Two-Factor Authorization Is Awesome - Until You Lose the Damn Token

It's no secret that passwords as a sole security feature are starting to be phased out and clever techniques like two-factor authentication are becoming more commonplace. But two-factor authentication can be too clever for its own good: In a system where access is granted based on something you know (the passphrase) and something you have (a cellphone or key), what happens if you actually lose the something you're supposed to have?

This is not an uncommon problem. In the office, keys and key cards get lost all the time. And how many of us have done the walk of shame in sweats and bunny slippers down to the hotel lobby when we tried to set our tray out in the hallway only to hear the door mockingly click shut behind us?

And that's just one-factor authentication, where you need only the key to get in. How much worse will it get when security from the physical world is required to access the virtual world?

In the workplace and elsewhere in the real world, acquiring a new key is usually not that hard. You go talk to the building manager or security in the office and get your new physical token. Lose the keys to your car, you call a significant other with a copy of the key, or call the dealer. All of these workarounds do the trick because you're physically present and can explain the circumstances to some sympathetic soul (bunny slippers help, trust me).

But what happens when you lose the physical element of two-factor authentication for an online service? You can't exactly call them up and get your access restored. Or, at least, you shouldn't be able to do that.

So what is the plan when you lose the physical piece of two-factor authentication?

Why The Rigmarole?

This is not just an academic exercise for me - for the last couple of days someone keeps trying to reset my Twitter account's password, and (for now) I'm resting easy in the knowledge that whoever's doing it can't get into my email account to pick up a legitimate password-reset link (and I'm not clicking the links in what are probably phishing emails).

This is the primary reason why it's a good idea to implement two-factor authentication. Even if someone does manage to find out your password for an account, they can't log in to your account and start changing passwords or use your account to start gathering information on your personal and financial life. Not without the physical token.

In my case, the token is my Android phone, which uses the Google Authenticator app to generate time-based verification codes that I enter when I log into my Google accounts (and the other accounts I've got the app tracking). I had been using the "Send code to SMS" option, but that proved troublesome when trying to log into Google in buildings where cell access was a problem. The app continuously creates new codes, regardless of connection.

If I lose my phone, it's going to be a pain, but not the end of the world.

Follow The Plan

First, Google recommends that I find a computer that has already logged into my accounts. I have one machine, my primary office computer, that Google remembers for 30 days at a time. I can get into that and start performing the tasks that need to be done. Even if I am away from home, I can call a family member and walk them through the process.

The very first thing to do if you lose the phone (er, token) is get connected to the accounts for which the phone is being used for two-factor authentication and change the password. Most of the time a phone is lost, it's just that: lost. And, even if it were stolen, most of the time it's going to be taken by some numbskull who will soon be taking pictures of themselves and their friends so you can track them down and take it back. Still, better to be safe than sorry.

Once you change your main password, Google recommends that you revoke any application-specific passwords you granted to apps on the phone. If you get your phone back, you can always give the phone a new application-specific password.

If you don't have access to a computer that's already logged in to Google, or that is still within that 30-day remembering period, you have two options:

For Google Apps users, where Google is handling your email and other services under your own domain rather than gmail.com, the fastest thing to do is contact your Apps administrator and have them turn off two-factor authentication so you can log into your account straight away to change your password and revoke access to your account.

If you are not an Apps user (or can't seem to get a hold of your administrator), you can have codes sent to your backup phone. If you haven't set up a backup phone on your Google account, it's a good idea to do it.

The other option is to use one of the 10 printable codes that Google makes available to your account. I personally don't use this option, but keeping an unlabeled piece of paper around that has a random set of numbers is not likely to be a huge security risk.
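The printable codes are safe on an unlabeled sheet because each one is random, works only once, and should never be stored in the clear on the server side. The block below is an added illustration of such a single-use backup-code store, not code from the original post or from Google; the 8-digit format, the PBKDF2 parameters and the in-memory set are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example: a minimal single-use backup-code store of the kind
# behind "printable codes". Codes are shown to the user once; only their
# hashes are kept, and each code is invalidated the first time it is used.


def generate_backup_codes(count: int = 10, digits: int = 8) -> list[str]:
    """Return `count` random numeric codes of `digits` digits (CSPRNG-backed)."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]


def _hash_code(code: str, salt: bytes) -> bytes:
    # 8-digit codes have little entropy, so a slow hash (PBKDF2, assumed
    # 100k rounds) rather than plain SHA-256 limits offline guessing if the
    # stored hashes ever leak.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class BackupCodeStore:
    """Holds the hashed, still-unused codes for one account."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self.unused = {_hash_code(c, self.salt) for c in codes}

    def redeem(self, candidate: str) -> bool:
        """Accept a code once; compare in constant time against every stored hash."""
        digest = _hash_code(candidate.strip().replace(" ", ""), self.salt)
        for stored in list(self.unused):
            if hmac.compare_digest(stored, digest):
                self.unused.discard(stored)  # burn the code: a reuse must fail
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("print these once and keep them somewhere safe:", " ".join(codes))
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
```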

Losing the physical part of your two-factor authentication will be a pain, just like losing a key for a physical lock would be. That's kind of the point, in some ways. But most services using two-factor authentication will have procedures in place to help you work around the situation. Check your two-factor services and make sure you've done everything you need to do to prepare for the inevitable loss of your physical token.