Just a Heads up for those with Token-based 2FA

in #security, 6 years ago

This post will outline a couple of things that happened to me today regarding the risk of me losing my accounts, many of which hold much of my crypto, all because my phone was on its deathbed. I hope that by reading this you can take away the knowledge I obviously didn't have prior to this predicament and save yourself some hassle. Enjoy!


What is 2FA?

For those who don't know, two-factor authentication (2FA) is a security measure that adds a second, independent check on top of your password when logging in to an online service.

Authentication can occur through the following:

  • Something you know (a password, a PIN, or the answer to a security question)
  • Something you have (a phone or hardware token that generates one-time codes, or an ID card)
  • Something you are (a fingerprint or retina scan)

Most people just have their password (a single knowledge factor) which they use to log into accounts, but some people get extra peace of mind from an additional one-time code, delivered via SMS or, in the case of this post, generated by the Google Authenticator app. For mission-critical systems, all three factors can be required.

I would recommend 2FA as almost a necessity, and token-based authentication is one of the best ways to go: an attacker who has your password still can't log in without the secret held on your phone. (But please be aware that SMS-based 2FA is seriously flawed, given the recent targeted attacks, such as SIM swapping, on people holding crypto.)

How Token-Based Authentication Works (at the most basic level)

  1. When you enable 2FA, the service generates a secret key and shares it with you once, usually as a QR code that the authenticator app scans and stores. Only you and the service hold this secret.

  2. Both you and the service feed that secret and the current time (in 30-second steps) into a keyed hash (HMAC) and truncate the result to a 6-digit code. Because the inputs are identical on both sides, so is the code. The codes look random but are fully deterministic: anyone who holds the secret can produce them.

  3. When you type the code at login, the service recomputes it for the current time step (usually allowing a step or two of clock drift) and lets you in only if the two match.

Computerphile has a great video on this that says it all.

The Problem

This little beauty is (was) my phone and I've had it for so many years I forget how long... He will forever be missed ;(

Mourning aside, this was also the only place where I stored my 2FA codes (in the Google Authenticator app), which unfortunately led to my demise when my phone randomly froze up and got into a boot-loop this morning (constantly trying to restart itself and failing).

After a little research, I was not the only one with this issue. In fact, this is a problem with the majority of Nexus models as the soldering job for the CPU was shoddy for many models.

Disregarding bad manufacturing practices, access to my 2FA tokens was lost! I couldn't access any of my exchange or Google accounts!

I needed to get those codes back so I could disable 2FA and get back into my accounts, or else I'd have been making a lot of embarrassing phone calls to get this fixed.

My Solution

Funds are safe!

Funnily enough, I had the idea before the guy in this post did, which was to put the phone in the freezer for a bit. Given it was a hardware problem due to heating, cooling it would cause the components to contract and form better connections, right? Maybe, but in this case I was lucky and got my phone to chug out one last breath of life so that I could get to the app and disable 2FA on all my accounts.

What you can do to better Protect Yourself

1. Securely back up your phone:

With a phone backup, you don't have to worry about losing it because you have access to everything you need in a convenient file or service. Personally I don't trust "cloud" or other forms of online backups, and if I had taken some more initiative, I would have made a personal and secure local backup. Check that whatever backup method you use actually captures the authenticator's secrets rather than just the app; the safest thing to keep is an encrypted, offline copy of each enrolment QR code or text key, which lets you re-enrol any authenticator app on a new device.


2. Use multiple devices to store 2FA codes:

Having access to these codes on only one device puts you at risk, as it did me: what if it fails? Fortunately you can enrol the same secret in the app on several devices (scan the same QR code on each at setup time), and they will all generate the same codes, so you are safe if one fails.

However, you should keep tabs on what the secondary device is doing, because if you choose, say, a family member to hold the extra codes, what if their device is compromised? Every device holding the secret can generate valid codes, so each extra copy is another way in; you could be at greater risk, so please be cautious.


3. Use alternative sign-in methods:

This is not always possible, but many of the larger companies such as Google provide several alternative ways to sign in, which can be a life-saver if you are in a situation like mine.

Some examples are a login prompt on your phone, security questions, or backup/one-time codes. Backup codes are meant for exactly this case: save them (printed or encrypted) when you enable 2FA and treat each one like a password. Security questions are the weakest of these, since the answers are often guessable or public.


Thanks for reading and I hope no one runs into the same issues. Stay on your toes and keep your backups up-to-date people!

Gridcoin Discord | BOINC OS | GitHub | [email protected]
