
how did you lose your 2FA device?

this is what scares me the most about using 2FA.

github for example says if 2FA is lost there is no way to recover.

i have lost a phone number before... and although github also supports other 2FA devices, such as a rotating key app which can be on multiple devices, you have to set up all devices at once. so i can put it on my laptop and my phone, but not my home and my work computer unless i carry one to the other place. phone and laptop is not enough. if i lose my bag, both are gone. and i'd have to reset all devices if i ever want to add a new one. at that point i am more afraid to lose access through stupidity than through theft.

no thanks.

greetings, eMBee.

> this is what scares me the most about using 2FA.

My solution for TOTP/HOTP 2FA (aka "Google Authenticator"-2FA) is quite simple:

I print out the QR codes used to activate the 2FA, and keep them in a safe. That way I can always re-activate the 2FA on a new device, and it's still just as secure (because, if an attacker can break into my home and break open the safe, they could just as well take my phone with them)


Last I checked GitHub actually lets you turn off 2fa if you can use an associated SSH key to sign a message?

Not entirely certain but support staff definitely turned it off for me once I lost my phone number.


oh, that's a relief. good to know. thanks.


A very valid concern. I was in a serious vehicle accident this year and it took weeks for all of my keys and possessions to make it back to me. Luckily I didn't need 2FA for my email or insurance.


That's what the backup codes 2FA provides are for, no?


I've lost those in the same theft as I lost my 2fa device for github. Not going to store them outside of my password manager for github again.

So why do I use 2fa for github? Because organizations require it.


There are still benefits of 2fa even if codes are stored in your password manager. It protects against most keyloggers. It probably makes phishing a little less likely (because most websites cache 2fa, so you'll be a little more suspicious when asked for it by a phishing site). It protects people who use weak or reused passwords. Sometimes it causes support staff to be more careful with regard to social engineering.


When adding 2fa I add it to authy on my phone and to my pebble (which has significantly better battery life than my phone).

Authy allows backups though I've never tested this.

I also keep recovery codes for critical services in case all else fails (just don't forget to NOT put that behind 2FA cos circular dependency).


For what it's worth, when I switched phones my Authy app went out of sync. It was a work account so I just had my boss reset my 2fa, but if there isn't a way to re-sync you may be out of luck.
