There is both frontend and backend things you must do
I’ve always been a big proponent of two-factor authentication and it seems these days you really need to use it. Just look at the recent Apple security hole that allowed people to reset your Apple ID password with just your email address and DOB. If you had enabled two-factor authentication on your account, you would not have to worry about this problem.
Though two-factor authentication can make your account more secure, it can also cause a lot of problems if you happen to lose the device that generates the codes.
Just like there is more upfront setup required to use two-factor authentication, there is also a bit of backend setup you must do to ensure you can regain access to your account in case of loss or theft.
I currently have 2-factor authentication enabled on Google, Dropbox, Facebook, Lastpass.com, iCloud.com and many other sites. After doing a little research, I realized I didn’t quite have my backups ready. I actually pretended like I lost my device and wanted to see how easy it would be to get back in.
I was surprised. If you don’t have the right stuff setup, you could end up either permanently locking yourself out or having to through through hours or days of trying to convince customer service people you are the real owner of the account.
In this article, I’ll go through those five sites and explain what you need to do in order to ensure that your account remains secure, but is still recoverable in case you lose your phone and can’t generate the codes anymore.
There are a couple of things you should setup in terms of recovery for your Google account. To get started, head over to the account Settings page here:
First thing you want to do is add a recovery email address. The recovery email address is more often used when you forget your password or your account has been hacked, but it’s still another mechanism that can be used to get back into your account regardless of what’s preventing you from getting in.
Next, click on Security and then click on Settings 2-step verification.
Here is where you need to setup the backup options for 2-step verification or at least make sure everything is up-to-date.
The important aspects here are the backup phones and the printable backup codes. You should definitely have at least one backup phone, which can be another cell phone, home phone, etc. Obviously, make sure this other backup phone is also secure or with someone who you completely trust like your parents or someone.
My 2 year old daughter was playing with my iPhone and deleted the Google Authenticator app. I couldn’t restore it from backup and therefore I had to get a call on my backup phone in order to get it.
The nice thing about the backup phone is that if you can’t receive a text message on it, you can have an automated service call you with the code. Secondly, print out the backup codes and do not save them on your computer.
It gives you the option, but it’s a terrible idea. You don’t want these codes in digital format. Nor do you want to be carrying the backup codes around in your wallet. They should be kept securely in one location and pulled out only when you need them.
The last thing you can to is make one or two computers Trusted Computers. If you scroll down on the 2-step verification settings page, you’ll see if the current computer is trusted or not:
This basically means you won’t have to type the verification code on that computer for about 30 days or so. After that point, it asks anyway, but if you lose your phone, then you can use a trusted computer to sign in and then move 2-step to another phone or just disable it until you get time to set it up again.
Dropbox 2-step is similar to Google, but doesn’t have as many options. Basically, if you lose your phone, you have to enter a emergency backup code that they give you when you initially setup 2-step verification. If you already enabled it and can’t find the code anymore, you should disable 2-step and then re-enable it in order to generate the new emergency backup code.
Once you log into Dropbox, you need to click on your name at the top and then click on Settings. Then click on Security:
The first thing you want to do is disable 2-step if you don’t have your emergency backup code. Once you have that and have enabled 2-step, go ahead and make sure to add a backup phone number. I use the Google Authenticator app to generate the codes because you can then use your phone as a backup.
If you use your phone SMS to get the codes, then your only backup is the emergency backup code. That’s why it’s better to install the Google Authenticator app and then use your phone number as a backup. Then you’ll have two backups in case something goes wrong.
It’s also worth noting that Dropbox has trusted computers also and if you do lose your phone and you don’t have any backups available, you can still login on a trusted computer. But if you lose your phone and don’t either have the emergency code or a backup phone, then you’re screwed. Or at least you’ll have to call Dropbox and pray they believe you.
When it comes to Apple, you can log into your account as long as you have two of the three items below:
1. Apple ID password
2. Access to a trusted device
3. Your recovery key
As long as you have any combination of 2 of these items, you can get back into your account. Once you have logged into your Apple ID account, click on Password and Security to manage your trusted devices and your recovery key. It’s a good idea to add several trusted devices like your phone, spouse’s phone, etc. Currently, trusted devices have to support SMS, so you can’t add an iPad or anything like that.
The next thing is to print out your recovery key or click the Replace Lost Key if you forgot to print it out the first time when you setup 2-step verification. Again, it’s best it just print this out and not save it in any type of digital format. It’s a lot easier for digital data to be stolen than a piece of paper in a safe or stuffed in some strange location only you know.
LastPass is fairly straightforward in terms of not having access to your codes; they basically have a link that will send you an email, which will then disable Google Authenticator temporarily so you can log in.
LastPass is the only place where you don’t have to actually do anything extra in order to gain access back to your account.
Facebook has Login Approvals, which is the same as 2-step verification. It’s not as stringent as Google’s 2-step verification, but it’s still pretty useful and can prevent hackers from gaining access to your account. Login Approvals either sends you a SMS on your phone or you can use Code Generator in the Facebook app.
The reason I said Facebook is less stringent is because it won’t ask you for that code when logging in from any of your recognized devices, which is pretty much every device you have ever used to log into the site.
If you lose your phone and you don’t have the Facebook app installed on any other device, you’ll have to login from a recognized device. If you don’t have any way to login from a recognized device, you have to file a report and wait forever to get access back.
So I would install the Facebook app on at least two devices, maybe your phone and a tablet and then make sure you have a couple of computers that are recognized devices.
Hopefully this article gives you a little more idea on how to ensure you are using 2-factor authentication properly and not potentially locking yourself out with the extra security.
If you haven’t enabled 2-factor authentication at all, I strongly recommend it along with making sure your backup and recovery options are set. This way you’ll have more peace of mind when everything is working and peace of mind even when your device is lost or stolen. Enjoy!