Two-Step Verification Is Great — Until You Switch Phones

Rob Pegoraro
·Contributing Editor
image

What’s a two-word phrase that can put even an enthusiast for two-step verification into a state of insecurity?

“Reset Phone.”

Securing your online logins with a one-time code sent to your phone beats the snot out of relying on passwords alone for security. But the more secure and robust kind of two-step verification — in which an app on your phone computes these codes for you, instead of your waiting to have them sent via text message — is also harder to move to a new device.

Yes, I had to be reminded of this the hard way. Twice.

First, I tried doing a hard reset of an old phone to cure problems with its decaying touchscreen (that didn’t work), and then I had to set up that phone’s replacement. Both times, I had to redo every form of app-based two-step verification on each device — an experience that ranged from forgettably easy to formidably difficult.

image

Best: Facebook and Twitter

These two stand out from others because their iOS and Android apps include their own two-step verification features: Facebook’s Login Approvals, which generate a one-time code even when you’re offline; and Twitter’s Login Verification, which asks you to okay a strange sign-in via a push notification.

The thing is, both also allow verification-via-text-message. The result: First you get a text on your new phone (assuming it has the same number as your previous device) asking you to confirm that you are indeed you. Facebook’s codes and Twitter’s push notifications then resume working as before.

image

Not bad: Google

Google’s two-step verification is a little different: if you don’t want to rely on texts — which you shouldn’t, as domestic and certainly international travel can leave your phone without a signal — then you have to rely on two-step verification codes generated by a separate app, most often Google’s own Authenticator.

As Google’s online help reveals, getting Authenticator to generate login codes on a new phone takes you down a path with multiple forks: Your particular path depends on the kind of phone you have (Android or iPhone); your access to backup codes you (supposedly) printed out when you first set up two-step verification; and so on.

But once you’ve confirmed that your phone is indeed your own, Google’s two-step settings page provides a straightforward Move to a different phone link that, when clicked, walks you through the scanning of a QR code on the screen with the Authenticator app.

image

Need work: LastPass, WordPress.com

My password-manager service and blogging host, each of which support Google Authenticator as a no-phone-signal-needed “2FA” option, required more guesswork.

With LastPass, the online help provided little assistance; I had to figure out that I needed to click Account Settings while logged into its site, then Multifactor Options, then click the pencil logo next to Google Authenticator’s entry to edit that feature’s settings, then click a Regenerate link to produce a QR code to scan into Authenticator on the new device.

At WordPress, meanwhile, the documented procedure is to disable two-step verification entirely, then enable it from scratch on the new phone. I’m afraid to know how many people give up and skip the second part.

Some Alternatives

After all that, I better understand why text-message two-step verification can be so appealing. As long as you move your number to a new phone — which may only require swapping a SIM card — there’s nothing to install or configure.

But remember that SMS only works where your carrier does, which (again) means not on a plane or overseas. Should you disable two-step verification right before you have to rely on a bunch of untrusted connections? No, but that’s what Australia’s government recently suggested to citizens using text-based verification at its myGov portal.

Most two-step systems ask you to print out and carry around backup codes. That’s a better idea, although once you have more than a handful in your wallet you may need to identify them in a way that doesn’t make it obvious which one unlocks which account.

If you have a desktop computer in a reasonably secure location, you can often set that as a trusted computer exempt from two-step verification. That, in turn, lets it serve as a home base for redoing two-step verification should you lose any devices.

Or you could use a code-generating app besides Authenticator — for instance, Authy can sync codes among multiple devices. I’ve read good things about it but haven’t tried it yet.

Finally, you can verify a login on a regular computer’s copy of Chrome using a USB Security Key — a simple fob that you bind to your account and then plug in when requested. Those aren’t exactly household items — I got mine at Google’s I/O conference in May — but it is nice to have a backup to my phone.

But you know what’s worse than all of these fallback options? Relying only on passwords that can be too easily guessed or cracked and which provide no further defense against an attacker.

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.