by daphneokeefe 2628 days ago
Can someone explain how TFA (or any security feature that relies on my phone) works when the phone is unresponsive -- dead battery, no cell or internet reception, hardware failure.
5 comments

I am interested in how frequent travelers manage these security measures (especially abroad). For SMS: quickly obtain a burner phone, log in to Chrome, something something SMS or Authenticator? For Authenticator: log in to Chrome on any machine you can locate that you can trust? For the printed backup codes, you carry them with you as you travel, and through security?

I am trying to develop a security process that I can rely on. It only has to be better than what I have now, it doesn't have to be bulletproof.

When possible, I completely avoid services that use SMS 2FA. If given the option, I always opt for authenticator apps or codes-via-email 2FA, in that order. I use SMS 2FA so infrequently that I've never encountered a situation where I needed to get a code SMSed to me while abroad.

I store my printed backup codes for most of my services in an encrypted file in my Dropbox (encrypted with a different password than the password used for Dropbox).

I then also have printed backup codes for my primary email account and for my Dropbox account that I carry with me on an unmarked piece of paper stashed deep in a semi-hidden pocket in one of my bags. I also have printed backup codes for my email and Dropbox stashed in a semi-hidden place in my home, with the thought that in a last case scenario (or I lose my bags or something like that), I can phone my roommate and have him read me the code.

It isn't perfect and I feel like it could be improved, but so far it works fine.

It won't--so you'd have to use the backup methods they made you set up, like SMS codes, Authenticator, printable backup codes, etc.
SMS and authenticator won't work on a dead phone either, so you are left with keeping a paper with backup codes.
Or a second key.

What happens when your first and only Yubikey gets dropped in a puddle? You're also back to paper and backup codes.

>so you are left with keeping a paper with backup codes.

It's not magic, there isn't any other way.
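The replies above make the fallback explicit: the authenticator app, the SMS and the security key all need working hardware in your hand, and the only thing that survives a dead phone is a pre-generated one-time code. The example below, added here and not code from the thread or from any product it discusses, makes that concrete in two parts. First, a TOTP code is only HMAC(seed, time) per RFC 4226/6238, so a seed you have backed up can regenerate the same code on any machine, with no phone involved; the seed and expected values used are the RFCs' own test vectors. Second, a minimal server-side store for backup codes of the kind people print and carry: it keeps only a keyed hash of each code and burns a code on first successful use, so a stolen database does not hand out usable codes. `BackupCodeStore`, `issue`, `redeem` and the server-side pepper key are names and design choices assumed for this example.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    Nothing here depends on a phone: any machine holding the seed and a
    roughly correct clock produces the same code as the authenticator app.
    """
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


class BackupCodeStore:
    """Server side of pre-generated one-time backup codes (assumed design, not a real service).

    Codes are short, so an unkeyed hash would be brute-forceable by anyone who
    steals the database; the store therefore keeps HMAC-SHA256(pepper, code)
    with the pepper held outside the database. A code is deleted on first use.
    """

    def __init__(self, pepper: bytes):
        self._pepper = pepper
        self._hashes = set()

    def _tag(self, code: str) -> str:
        return hmac.new(self._pepper, code.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _normalize(code: str) -> str:
        # Users type codes from paper; ignore the grouping dash and stray spaces.
        return code.replace("-", "").replace(" ", "").strip()

    def issue(self, count: int = 10, digits: int = 8) -> List[str]:
        """Generate fresh codes; the plaintext is returned once for printing and never stored."""
        codes = []
        for _ in range(count):
            raw = "".join(str(secrets.randbelow(10)) for _ in range(digits))
            self._hashes.add(self._tag(raw))
            codes.append(raw[: digits // 2] + "-" + raw[digits // 2:])   # e.g. 1234-5678
        return codes

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once; return False for unknown or already-used codes."""
        tag = self._tag(self._normalize(code))
        if tag in self._hashes:
            self._hashes.remove(tag)
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    # Seed from the RFC 4226/6238 test vectors (constructed input for the demo).
    seed = b"12345678901234567890"
    now = int(time.time())
    print("code on the phone :", totp(seed, now))
    print("code from backup  :", totp(seed, now), "(same seed, different machine)")

    store = BackupCodeStore(pepper=b"server-side-pepper-kept-out-of-the-db")
    printed = store.issue(3)
    print("codes to print and stash:", printed)
    print("first use :", store.redeem(printed[0]))   # True
    print("second use:", store.redeem(printed[0]))   # False, already burned
    print("remaining :", store.remaining())
```

Two practical notes follow from the code. Backing up the TOTP seed (the QR code or base32 string shown at enrolment) is a full substitute for the phone, which is exactly why that seed must be stored at least as carefully as the backup codes. And the server only ever sees a keyed hash of each backup code, so the printed sheet is the single copy; losing it means re-issuing, not recovering.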

Yes. You need an alternate backup mechanism, like pre-generated one-time codes, or (shudder) SMS.
The feature described in the article will work when your phone is offline. We'll publish instructions soon on how, but it will e.g. involve manually waking the screen to trigger the local communication.

Of course it won't work if your battery is dead. :)

U2F fits into this scheme nicely.
WebAuthn is the successor to U2F. This is just another transport (caBLE/"cloud assisted Bluetooth") for this standard in addition to NFC, USB and a direct connection to a Bluetooth authenticator (e.g. Feitian and Google Titan key).