Advice column: Two-factor authentication woes

Martin Shelton

Principal Researcher


Welcome to “Ask a security trainer,” the column where the digital security training team at Freedom of the Press Foundation answers your burning questions at the intersection of journalism and security. Let’s jump right into this week’s question.

Dear DST,

I’m afraid if I set up two-factor authentication and I lose my phone, I’ll be locked out of my accounts. What can I do to prevent this?

Signed,

Authentication Anxiety


Glad you asked, Anxiety. The short answer: when setting up two-factor authentication on a website — that is, requiring a second piece of information beyond the password, such as a short code sent to your phone — always save your two-factor authentication backup codes somewhere safe, such as a password manager. We’d particularly recommend doing this for your most important accounts, like your primary email addresses, because they can be used to recover other accounts.

To dive a little more deeply, I’d suggest that you have a strategy for your two-factor authentication redundancy.

Speaking from experience, this is a real problem. Back in 2012, I locked myself out of all of my major accounts because I lost my phone. That’s right, I used a 2FA app and — predictably, during a night out — I lost my phone. My friends and I spent a lot of that evening retracing our steps, looking for my phone and never did find it, leading to hours of recovering accounts with customer service representatives across various companies. But now, even if I lose my phone, I’m prepared.

A photo of backup codes in a Google account. It reads, "Save your backup codes" and shows ten 8-digit numeric codes.

Screenshot: Google's 2FA backup codes.

First, when setting up 2FA on most websites, you will nearly always receive a backup code that you can use to recover your account in case of an emergency. It typically consists of some short codes that you can use to get back into your account if you cannot provide your 2FA code during login. Save these somewhere safe, such as a password manager, or if you prefer to keep it analog, keep printouts in a place where you feel comfortable they’re secure.

If you want to get serious, it’s also a good idea to have 2FA redundancy through your physical devices, for example, enabling 2FA using a security key such as a Yubico Security Key or Nitrokey Passkey. We’d especially recommend enabling a security key on the most important accounts that you may use to recover other accounts, such as your personal email. If you use an offline-friendly 2FA app such as Google Authenticator, you can locally export to other devices (e.g., an unused phone) in case of emergency.

Likewise, it’s possible to store 2FA codes on multiple devices with services that synchronize across devices (e.g., Authy for mobile devices or 1Password). There are subtle trade-offs between syncing across multiple devices instead of keeping 2FA codes on your local device, but this is one of those situations where we don’t want to let the perfect be the enemy of the good. Having even one kind of backup option will give you some peace of mind. I know it does for me.

Read our guide to learn even more about 2FA approaches and how to set them up.

Securely yours,

Martin Shelton

P.S. Even with these extra measures, on your next night out, be sure to keep a close eye on your phone!
