I'm hesitant to use 2FA because I'm worried I'll be locked out of everything if I lose my cell phone. And if something bad happens where my laptop and phone are broken or stolen, I'd definitely be locked out of everything forever.
@sharoz Also, as I am discovering, if you travel and use a different SIM they become a major PITA.
@jcurries Definitely. That's another example that just breaks 2FA.
@sharoz there are Authenticator apps that allow you to back up the 2FA accounts on a cloud account so you can easily restore them on a different device. Opens another attack vector, but prevents you from getting locked out.
@gka Except many cloud accounts need 2FA 😬

@sharoz some also provide you with backup codes in case you lose the device. I think that's a solved problem, right?

Although I wouldn't know where my backup codes are if that happened to me, to be fair 🤔

@sharoz another solution is full phone backups, e.g. iCloud backups for Apple devices. They let you restore all apps including the authenticator apps, right?

@sharoz

If by 2FA you mean the web site sends you a code via text, yeah that's shit. But if you mean use of a real authenticator app, it's much better than you might expect.

With "standard" authenticator apps, like Google Authenticator, you can write down the "secret" used by the app for a particular web site, and put it into a new phone later if you ever need to. And those apps all use the same algorithm, so you don't even need to use the same app later.

So you'd only be locked out permanently if for some reason you simply can't get a new phone.

And they don't rely on the phone number in any way -- you don't even need to have a SIM card installed to use them. You only need the battery installed.

The only difficulty I've seen is that you have to record the secret WHEN YOU FIRST SET UP 2FA. So copy it and paste into a note in your password manager for that web site.

Or take a picture of the QR code used to program the authenticator app, and save that photo somewhere safe.

#2FA

@sharoz

I said:
"And they don't rely on the phone number in any way -- you don't even need to have a SIM card installed to use them. You only need the battery installed."

That's not quite true. The codes are time based, so your phone has to be set to the right time -- within just a few seconds. I don't know if most phones are capable of doing that via WiFi, or if they rely on having a SIM installed to do that bit.

@SilverMoose yeah, I'm familiar with authenticator apps. I'm way more worried about losing the backup code to an authenticator app than I am about my account being hacked into.

@sharoz

That's why I like to put it into my password manager. If I were to lose that, I'm totally screwed anyway, so I keep way too many backups of it in different places. So I'm pretty sure I'm not going to lose that backup code.

@sharoz our uni makes us use it for everything. My colleague left her phone at home one day and basically couldn’t work.