Programming note: I’m back on a laptop after a couple weeks of device-hopping, so hoping to resume regular and more frequent posts from here on out. Apologies again for the lapse in coverage, all I can say is it’s been a real mess, would not recommend being robbed abroad.
One of the many problems with having your phone and laptop stolen at the same time is that, if you use two-factor authentication and those are your ‘trusted’ devices, it effectively locks you out of your accounts. This is what happened to me in Berlin the night a thief made off with my backpack. I suddenly was unable to access my email, Apple ID, or any other accounts. It was a personal digital blackout.
A bit of background on my setup: I’ve had a password manager for many years (1Password) and two-factor authentication (TFA) on most eligible accounts. I use unique passwords and know the important ones by memory. I have an authenticator app (Authy) for accounts that support it, but other tokens go to text, email, or push to an existing trusted device. By trusted device, I mean a device you’ve previously logged into with two-factor authentication and that is digitally linked to you.
Historically this setup has served me well. When you have as many logins as modern digital life requires, you at some point have to choose between using the same or similar passwords for many things, or unique passwords for most things. The latter is more secure but fairly impossible to store in your brain, which is where password managers come in. Instead of remembering—and generating!—each individual password, you have a super secure master password that unlocks all your other logins.
This is all well and good until you lose access to your password manager. Tough luck logging into your accounts without your passwords! Even if you do know some of them by memory, if you can’t receive your TFA token to authenticate the login, you’re still out of luck, like I was after my stuff got stolen.
A lot of people have written to me to say something like “what happened to you in Berlin is my personal tech nightmare” so I’m here to give you the good news that I was able to get back into all of my accounts. It took me about 36 hours to regain access from when my things were stolen and 24 hours from when I returned to London and could access my external hard drive, a computer, and a phone. Not long in real time, but an eternity in stress and digital angst.
Before I tell you how I did it, though, some KEY TIPS:
🔑 Save your password manager’s emergency access kit. Different password managers offer different mechanisms. If you use 1Password, this is a PDF document with the details you or a trusted friend or family member would need to sign into your account from a new device. If you use a password manager and don’t have your emergency kit stored somewhere secure, stop reading this email and go do it right now. 1Password recommends storing your recovery plan in a few ways, including printing a copy to keep in a safe deposit box or giving a copy to someone you trust. You can also develop a plan to store the details in the cloud, but be strategic since this information is essentially the keys to your entire digital life. I had digital copies of my emergency kit but after this will be filing a hard copy away for the future.
🔏 Write down backup codes and store them somewhere safe as well. Critical services often offer the option to generate one-time use recovery codes, which you should consider generating for your most crucial accounts. For example, Google provides backup codes that you can use to sign into your account if other TFA methods fail. You can generate backup codes in the security settings of your Google account. Google gives you 10 at a time, each good for one-time use. I keep my backup codes saved in 1Password and mark when I’ve used them, but now think it would be good practice to have a hard copy stored somewhere safe too.
💁‍♀️ Set up an account recovery contact on your Apple ID. If you use Apple stuff, your Apple ID is the key to managing your account. You need it to log into iCloud, use Find My to track and locate lost devices, authenticate purchases, and so on. Apple tends to manage TFA by pushing the verification code to another trusted Apple device, if you have one, or to your phone number. In recent years, however, Apple has added new account recovery options, including the ability to designate a friend or family member as a recovery contact. As Lifewire points out, using this option does create a new potential vulnerability for your account, so you have to weigh that risk, but having lost all access to my Apple devices while traveling I will definitely be setting up a recovery contact for future emergency use.
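To make the backup-code tip concrete, here is an added example (not Google’s or 1Password’s code) of how a service can issue the kind of single-use recovery codes described above and burn each one on first use. It assumes a constructed format of ten eight-digit codes, stores only a salted slow hash of each code, and accepts the code with or without its spacing.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10      # the post notes Google issues ten codes at a time
CODE_DIGITS = 8      # constructed format: two groups of four digits, "1234 5678"
PBKDF2_ROUNDS = 100_000


def normalize(code: str) -> str:
    """Treat '1234 5678', '1234-5678' and '12345678' as the same code."""
    return "".join(ch for ch in code if ch.isdigit())


class BackupCodes:
    """Server-side store for one account's single-use recovery codes."""

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)   # per-account salt
        self._hashes: set[bytes] = set()       # only hashes are kept at rest

    def _hash(self, code: str) -> bytes:
        # An 8-digit code has under 27 bits of entropy, so a slow KDF rather
        # than a bare SHA-256 protects the stored copies if the database leaks.
        return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(),
                                   self._salt, PBKDF2_ROUNDS)

    def issue(self) -> list[str]:
        """Replace any old set; plaintext is returned once so the user can write it down."""
        codes: list[str] = []
        while len(codes) < CODE_COUNT:
            n = secrets.randbelow(10 ** CODE_DIGITS)
            digits = f"{n:0{CODE_DIGITS}d}"
            code = f"{digits[:4]} {digits[4:]}"
            if code not in codes:           # keep the ten codes distinct
                codes.append(code)
        self._hashes = {self._hash(c) for c in codes}
        return codes

    def redeem(self, submitted: str) -> bool:
        """True and the code is burned on first valid use; later reuse fails."""
        candidate = self._hash(submitted)
        for stored in self._hashes:
            if hmac.compare_digest(candidate, stored):
                self._hashes.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)
```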
Ok. Great. Now for what actually happened to me.
At first I couldn’t do much of anything. Without my phone or computer, I wasn’t able to get into any important accounts (email, Apple ID, bank, etc.) because of the two-factor dilemma. I used my friend’s phone and computer to reach out to a few friends and family, and to print a copy of my boarding pass at the Berlin airport (surprisingly difficult!). On the flight back to London I took a lot of deep breaths, read a copy of TIME magazine from one of those airport book stores, and prayed that my 1Password emergency kit was saved to my external hard drive like I thought.
Back in London, I dug up my external hard drive and headed over to the apartment of a friend who was letting me borrow her laptop. Once the hard drive booted up, I saw with immense relief that the emergency kit was indeed there. Using the emergency kit, I logged into my 1Password account through their web portal, and just like that I had access back to all of my logins and passwords. This got me into a few things right away. For instance, I’d saved my Google backup codes to 1Password and was able to use one of those to log in. I felt a LOT better once I had my gmail back, and immediately signed out of all other Google sessions (“Manage your Google Account” > “Security” > “Manage all devices” > click on sessions you want to end and choose “Sign out”).
Next up was the two-factor dilemma. Several years ago, I switched from using Google Authenticator to Authy. I did this on the recommendation of a tech-savvy colleague, who had recently lost his phone and gone through a similar mess of being locked out of critical accounts without access to his Google Authenticator phone app. Authy, he explained, synced your tokens to the cloud and allowed you to install the app on multiple devices, so if you lost your phone you still had options to recover your TFA.
Authy’s straightforward interface, multi-device setup, and support from parent Twilio have made it a fan favorite, including Wirecutter’s pick for best two-factor authentication app. But to reiterate what should now be a familiar caveat, the same features that make Authy easier to recover and sync across multiple devices also make it less secure. Case in point: Twilio confirmed last summer that some Authy users were compromised as part of a wider breach of Twilio’s systems. The breach, which started with a successful phishing attack on multiple employees, allowed hackers to gain access to the accounts of 93 Authy users and register additional devices—thanks to that multi-device feature—and from there generate login codes for any linked two-factor accounts.
A good general rule of thumb is that the more entry points you have to anything, the more potentially vulnerable it is. This is as true of your digital security as of the doors to your house. But very little or nothing in life is risk-free. I knew when I switched over to Authy years ago that it was less secure than Google Authenticator, but I thought there was a higher chance that I’d lose access to my phone and authenticator app (whether because it was stolen, misplaced, or broken) than that I’d be compromised in a data breach in a way that would allow hackers to successfully gain access to my important accounts. Many years later, this turned out to be a good bet!
So: because I had Authy, and because I had the multi-device feature enabled, I was able to download Authy to my friend’s computer and log into my account from there. It’s worth noting that Authy did send me an email when I did this with the details of the device that had been added, and advising I secure the account if I didn’t recognize the new activity. There are also some practical steps you can take to make using Authy more secure. Wirecutter, for instance, notes that security experts recommend keeping a hard copy of your recovery codes for critical accounts in a secure location (like we discussed above 🔏). You can also see and manage which devices have access to Authy from your account, and disable the feature once you set up multiple devices, for example, your phone and computer. Authy will continue to work on those devices, but someone else won’t be able to add new devices to your account.
At this point I was back into my 1Password and Authy, which together unlocked most of my accounts. It was Friday night, one day after I got robbed and the same day I returned to London. My friend heated up some leftover curry for me while I hunched over her laptop, jumping through the hoops of my digital security setup.
The last and most difficult account to crack was my Apple ID. That’s because neither my password manager nor my Authy account really helped me here. I knew my Apple ID password by memory, but Apple wanted to push the two-factor authentication to either one of my trusted Apple devices (my phone and computer, both stolen) or to my phone number (also inaccessible). There wasn’t an option to get the code by email. When I tried initiating an account recovery request tied to my friend’s phone number, Apple informed me by email that I would get a text or call to her number when my account was ready to recover in two weeks’ time. On the one hand, it was reassuring that Apple was making it so difficult for an unauthorized user to get into my Apple ID, and with it all of my contacts, photos, message history, and iCloud storage. On the other, two weeks was a very long time to wait.
I headed back to my flat, a mix of optimistic and defeated. I’d restored my email, password manager, and two-factor app, but without the Apple ID I still couldn’t access my contacts or messages. Back at my building, I stopped by my neighbors’ flat, a nice couple who had heard the whole story and very kindly let me use their phone a couple times that day. They told me excitedly that they had found an old iPhone 5 in a drawer and if I could get it to work I was welcome to use it. I mean it when I say no one has been as excited about an iPhone 5 for years as the three of us were that night.
With the old iPhone, the last piece of the digital puzzle fell into place. The next morning I charged it up and found a spare SIM card I had lying around for visitors to use. I went into my mobile provider account (thanks, 1Password, though I’ll be memorizing this one for the future), reported my SIM as lost/stolen, and requested to activate the new SIM with my existing phone number. I crossed my fingers and put the SIM into the iPhone 5, which had miraculously charged up and turned on. After a few anxious moments, the phone began to buzz with a backlog of texts to my number.
The phone was still logged into my neighbor’s Apple ID, so I knocked on their door again to see about wiping it so I could try to install my account (plus for his own data privacy). My neighbors were hosting their parents for breakfast that morning, who cheerfully told me that they too had heard all about my misadventures (there is limited neighborhood news in a small Victorian building) and waited patiently while we reset the phone. And then! I went back to my flat, started the device setup, and when I got to logging in with my Apple ID, THE TWO-FACTOR AUTHENTICATION CODE CAME THROUGH TO THE IPHONE 5 IN A TEXT TO MY PHONE NUMBER AND I COULD LOG IN.
I don’t tend to think of myself as particularly tech savvy. Yes, I’m a tech reporter, but really I’m a business reporter who applies that lens to technology companies. My coworkers on the Quartz tech team used to joke that I should do unboxing videos because it would be like “it’s a phone… it’s rectangular… it has a camera…” and probably they were right, my interest in gadgets is generally pretty low. But the morning I got back into my Apple ID and completed the account recovery process, I felt like a bona fide tech hero.
Less than two days after all my technology was stolen abroad, I was back into everything. The security systems I’d set up years ago had held, and with the aid of friends and some spare devices I’d woven my way through a digital maze of my own making. I learned some important lessons about new ways to secure my accounts and made a list of steps I’ll be taking to make recovery smoother in the future, like having a hard copy of my 1Password emergency kit and setting up a recovery contact on my Apple ID. But what I had was already enough. It worked. Maybe I am more tech savvy than I thought.
Great advice for us all. Thanks! Love this line: I mean it when I say no one has been as excited about an iPhone 5 for years as the three of us were that night.
Ali - this is brilliant. Everyone needs a back-up plan.