top | item 18180574

(no title)

tjbrennan | 7 years ago

I recently lost access to my two factor authenticator. I had saved most but not all of my recovery codes. I was surprised that a couple of websites I didn't have recovery codes for allowed me to disable 2FA after login but before authentication. It saved me from having to contact support, but it seemed to defeat the purpose of 2FA.

discuss

Thriptic|7 years ago

This happened to me as well with Uber. They use SMS 2FA and didn't provide any backups. I left my phone in an Uber and I couldn't log into my account to notify the driver because 2FA was in place. I also couldn't contact Uber about the issue because they try as hard as possible not to provide customer service mechanisms for people to leverage.

At the end of the day I had to use another friend's Uber account to contact Uber and explain the situation. They disabled 2FA and let me back into my account. I suppose Uber could validate the GPS position of the driver and my phone and use that to validate my story, but I doubt they went through all that trouble :(

achompas|7 years ago

This was not my recent experience with Uber's 2FA at all.

I had purchased a new phone, but lost cellular service and couldn't authenticate into Uber. I found contact info and they asked me to verify my recent ride history (including fares, times, and destinations) before disabling 2FA for me.

reymus|7 years ago

>I suppose Uber could validate the GPS position of the driver and my phone and use that to validate my story, but I doubt they went through all that trouble :(

For that, I assume they would need to have tools built for that specific purpose, with security/audit in place. I doubt any support guy could just randomly query for GPS data for drivers/users.

em-bee|7 years ago

how did you loose your 2FA device?

this is what scares me the most about using 2FA.

github for example says if 2FA is lost there is not way to recover.

i have lost a phone number before... and although github also supports other 2FA devices, such as a rotating key app which can be on multiple devices, you have to set up all devices at once. so i can put it on my laptop and my phone, but not my home and my work computer unless i carry one to the other place. phone and laptop is not enough. if i use my bag, both are gone. and i'd have to reset all devices if i ever want to add a new one. at that point i am more afraid to loose access through stupidity than through theft.

no thanks.

greetings, eMBee.

kuschku|7 years ago

> this is what scares me the most about using 2FA.

My solution for TOTP/HOTP 2FA (aka "Google Authenticator"-2FA) is quite simple:

I print out the QR codes used to activate the 2FA, and keep them in a safe. That way I can always re-activate the 2FA on a new device, and it's still just as secure (because, if an attacker can break into my home and break open the safe, they could just as well take my phone with them)

plorntus|7 years ago

Last I checked GitHub actually lets you turn off 2fa if you can use an associated SSH key to sign a message?

Not entirely certain but support staff definitely turned it off for me once I lost my phone number.

dharmab|7 years ago

A very valid concern- I was in a serious vehicle accident this year and it took weeks for all of my keys and possessions to make it back to me. Luckily I didn't need 2FA for my email or insurance.

expiredtofu|7 years ago

That's what the backup codes 2FA provides are for, no?

avh02|7 years ago

When adding 2fa I add it to authy on my phone and to my pebble (which has significantly better battery life than my phone).

Authy allows backups though I've never tested this.

I also keep recovery codes for critical services in case all else fails (just don't forget to NOT put that behind 2FA cos circular dependency)

Buge|7 years ago

2FA is usually to protect you against your password being stolen. If that's the only threat model, then it's fine to allow 2FA to be disabled without a new 2FA code, as long as it's from a device that has entered a 2FA code at some point in the past.

There are other potential threat models though that would require a re-enter of the 2FA code to be safe, such as cookie theft, or temporary computer compromise. Both of these though seem less likely of attacks.

fragmede|7 years ago

> It saved me from having to contact support

This is not an insignificant consideration. Companies track support calls (call volume - and their reported reason, is monitored closely) as a matter of business. I have heard companies going back on enabling two/multi-factor auth, once realizing support volume goes up. (Which is silly, because of course it goes up compared to not if you didn't allow it before.)