybe just me, but it seems the excitement over the dotcom has subsided and we're all just in a technical slump right now. Corporate takeover of the internet has taken hold.
Why would someone refuse to watch celebrity Youtube videos, in private with their husband, because of some mandated self-reporting by their pharma overlords?
I'm in awe at the level of corporate control and domestication implied.
On the face of it, your anecdote reminded me of that (apocryphal?) prank that natives played on early explorers: "Will he eat this disgusting food if we tell him it is our tradition? How far can we push him into abject nonsense before his common sense revolts?"
https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfCFR/CFRSearch.cfm?fr=314.80
At its heart I get it — you don't want a company's employees to be burying reports of adverse events. But now the company is liable to ensure such things get reported. And thus they pass this liability onto their employees.
I bet employees feel as disempowered about this stuff as civilians…
how do they respond?
Do you think if you tell an engineer from John Deere that they have unethical practices the are going to complain in the next meeting? Or a Volkswagen person that does care about pollution but will be quiet.
They just look at pay checks.
Any complaints. they just shrug or chuckle ...
The teams are big and finally they cant get involved. IIRC, even spouses of Googlers cant get special access.
At the same time if they did manage to reset account/password/etc that would be the best way to circumvent security.
I'm not. I have the same problem -- or I will if I ever lose my 2 factor identification keys, which are held by Authy NOT by myself. I always assumed that my one-time-codes (which I have carefully secured and protected) would be usable to regain control over my account. If that's not the case, then I want Google to fix it for EVERYONE.
Aegis supports importing from a bunch of apps, as does android-otp-extractor, both need root to do so. Aegis can also import backups from a bunch of different apps.
[1] https://gbatemp.net/threads/extract-your-totp-keys-from-authy-using-chrome.487030/ [2] https://github.com/beemdevelopment/Aegis [3] https://github.com/puddly/android-otp-extractor
If one has the choice, one should never rely on Google for anything, unless one has a fetish for being victim of some algorithm with no way to change it. Most of their tooling is not worth that pain anyway and looks like a thin veil around user tracking. Never forget, that Google is an ads business company and that is how they make their money.
Another thing you can do is to wait for a week and see if anything changes. Having the session last for more than a week may give you more options in passing the challenge.
You can't authenticate some Roku channels as well, such as PhotoView for Google Photos.
Google says at https://landing.google.com/advancedprotection/faq that: >>> If you lose your key and are still signed in on one of your devices, visit account.google.com to add or replace a key. Otherwise, submit a request to recover your account. Google may take a few days to verify it’s you and restore your access.
I've assumed the risk of temporarily losing access to my account if I happen to lose all my hardware keys and devices for some reason while they confirm my identity, but from these posts I think that Google may not be of help at all and I could permanently lose access.
I'm starting to wonder if I shouldn't go back to regular 2FA since I can safely backup those codes.
I've largely stuck with strong passwords for most of my accounts because of issues like these, and others I saw first hand - such as when my dad used to have a password db on a palm pilot. He had no backups, some point the device fails, everything was lost. I only felt comfortable moving to a password db once dropbox became a thing as a result - the balance of security vs. usability is pretty shit if there's a single point of failure with no recovery possible, and I'm not inclined to set up some backup process manually (dropbox has reliably been something I haven't had to think about for a decade.)
2FA feels a lot like that to me, except now with multiple points of failure that can be difficult to recover. Backup codes feel half-baked; it strikes me as the kind of thing that was tacked on to help the issues around hardware failure/human error that one _should expect and design for_; instead, we put the onus on the user with "your account may be unrecoverable" warnings as an excuse.
A better system, IMO, would have N factors and require one less. Keepass is the place where this has bothered me for some time - I can configure things so my db requires a password, and a file, and a Yubikey - but why can't I have two of three? Hell, why can't I have _one_ of two? If I'm in a car crash and die and I want one particular person to cleanup some aspects of my virtual life, it'd be nice if I could give them a key file and let them know there's a Yubikey in a safe deposit box. I feel secure, as no one has all three tokens but me and two are always needed; but I also feel the system is durable, in case something is forgotten, crushed, lost, etc. I dunno, maybe there's people or companies that already do stuff like this and I just don't know about it.
Besides, some services no longer offer 1FA at all. Google seems to require 2FA of some sort no matter what (although maybe that's just my settings?). So it becomes more important to at least weed out the "bad" 2FA like SMS or security questions. I've heard warnings about Google Authenticator before, something about the inability to make backups or something?
The problem is, it's virtually impossible for the average human to remember their password if they have a unique, strong password for every site.
Can a password reset be done with control of the email? If so, email isn't really a second factor.
Set up 2FA with an app called Duo-somethingorother.
