by segfaultbuserr 2734 days ago
This is the trickiest issue about 2FA: who's going to authenticate the authentication system? From what I've seen in practice, if an account is lost, there are two primary ways of recovery.

(A) Secret key. When a user is setting up 2FA for his/her account, the system generates a secret passphrase/QR code as a crypto key, with instructions for the user to write it down or print it out, then store it in a secure location.

(B) Manual review. The policy of a hosting company I use is that when a 2FA-protected account is lost, the user must submit a national passport and proof of payment to reset the account manually.

And if a user wants to add a new device:

(C) Send a challenge to the original device. If the system is in the form of an app, it's as easy as showing a Yes/No warning in the app: someone is adding a new device to your account, do you trust it? This is commonly used by various chat apps.

However, none of these methods are going to work for your use case, as the user wants to bypass the 2FA when setting up a new device... Currently, I don't see a satisfactory solution; otherwise, it effectively opens up a loophole and nullifies the advantage of 2FA.
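Option (A) in the comment above is the recovery-code pattern. The following is an added example (not code from the original thread, from GitHub, or from any hosting provider) showing the server-side half that the comment leaves implicit: the service keeps only salted hashes of the codes, accepts a code however the user transcribes it, and burns each code on first use so a photographed printout only buys an attacker one login. The class name, code length, and 16-code count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Alphabet that drops characters users confuse when reading a printout (0/O, 1/l/I).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _normalize(code: str) -> str:
    """Accept the code however it was typed: case, spaces and dashes are ignored."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _digest(salt: bytes, code: str) -> bytes:
    """Salted SHA-256 of a normalized code. Codes carry ~50 bits of entropy,
    so an unsalted or fast hash would still be hard to brute-force, but the
    per-account salt stops a leaked table from being cross-matched."""
    return hashlib.sha256(salt + _normalize(code).encode()).digest()


class RecoveryCodeStore:
    """Per-account store (hypothetical name) holding only hashes of unused codes."""

    def __init__(self, count: int = 16, length: int = 10):
        self.salt = secrets.token_bytes(16)
        self.count = count
        self.length = length
        self._unused: set[bytes] = set()

    def issue(self) -> list[str]:
        """Generate a fresh set, invalidating any previous set.

        The plaintext codes are returned exactly once, for the user to print;
        only their hashes are retained."""
        self._unused.clear()
        codes: list[str] = []
        while len(codes) < self.count:
            raw = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
            h = _digest(self.salt, raw)
            if h in self._unused:  # astronomically unlikely duplicate; just redraw
                continue
            self._unused.add(h)
            codes.append(f"{raw[:5]}-{raw[5:]}")  # human-friendly grouping
        return codes

    def redeem(self, code: str) -> bool:
        """Consume one code. Returns True exactly once per issued code;
        a reused, reissued-over, or unknown code is rejected."""
        h = _digest(self.salt, code)
        for stored in list(self._unused):
            if hmac.compare_digest(stored, h):
                self._unused.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        """How many codes are left, so the UI can nag the user to reissue."""
        return len(self._unused)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    printed = store.issue()
    print("Write these down:", " ".join(printed))
    print("first use:", store.redeem(printed[0]))   # True
    print("second use:", store.redeem(printed[0]))  # False
    print("remaining:", store.remaining())          # 15
```

Calling `issue()` again replaces the whole set, which is what a user should do after losing a printout; the old codes stop working because their hashes are discarded.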

A. OP's original problem is that users aren't noting down the secret when they're requested to.

B. Manual review works, unless there is a sufficient incentive to break it. Here's an example of PlayStation Network struggling with hackers disabling 2FA via customer support - https://waypoint.vice.com/en_us/article/43ebpd/the-long-weir...

C. If a user is resetting 2FA then most likely they've lost the device on which they had the authenticator app installed. If they still had access to it, authorizing them to perform a 2FA reset would be trivial.

D. Reset via email is the most commonly used one. It's scalable, unlike manual review. Less secure, arguably.

> This is the most tricky issue about 2FA: who's going to authenticate the authentication system

100% agree here. It's a hard problem.

> B. Manual review works, unless there is a sufficient incentive to break it.

In my example, there is a sufficient incentive for an attacker to break into a server through the 2FA loophole, since there are valuable assets hosted on it. This is why my hosting provider requires users to obtain and submit all the paperwork, which must correspond to the address in the payment information.

I'd summarize the disadvantages of manual review as: low efficiency (as a casual player, I would find it ridiculous for a company to require my utility bills and passport to reset my gaming account; I'm sure a rigorous identity check was not performed in your PSN example), poor scalability (the number of accounts is much higher in a game than in a professional service like hosting or payment, and humans need to do all the work), and proneness to social engineering.

>D. Reset via email is the most commonly used one. It's scalable, unlike manual review. Less secure, arguably.

What's the argument that it's not any less secure? That seems like a pretty obvious conclusion to me.

Password reuse and 2FA enforcement.

Although we at HN are the shining tier of amazingness (/s), most people will use the same password across as many accounts as they can, or use some derivation of the password.

The bigger issue is that plenty of people don't enable 2FA on their email, as it's never really suggested by the providers, some just don't support it, and there's the fear of getting locked out of something so central.

It's better than SMS 2nd Factor though.

Gmail at least (sort of) pushes 2FA with their 'security reviews'.

GitHub has 16 recovery keys which you can print in advance, and use if you don't have your authentication device at hand. They are also retrievable from the account's security page at any time.

https://help.github.com/articles/configuring-two-factor-auth...

They'll also reset it if you have the SSH private key for one of the public keys you've registered on the site.

Doesn't work / N/A for the OP. Recovery keys require the user to do something in advance of the reset. His users won't do that.