| I'm really sorry for the situation you find yourself in and agree that it sucks. I'm replying because I want to mention that it is possible to use 2FA without any form of vendor lock-in (although I realize this doesn't help you retrospectively fix your existing issue). I'm not trying to be a wise ass, I just want to share some pointers for folks who are interested in avoiding or remedying this problem (which is a bit of a tricky problem). I've been using pass (https://www.passwordstore.org/) for quite a few years now and it allows to use multiple GPG keys to encrypt secrets in different subfolders. So I have a default GPG key that encrypts all my regular passwords, protected by a master password that is easy enough that I can regularly type it in on my smartphone. Then I have a second GPG key with a much more complicated password that I use to encrypt my 2FA secrets (strings like "FX5D MJE8 F9F9 XFE0" that can be used to "seed" apps like Google Authenticator). These 2FA secrets I never access on my smartphone, I only access them on my laptop where I have a proper keyboard to type in the absurdly long password required to unlock these. I wrote a small Python script that takes a 2FA secret and uses it to generate a TOTP URL that is then fed to "qrencode" (a command line program available on Linux and MacOS) which renders a QR code that I can scan into a TOTP app like Google Authenticator (like if I was first signing up for 2FA via the original website or service, the only thing that changes is who generates the QR code and when). Because I saved the original 2FA "seeds" (my term, not sure what the proper term is here, but it's akin to the seed you feed into a random number generator) I can regenerate the QR code whenever I wish, which means that if my smartphone dies and I lose the 2FA secrets loaded into Google Authenticator, I can take an empty new smartphone, install Google Authenticator, and rescan all of the QR codes that bootstrap my 2FA sequences via my laptop. The other side (the website or service where I enabled 2FA) never needs to know I went through this procedure, in fact fundamentally it cannot know. I've been using this same scheme to share 2FA codes with a team of system administrators so that we can properly protect e.g. AWS root accounts while still providing multiple individuals access without being tied to a single smartphone or 2FA app. So long story short, it is possible, although admittedly (my way) it does require some cobbling together of different tools in order to get a workflow that handles this smoothly. But I sleep better at night knowing that all of my important accounts are protected by 2FA yet I can never be locked out of them, even if I lose my smartphone or laptop (the actual password store git repository lives on my server where it is backed up to several disks every couple of hours). |