PC Pro

DAVEY WINDER

What happens if someone steals your phone and you lose access to your 2FA device? Davey shows how to prepare for this worst-case scenario

I’ve written a lot about ensuring every account that can have two-factor authentication (2FA) activated does so. Adding an extra layer of protection means that if your login credentials are compromised, say a reused password turns up in a breach database traded between cybercriminals, the account itself won’t get compromised.

Of course, there’s no such thing as 100% secure and 2FA is no exception to this rule. 2FA via SMS is at best a 50% score, for example, as there are many known ways that the process itself can be successfully attacked. That’s still 50% better than zero secure, though.

2FA TOTP code authentication apps – that’s a time-based one-time passcode, rather than anything to do with Top of the Pops, sadly – are much better still and hardware-based authentication keys even more so.

But, as reader Andy pointed out in a poignant email: “2FA becomes a jailer when you lose access to your authentication code-spinning device, locking you out of your accounts as surely as if a hacker had got your password.” In Andy’s case, his phone was stolen and his 2FA code app was on that phone – and that phone alone. Like many people, I suspect, he had printed out backup codes provided at the point of enrolling in the 2FA option for some but not all accounts. Like many people, he had misplaced most of these over the past two or three years.

Andy had to spend many hours sending emails and speaking to IT support on the phone before eventually regaining access to his accounts that had never been compromised in the first place. Look, I still unashamedly maintain that 2FA should play a key role (I’m not apologising for the pun, suck it up) in any and every account security strategy. It really is the most secure option to give you peace of mind. Until it isn’t.

Andy learned his lesson and wanted me to pass it on to others so they don’t get caught out one day.

I’ve had emails from people who tell me they simply no longer use 2FA at all because the theft or loss of their smartphone turned into much more hassle than it was worth. When Luke wrote to me about this last year (he had bought a new phone with a new number), I responded at the time that it’s better to get locked out of your accounts by your own doing than by the actions of a threat actor: no, you can’t access your data, but nobody else has accessed it either.

I realise that scenario equates to a metric ton of hassle, but it also shows just how effective 2FA is when it comes to protecting your accounts. Think about it: if the “I’ve lost my 2FA keys, get me back into my account” process were not as time-consuming and meticulous as far as proof of identity is concerned, there would be no point to 2FA. It’s why SMS codes aren’t so hot: criminals can pull off a SIM-swapping attack, using social engineering prowess to convince your mobile network carrier to transfer your number to their phone. They then get access to those codes, which are enough to “prove” they’re the rightful owner of the account they’re trying to access. The bottom line isn’t that losing access to a 2FA device can be a traumatic experience, but rather that it doesn’t have to be.

I gave my first clue to easing this potential security pain point in passing already: backup codes. Every account that provides 2FA access will, or should, also provide backup codes at the time of activation. You will be told to print them out or save them somewhere safe. Personally, I take a multilayered approach to backup codes. I print them out, then photograph them and keep those images on a hardware encrypted USB stick before deleting the original images. Regular readers will know I’m something of an encrypted stick hoarder; the one with the codes on is known to me but stored in a general box full of the things.
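For readers who want to see why a printed backup code is as good as the authenticator itself, here is an added illustration of how a service typically issues and redeems them. This is example code written for this column, not Authy’s or any particular provider’s implementation; the code length, character set, hash iteration count and the `BackupCodeStore` class are all assumptions. The key properties it shows are that each code is a high-entropy secret generated with a cryptographic random source, that the service keeps only a salted hash (so a breach of the service does not leak usable codes), and that each code works exactly once.

```python
import hashlib
import hmac
import secrets

# Assumed code format: 8 characters shown as "xxxx-xxxx". The alphabet drops
# 0/O/1/l/I so a printed code can be typed back without transcription errors.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 50_000  # assumed work factor; codes are short, so hashing must be slow


def generate_backup_codes(count: int = 10, length: int = 8) -> list:
    """Issue `count` one-time codes from a cryptographic random source."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:4]}-{raw[4:]}")
    return codes


def normalise(code: str) -> str:
    """Accept codes typed with or without the dash, spaces or capitals."""
    return code.replace("-", "").replace(" ", "").lower()


def hash_code(code: str, salt: bytes) -> bytes:
    """Salted, slow hash: the service never stores the code itself."""
    return hashlib.pbkdf2_hmac("sha256", normalise(code).encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """Server-side record of a user's unused backup codes (hashes only)."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self._unused = {hash_code(c, self.salt) for c in codes}

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """Return True and burn the code if it is valid and unused."""
        digest = hash_code(submitted, self.salt)
        for stored in self._unused:
            # constant-time compare per entry, so timing doesn't leak partial matches
            if hmac.compare_digest(stored, digest):
                self._unused.remove(stored)  # single use: it will never work again
                return True
        return False


if __name__ == "__main__":
    issued = generate_backup_codes()
    print("print these out and store them safely:", *issued, sep="\n  ")
    store = BackupCodeStore(issued)
    print("first use:", store.redeem(issued[0]))   # True
    print("reuse:", store.redeem(issued[0]))       # False, already burned
    print("codes left:", store.remaining())        # 9
```

Because only hashes are stored, the printed sheet (or the photograph of it on an encrypted stick) is the only copy of the codes anywhere; lose it and the service genuinely cannot reissue the same codes, only generate a fresh set after you prove your identity some other way.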

“2FA really is the most secure option to give you peace of mind. Until it isn’t”

Authily good

There’s another way to protect yourself from this lost code-generating device scenario, and it’s one that I also use. One word: Authy. Yep, it’s a code-generating app that works in just the same way as Google Authenticator et al, but with the major benefit that it can put an end to lost phone anxiety.

Before I continue, I should say that Google Authenticator has at least partly addressed this issue by enabling a degree of portability into the app. Android users can transfer the secrets used to generate 2FA codes from one device to another, and it’s these secrets, these keys, that prevent people from just installing the app on another device and it all working without them. You still, however, need both old and new phones for this to work. You export your accounts from the old into the new by scanning a QR code the app generates, and that’s it. But, as I say, lose your phone, it gets stolen or you switch from an Android phone to an iPhone and it’s still no help.

Which brings me back to Authy, my 101% preferred option over everything else because it’s by far and away the most user-friendly, least time-consuming and just works.

For a start, Authy works with all your devices – Android or iOS, Windows or macOS, even Chrome, it’s got you covered with an app. What makes it so good for reducing lost device anxiety, though, is that it allows you to back up and restore your encrypted 2FA account tokens to another device. That decryption will only happen on the local device itself, with no cloud storage worries to throw into the mix.

What’s that at the back? Didn’t I say that expanding the risk surface is a bad thing, and surely having your authenticator codes spread across multiple devices does just that? Well, yes. Sort of. Every additional installation will dilute your security posture in terms of risk. Which is why I only recommend the mobile device you use as your primary and one other, in my case a laptop.

It’s always going to be something of a numbers game, balancing risk and usability, most secure with least problematic. In the case of having an Authy backup I can rely upon in a worst-case scenario, the dice roll out right for me. A major factor in my coming to this decision is that Authy lets you disable the backup feature after you have added that secondary syncing device (the laptop in my case). Which means no further devices can be added.

Make sure you disable “Allow Multi-device” after installing on your secondary device. Then, even if an attacker carried out a SIM-swap attack or had your login details, they wouldn’t be able to add another device and sync your 2FA data to it. Keeping your Authy password in a password manager means you can ensure it’s long, complex and random, which reduces the cracking potential to begin with.

The Authy password is hashed and salted, and the authenticator key is encrypted with AES-256 in cipher block chaining mode with a different initialisation vector for every account. As Authy only gets to “see” the encrypted result, with the actual key never transmitted, any breach at the Authy side won’t impact you. So, in our “lost access to the phone” scenario you would buy a new one, install the Authy app and verify this from your secondary device, having re-enabled the multi-device option for this purpose.

When I swapped from using a Galaxy Note 10+ as my primary phone (it’s currently one of my burners) to an iPhone, I employed Authy in this way and was up and running with a working authenticator code app in less than five minutes from start to finish. Who said security had to be hard to be effective?

Reporting for action

Pop quiz: have you ever reported a cybercrime? I’m going to take an educated guess that the answer is “no”. I’ve interacted with thousands of people who have been on the sharp end of the cyber-stick, and I’m not talking spam or failed phishing attempts here, and can honestly say that no more than a handful have been responsive to that suggestion when I’ve made it.

For example, I may look like a vigorous young hipster (quiet at the back), but I’m actually quite the old, and old-fashioned, gent.

Nothing gets my goat more than those who try to exploit the fears of others in order to extort cash, even if it’s of the make-believe crypto variety. Yeah, I said it, so sue me.

Anyway, the point is that a number of “sexploitation” scams have been doing the rounds of late and while these are easy to dismiss if you are a security “expert” who’s seen them time and time again, that’s not the case for your average recipient. I’m regularly contacted by (mostly female) victims of these things who want my help, and who mainly want to know what to do. I can tell you that this isn’t a victimless crime even if the bait isn’t actually taken.

Take the “Day of Hack” scam – so called because they always include “day of hack” in the subject line – that’s been doing the rounds for a year or two now. They also always claim to have compromising video footage, recorded as they have access to your computer and webcam. Sometimes they will throw in a line about knowing you have watched porn, and the footage is you doing what comes naturally as a result. The bait in these particularly nasty scams is that the “hacker” says they have your password and includes one in the email. This will indeed be a password associated with your email address. That actually means nothing as it will 99.999% be one that has appeared in a breached database over the years. All that matters is that the recipient recognises it, especially if they reuse passwords across sites.

With the hook well and truly baited, they demand a payment in Bitcoin or threaten to publish that video. One recent victim contacted me as the scammer said they would send the video to her contacts, which they had as they had hacked her computer. Reinforcement all the time. My advice is always the same: don’t respond, do change your password for any services that use it. Do activate 2FA where possible, and more of that shortly. And do report the scum to the relevant authorities.

“I was up and running with an authenticator code app in less than five minutes”

It usually takes an email or three to reassure the person that this makes sense, but when logic kicks in over the initial fright response, it’s all good. If these master criminals had hacked your computer they wouldn’t be threatening you with this stuff; they’d be exploiting that access in more profitable ways. Even if they were just into extortion, they would send a clip if they had it to convince you to pay up.

So, why report it? Surely nothing will be done if no money was lost, law enforcement has better things to do and so on. Well, maybe, but reporting these things is adding to the intelligence out there and it may just help track down and stop a few of these people.

The other thing that people tell me is they have no idea where to report it to. It doesn’t warrant (see what I did there) a 999 call, obviously, but please don’t ignore it. You have two primary options: general phishing emails can be forwarded to report@phishing.gov.uk (you can find more information from the National Cyber Security Centre here: ncsc.gov.uk/information/report-suspicious-emails) and all other fraud and cybercrime, including sexploitation attempts, can go via the UK Action Fraud reporting centre at actionfraud.police.uk, which does directly involve the police.

Action Fraud also has a phone number. If you’d rather speak to someone, just call 0300 123 2040 between 8am and 8pm, Monday to Friday. Action Fraud encourages businesses or other organisations to call if they are suffering a cybercrime in progress. And finally, the best online resource I’ve found for victims of any kind of cybercrime in general has to be thecyberhelpline.com.

davey@happygeek.com

@happygeek Davey is a journalist and consultant specialising in privacy and security issues

ABOVE Always disable Authy Multi-device after adding your secondary backup

BELOW One of my many encrypted sticks contains 2FA backup codes

ABOVE “Hackers” will attempt to blackmail users by claiming to have webcam footage

BELOW If you’ve been targeted, report it – that’s what Action Fraud is there for
