When Two-factor Authentication Goes Wrong

For National Cyber Security Awareness Month, we are resharing some of our most popular cyber security blogs from the past year to ensure you are staying #CyberAware online - whether at home or in the office.

I am a strong advocate of two-factor authentication, but when it goes wrong, you can lose access to critical systems. I have written about the benefits of two-factor authentication (2FA) here and I discuss it every time I teach Learning Tree's System and Network Security Introduction.

A recent account lockout hasn't diminished my support for 2FA, but it has made me more aware of one of its attendant problems: recovering an account when the second factor is gone.


The goal of 2FA is to make the authentication process stronger: to remove the reliance on just a username and password. The "second factor" often takes the form of a biometric (e.g. a fingerprint) or a token (perhaps a smart card, badge, or small fob). Enterprise 2FA often uses a hardware token that displays a number that changes every so often, while many websites use a software token, an authenticator app on your phone, that generates the same kind of code from a secret the site shared with the app when you enabled 2FA.

In an enterprise environment, when an employee loses a token it can be replaced by the IT or HR department with little or no fanfare. But, as I discovered recently, if one's authenticator app fails and the secret the website shared with it is lost, recovery can be cumbersome. Before I relate my story, I want to remind you that the goal of 2FA is to make authentication stronger.


My Tale of Woe

For the last few years, I have been using a website that offered two-factor authentication. I enabled 2FA shortly after signing up and used Google Authenticator to generate the codes for authentication. It worked well as long as I had my phone nearby, which I usually did. Two subsequent mistakes on my part meant that I was locked out of my account!

The first mistake was not changing the phone number in my profile on that account. When I'd signed up, my business had a traditional wired landline. We switched to a VoIP service a couple of years ago and the number changed. I notified clients and friends, but it never occurred to me that this site had my phone number.

The second mistake was that I upgraded the Android OS on my phone. It is admittedly an older phone, but it works well so I keep it. It is the phone with the Authenticator app. I backed up the phone and all the data (I believed) to my PC before the upgrade. Unfortunately, the backup did not back up the secrets for the Authenticator app.

When I realized I needed 2FA to get into the website and discovered the app no longer generated the codes, I contacted the site for help. They said they'd call the number in my profile to verify it was me (they'd already texted my mobile). I explained I no longer had that number, and that's when things got difficult.

They sent me a form and a list of required documents I had to copy and send them. The form had to be notarized and the documents required were very specific. To add to the complexity, it was late Friday afternoon and none of the notaries in my small town were available until Monday.

After scanning and emailing all the forms and copies, my account was restored Monday afternoon and I was able to use my account that evening. It was a painful process, but since the goal of 2FA is to make authentication more secure, I cannot fault the company.

There are three lessons here: 1) keep your website profiles current; even if you don't use 2FA now, the site might want to verify your identity for other reasons later; 2) back up your 2FA app's secrets, verify that the backup actually contains them, and enroll a second device if the site allows it; and finally, 3) even though recovery can be difficult, 2FA does make for stronger authentication.