Broke my phone.
Trying to use Facebook with new phone requires 2FA. Duo-somethingorother app on the new phone won't authorize my Facebook login because the app on the new phone isn't linked to my Facebook account.
Result: I'm locked out of Facebook
Every year or so I follow Facebook's login authentication steps, including sending photos of my government-issued ID, but nothing happens. Facebook support? What's that?
At this point, all I want to log in to Facebook for is to download the photos from my account. But I'm not in Europe, so I have no rights to my photos and nowhere to complain.
You get what you pay for.
If it makes you feel any better, Facebook doesn't care about the law and Europeans don't have any more luck than you do when it comes to this: https://ruben.verborgh.org/facebook/
I'd like to see an actual lawyer try it and document the effort with similar rigor. I wonder what the response from FB would be.
Keep in mind that the regulator who’s supposed to regulate them is corrupt and complicit so it’s very unlikely anything would work.
I dropped my main phone into the toilet a week ago, completely fried it. Moved the SIM card to my backup phone, and carried on like almost nothing happened. I then powered up my 10-year old Nexus 7 tablet, and duplicated all my 2FA codes to the tablet. When I get a new replacement phone, I will duplicate my 2FA codes again.
TOTP just isn't a good protocol for this. Last-resort 2FA should be based on public key crypto where your last-resort device has a public/private key and you can enroll it as a recovery token by providing the (static) public key - this means you do not need active access to the device to enroll it.
I once broke my phone with Google Authenticator on it and I spent 2 days locked out from my work accounts. Never risking that again.
* for the paranoid, there's a mode where it doesn't backup to the cloud, which makes it function the same as google auth, but that does defeat a lot of authy's benefits.
** https://authy.com/blog/how-the-authy-two-factor-backups-work/
That said, this is probably a business oppurtunity for reverse engineering and recovering the 2fa code from broken phones. I suspect there is a key stored locally, and tied to the device id. If you could get a setup together for reliably extracting/cloning that info, people locked out of essential services would be willing to pay.
I just added:
- SMS - Authenticator app (Authy, of course) - Generated backup codes
That in addition to my Pixel 4, and maybe 3-4 authorized devices (laptop, ubuntu desktop, windows desktop), I feel a bit better about this.
Sorry for your trouble though, I hope you figure it out.
https://blog.silverorange.com/web-authn-ux
I had an old set of YubiKeys which I used as a MFA option for LastPass. In comparison to WebAuthn, the process is dead simple. Input master password and LastPass prompts to touch yubikey. Dead simple with no scary dialogs. I have not seen any website offer an integration with Yubikeys like that. Is that only possible because LastPass was a Chrome extension? Or is it simply lack of demand?
There needs to be a new 2FA standard which only needs the public key of the authentication instrument during enrollment - that way the actual instrument doesn't need to be accessed when creating new accounts and can be kept in secure storage, only accessed in an actual disaster situation.
Absolute madness.
You should have backups on places other than the phone.
I warmly recommend andOTP for managing your TOTPs. It's open source and available on F-Droid.
https://f-droid.org/en/packages/org.shadowice.flocke.andotp/
Thank god I keep 2FA in Bitwarden. I did not realize I'm this close to losing my Gmail. Jesus.
I realize it's paying the people holding the account hostage, just thinking of practical solutions to get in touch with the right support level who could assist.
I encrypt and back up all TOTP secret key, which are used to generate six digit codes, to my local offline password store (usb key and paper). In fact, I mostly used my laptop as the second factor because it is more convenient. My phone also has the TOTP key and in case it is lost, I can just regenerate the QR code.
I keep a cold yubikey in a locked cabinet at work as well as my TOTP secret, encrypted and printed.
The lost productivity dealing with shitty 2FA implementations and the subsequent shitty customer support is enough to build all 7 wonders of the world many times over.
First they present 2FA via the Google Mobile app, and you have to click "Try another way", which makes it feel like something has already gone wrong.
Then they give you the option to the Google App again, to get an SMS message, to use a backup code, or to use "Google Authenticator".
So my instructions to a would-be 1Password user are: Sign in with your email address and password, click "Try another way", and then click "Use Google Authenticator", but don't actually use Google Authenticator; use 1Password.
To export your codes, click top right ... and then "Export Accounts".
Their 2FA login was not working - my logins were rejected.
I think I needed to resync.
The resync pages were not working.
When 2FA breaks, for whatever reason, there is a form you use to let AWS know.
You cannot send a message - only a phone number. AWS will call you back.
Where I was at the time, a phone number was not available.
That was it. End of the road. 2FA not working, could not log in, the Support I could reach could not help. Support suggested "make new account", as of course they do what they can, which means offering options from within their power, and there was nothing they could do (except suggest a new account).
