How Do You Back up Your Two Factor Authentication/Multi-Factor Authentication Codes?

Title pretty much says it all.

So you've turned on TFA for your most important account, Ozbargain, and downloaded your recovery codes. Now what? How do you prevent losing access, while maintaining the security of your account and the backup codes? In the case of catastrophic loss of everything except the clothes on your back, how do you get back into your account so you can ask if your public BBQ usage is justified complain about speeding fines let us know about a bargain you've spotted?

I use Aegis on my phone for TOTP wherever I can (looking at you, banks!). I have downloaded all the backup codes, as well as backed up the encrypted Aegis dump, but they are stored on a cloud drive. I'm concerned that's not ideal, because that account has TFA on it which uses my phone too which seems to be somewhat circular. My two key accounts are Gmail/Google and my password manager. Once in there I reckon I can pretty much get into anything else.

My other consideration is that my wife is not very tech savvy, and I don't want to saddle her with confusion and frustration on top of potential grief if she needed to get into my accounts without my assistance.

Comments

  • +1
    • +1

      What if you lose your phone and forget your iCloud password and your email gets hacked, how will you log into OZB then?

      • HelloPam2 account isn't taken.

    • Talk me through how your recovery process works? Say your house burns to the ground, and in your shock, you drop your phone and break it beyond repair.
      So you have no phone, no computer, nothing. Do you only need a username and password to get into your iCloud?

      • -1

        Setup an account recovery contact with apple. By the sounds of it you should do so right now.

        • When I have a reason for an Apple account I'll make sure I set up a recovery contact

      • +2

        You can access your iCloud content from any device in the world via https://www.icloud.com with your username and password.

        You can also share iCloud content with others and especially so if you have a Family account setup so you and wife can have shared contacts, calendar, photos, drive files, notes, reminder, documents, even Find My iPhone access if say it gets stolen. You can limit what and how much content is shared, doesn't have to be everything too.

        Don't have any device at all? Pop into an Apple Store and they'll help you with a "borrowed device" to access your Apple ID.

        Seriously. https://support.apple.com/en-au/HT201487

        Or ask a friend/neighbour/colleague to download the Apple Support app and access your account on there leaving no trace behind when you logout. If you get stuck, you can live message a real Apple support person to help too.

        https://apps.apple.com/au/app/apple-store/id1130498044?pt=20…

        • So you can bypass TFA on your Apple account by going into an Apple store and using a device there (presumably under their supervision)?
          On one hand that's cool, but on the other hand, that sounds like it could be social engineered…

          • +1

            @moar bargains: You can't bypass 2FA but there are several methods to validly authorise access through verification codes, trusted devices or phone number text.

      • +1

        Talk me through how your recovery process works? Say your house burns to the ground, and in your shock, you drop your phone and break it beyond repair.

        Take the sim card out and put it in another phone, can still be used for 2FA to mobile number.

  • +1

    Microsoft Authenticator on iPhone. Authenticator backs up to iCloud.

    I have my MS account signed in and linked with a couple of Windows devices via biometrics (encrypted HDD of course) with enough ID in the cloud to retrieve a SIM card from my telco if need be - this is also in iCloud with a recovery contact.

    Apple and MS will use SMS as fallback.

  • +5

    In the case of catastrophic loss of everything except the clothes on your back, how do you get back into your account

    Keep a copy of all your codes on your t-shirt.

    • +3

      Surely printed on the inside tho

      • +3

        Invisible ink?

        • +1

          I’m afraid that the UV light used to expose the invisible ink print on said shirt will also expose, ummm, moar than we bargained for

        • +1

          Yes, invisible ink that only becomes visible upon profuse sweating associated with catastrophic loss of everything but the clothes on your back. That also means you are not wearing underwear so make it a long t-shirt.

  • +4

    10 USD per year and use Bitwarden to sync passwords and TOTP everywhere.

    • Why need to pay? It's free

      • You can't use Bitwarden for TOTP codes with the free version

        • +1

          You can if you host it yourself. I’ve self hosted Bitwarden for years now and love it. All my MFA codes are in there so I know they are safe. I do a daily offsite backup as well. I appreciate this isn’t for everyone though.

          • +1

            @rbrb: I have the skills and ability to do this, but I'm not convinced I could do it for USD$10 a year so I just pay them to do it.

  • +2

    I don't understand what you're talking about but am curious. All 2FA that I've ever used sends me a 1-time code or popup on my phone.
    I've never heard of a "backup password".

    • Yeah, so normally to set up those pop-up codes on your phone, or the SMS one-time codes, you need to register your phone with the account. So my question is "What is your plan to get into your accounts that require a text or whatever if you can't access your phone, to get those codes?"

      SMS is probably the easiest one, because you can contact your phone provider and organise another SIM I guess, but the "pop up on your phone" codes are software based, so harder to recover. Usually these accounts will give you some "single use codes" that you're supposed to save somewhere safe in case of the above situation. My interest is in what people do with those codes, or what alternatives they have in mind as plan B.

  • +1

    I'd expect most password managers would have a recovery option. With 1Password there is a single sheet you can print out and use to re-access your account in the case you lose access to all your devices. You will still need your master password + the info on the recovery sheet. Storing this recovery sheet off-site would be important.

    • Yeah, that's essentially what I've done. Printed my Bitwarden backup codes and stored them with someone I trust who is far enough away not to be likely to be impacted by the same hypothetical disaster as me, but close enough that it's not too difficult to visit and get the codes if needed. My Google account has several options for backup TFA, including SMS and phone call.

      • Does Bitwarden do 2FA codes then? Because this seems a good option rather than a separate app.

        • +1

          If you are on the paid tier.

  • +1

    Authy syncs between the phone & laptop. Laptop & other devices in the home are backed up to a hard drive, which is rotated off-site once per week. Phones are backed up to iCloud. So, if whole house burns down, we still have copies elsewhere. Difficult & slow to restore, but possible.

    • I used, liked, and recommended Authy; but I'm slowly taking control of all things digital of mine and moved to Aegis myself.

      Like OP, I've used its inbuilt vault backup; although I've backed up that backup via Syncthing.

  • +2

    Use stick-it notes on the car dashboard
