This post doesn’t break any new ground regarding two-factor auth (2FA). It’s more of a reminder and a cautionary tale. It’s also somewhat Mac and Python oriented, but the suggestions should be generally applicable.
If you have a need for higher-than-average levels of security, you probably already have a better system than anything I could suggest. This post is aimed at typical technical users in typical scenarios.
Additionally, I’m not a security expert, so you probably shouldn’t take my advice.
Don’t rely only on apps to store your 2FA private keys.
Always save 2FA private keys somewhere. Don’t just scan the QR code and move on because extracting the keys from an app later is somewhere between annoying and seemingly impossible.
Suggestion: Store 2FA private keys in pass.
Related suggestion: Use a tool like totp to generate codes from 2FA keys stored in
passon the command line. If you’re a developer/sysadmin/etc this is often faster and more convenient than having to have your phone nearby all the time.
Further suggestion: Use pipx to install command line tools like
Always save recovery codes right away:
passfor this too.
Suggestion: Write them down on 3x5 cards and store them somewhere safe. This is tedious and perhaps unnecessary if you use
pass, but this is what saved me from being locked out of a handful of accounts recently.
I also use the macOS password manager to store 2FA keys (but not passwords). It will helpfully prompt to insert a 2FA code for you in some cases, but it’s mainly just another secure backup (assuming you trust Apple).
If you’re not a Mac and/or Python and/or heavy CLI user, there’s an
analog for all the suggessions above. For example, some have suggested
using an offline password manager such as KeePass (or one of its
variants) instead of
pass to store 2FA private keys. The key point is
to set up some kind of system that’s easy for you to use every time
you set up 2FA on an account.
I’ve been using password managers and 2FA for several years and would consider myself an “expert user.” In the early days, I used Google Authenticator, but a few years ago I switched over to Authy, partly to diversify where I store digital information and partly because Authy’s app had a nicer UI (not sure if this is still the case).
A couple years ago, I got a new phone and for some reason had problems merging the Authy accounts/keys from my old phone. There were also several accounts I deleted that wouldn’t go away and others that were duplicated, and I couldn’t figure out how to fix it.
In the end, I changed the email address and phone number for the account on my old phone and set up a new account on my new phone. Then whenever I signed up for 2FA, I’d usually save the codes on both phones (see below).
It wasn’t ideal but everything was fine until…
The Issue That Prompted This Post
Recently, I ran into a severe issue with the Authy app where I opened it up and all of my accounts/keys were just gone—all except the ones for a former employer. At first I panicked, but then I remembered I had everything backed up on my old phone (except, whoops, I didn’t actually).
I thought maybe my former employer had inadvertently “taken over” the account because they still had my phone number in a database somewhere (and I have a vague recollection of reading a post where a similar thing happened to someone else, but I can’t remember the details or which service it was).
This happened a few weeks before Twilio announced a security breach, so I also thought it might have somehow been caused by that, but I didn’t get an email from them about the breach, so it probably wasn’t that either.
I have to give Twilio/Authy credit for having support that responds in a reasonable amount of time, but on the other hand I couldn’t get any useful info about how all my keys/accounts could simply disappear from the app.
Perhaps it was a bad app update or something along those lines?
After going back and forth with Authy support for a couple weeks and “recovering” the account (quotes because nothing was actually recovered), I gave up, deleted my Authy account, and started using a different app.
To say the least, it’s a bit disconcerting when something like this happens and there’s no explanation. I don’t blame the support tech, though. They probably either don’t have enough information or are told not say anything which would indicate the company is liable.
And it turned out that I actually hadn’t saved all the keys on my old phone and so I had to use recovery codes to log into a handful of accounts (those 3 x 5 cards really saved my ass here).
A System That Works For Me
In the process of moving to the new 2FA app and having to reset 2FA on several accounts (super tedious and no fun), I formalized the system mentioned above:
When setting up 2FA for an account, find the private key string and save it in
pass(or KeePass or whatever) first, before scanning the QR code.
Then scan the QR code in the app, double checking that the codes match by using
totpon the command line.
If you don’t add the key to your 2FA app at this point, that’s okay (or at least less bad) because you can always add the key saved in
passto one or multiple 2FA apps later.
Going in the other direction, many apps don’t seem to have a way to view the key, so if you don’t save it first, it might be hard or impossible to recover without resetting 2FA on the account.
When the recovery codes are presented, save them in
passand write them down on a 3 x 5 card.
For extra peace of mind, save the 2FA private key in a separate password manager such as Bitwarden or the macOS password manager. I prefer to keep passwords and 2FA keys in separate password managers, but that may be overkill.
Many details are elided here, such as setting up
pass, backing up your
pass repo, etc as those details are outside the scope of this post.
In addition, you can of course use your 2FA app’s builtin backup system, but when it comes to important accounts where losing access could be devastating, those backup systems aren’t sufficient by themselves in my opinion (because cloud-based systems can lose data without warning or explanation).
Whenever the subject of passwords or computer security comes up, I always suggest to non-technical users that they should use a password manager.
When it comes to 2FA, though, it’s harder to recommend because there’s some discipline involved in backing up private keys and saving recovery codes, and it would be relatively easy to lose access to an important account. Even as an “expert,” the system I used previously was flawed (partly because I didn’t always follow all the steps).
I’m not sure what a good solution to this is. I think for most non-technical users, using a password manager with random passwords would in itself be a huge step forward.
Comments, Corrections, Suggestions
This blog doesn’t have a comment system, but you can send feedback via the contact form on the home page and I’ll add your comments to the post (if you want).
As noted above, I’m not a security expert, so if you have any corrections or suggestions, I’d love to hear them.