Fortunately, I had no servers running. I don't know what would have happened, if I had.
With email based accounts, the email used to make the account is the email used to recover the password, so making an account also proves the recovery mechanism.
With 2FA, this is not the case.
2FA is absolutely necessary for security, but flawed implementations are I would say much more of a risk than the security issues 2FA defends against.
I am very unlikely to be hacked - I am one in a billion - but if the 2FA mechanism is flawed, it is reasonably likely to affect me.
Large companies are totally unaware of end user experiences, so when for example 2FA recovery is broken, they have no idea this is occurring.
It is dangerous for end-users to rely on large companies to implement systems which can block end-user access to critical systems.
More likely to be framed for someone else's crime (maybe someone uses your AWS account to hack others), because, well, who would miss casenmgreen, right? There are non-obvious reasons people should still use 2FA even if they have "nothing to hide".
Was in a similar situation, having a real backup of every apps data (including the "secret" data) saved me a couple of times.
To get support I would need to upgrade. To upgrade I need to enter my authenticator code. To enter my authenticator code I need to contact support...
Now I keep a key chain with a yubikey on it that serves as a redundant option for 2fa to authenticate my google account, in addition to the app in my phone. I actually have two of them and the other is in a secure remote location. If you are doing anything critical in your google services you must have multiple 2fa options for disaster recovery.
Howto:
... menu in top right -> export accounts
make sure all are selected, select export
It will generate a series of dense QR codes.
Screenshot / photograph / add to backup phone, save and print for your document safe, whatever.
I was a little surprised that it was this easy to extract all the secrets. I'm going to have to think even more carefully about what TOTP secrets go in there now.
Has anyone experienced otherwise with Github?
I wish all platforms modeled their 2FA to be like Github's.
So it seems that the backup is intended that the user purchases a second phone!
The thing I have taken away from these continual Tell HN posts about Google acounts getting locked up because of 2FA is that the "something you have" factor needs redundancy. I now have my phone, and 4 yubikeys on my household's carkeys and a trusted friends and a family member's firesafe. These have also given me enough stress that when I visited home for the holidays I added to my aging parents' Google accounts with a handful of additional security keys to go with their SMS 2FA.
Personally I would rather have accounts which are secure and can be lost if I am not careful with my 2nd factors than one that has vulnerabilities that the whole internet can attempt to exploit, but I realize others do not have that same priority.
I wrote a small cli tool that can export all data inside it, and that tries to generate qrcode images for each entry for re-import into another 2fa app.
I hope this can help someone with the same problem, I got stuck with a camera photo of this seemingly useless qrcode for a couple hours until I built my tool.
Always remember to backup google authenticator, and always make a physical backup of your encrypted passwords database!
If yes, then you might be able to backup google authenticator's data using adb.
Alternatively maybe a tool like scrcpy [1] might be able to help when the screen is broken.
The deeper issue is the situation is kafkaesque. Imagine explaining to a stereotypical elderly grandparent (with minimal computer experience) that you need to configure a 2FA TOTP on your mobile phone and save backup codes in a secure location. BTW don’t lose your phone or you will need to initiate a complex recovery procedure. Oh BTW you need to memorize a 20 character length passphrase along with the 30 other websites you use. Perhaps you could use a password manager, but it will need a 20 character length password and 2FA TOTP as well. Oh make sure you certify the password hashing function and iteration count follows current NIST-800 guidelines. It will need to reauthenticate periodically so don’t forget your password manager’s passphrase. Be sure to make it a sentence and sprinkle in a number and punctuation mark or two.
Oh Back to your original account: It might prompt you to log with a previously known authenticated mobile app at random. There is also a random AI agent scoring how secure your device is and can cancel you at anytime. Oh BTW if you want have extra protection buy this $30 hardware key we don’t advertise. Actually buy two hardware keys and keep one offsite just in case. Don’t use that key use this one. We might drop the other key for unknown reasons. The key might be exploitable since it has Bluetooth so keep it shielded in a faraday cage at all times.
The security policy can change at anytime with no warning or requirements notification update. Do not contact customer service, because you are not a customer but a product being sold at data mining auction. Instead you will need to plead your case on Twitter, Reddit, or Hacker News and pray someone working at the company sees it and is willing to help.
Personally I have Authenticator for day to day use, a Yubikey for restoring access if something happens to my phone, and backup codes.
Took a screenshot of Authenticator's export QR code via the webcam, then added it with Aegis. Then went to Aegis's Settings->Backup and exported a JSON backup, which is encrypted with the password.
That's a bit more peace of mind.
If you lose the phone its easier to recover.