by estaseuropano 1557 days ago
Not true.

I lost access to gmail because of 2FA - Google Authenticator to be precise.

One random sunny day my 2 year old bit into my phone, thereby breaking it. A few days before I had reinstalled Linux and apparently had not yet logged into Gmail. So suddenly I have only unrecognized devices and no authenticator. Despite living in the same place, using the same wifi, etc., I simply cannot get back in since then. It's been years with dozens of attempts from any possible 'known' device, but there simply is no way. I know the password, I know previous contacts, I have old emails, I have the password, ... But even when I enter all the info Google requests for account recovery I simply get a screen saying they will get back to me - and never do.

My fault for not having a backup sheet of codes, but I was too worried someone would find and abuse that sheet. Well, goodbye 10 years of email.

4 comments

I keep a backed-up list of all my 2FA codes in password/key-encrypted storage. I am trying to avoid the kind of situation you described. I have A LOT of accounts with 2FA now, and losing access to the 2FA app would be an incredibly frustrating issue, as I would lose access to many accounts.

At one point I actually had a couple of backup codes for some important accounts in my wallet, such as the ones for my email. My thinking was that if I ever lose my phone and need to log in to my Google account on someone else's device, I would at least have access to some backup codes to get me in ASAP.

I think the threat model for most of us is online takeovers, not physical ones. Even if you live in a dangerous country like I do, criminals don't care about your email, so I don't think there's much danger in just storing the 2FA backup codes in your wallet. They're only good once someone has already input your password, aren't they?

But I'd appreciate if someone from cybersecurity were to weigh in. What are the best practices for 2FA backup codes?

A few things I would try in that situation:

- recover the files on the phone, esp. files that hold the Google Authenticator cache/DBs/secret keys, and transfer those to a new device

- see if any token using google account is still able to perform activities and work from there

To avoid this next time, use Authy (it works the same as Google Authenticator and works anywhere they tell you to use 2FA with Google Auth, but it allows you to install it on multiple phones and has desktop/web login too).

That's a huge inconvenience, but at least it wasn't stolen.