Write Down Your Two-Factor Authentication Backup Codes!

Gartooth · Aug 29, 2019

This is a general PSA, that if you use 2FA for accounts from your phone on Google Authenticator, make sure to write down your back-up codes and store them somewhere safe.

Today I was having some crashes and security issues with my phone which led to it being factory reset. This caused me to lose not only my current Google Authenticator accounts, but also anything from my photos gallery that could've helped me in password recovery. With Google Authenticator, I found out that even if I mange to redownload the app on the same phone and under the same Google account, the keys for my accounts are forever lost.

I was at least smart enough to write down a backup password in the past for some accounts like Steam, but in the case of Discord I was foolish to leave myself with no way in. I'm emailing their support team to see if it can be fixed, but from their FAQ page it sounds like that account is forever locked.

Anyways, I hope that my mistakes here at least helps out some other members with this in the future.

T0M · Aug 29, 2019

Good to know. I'll have to store them somewhere, especially since I'm getting a new phone soon.

Pikachu · Aug 29, 2019

I've heard of this catastrophic meltdown regarding "Google Authenticator"

What exactly is it, and why do people use it over having text messages?

Gartooth · Aug 29, 2019

Yep, Discord support got back with me and said that they wouldn't be able to remove the 2FA from my account. :(

Thankfully, I can authorize them to permanently delete that account from my email, so I can re-register without having to make a new email address.

Mulciber · Aug 29, 2019

:( That sucks, Gar. Thanks for the warning.

Shoe · Aug 29, 2019

The utility Authy lets you store codes to your account, not locked to a device, unlike Google Authenticator. Still a good idea to back up.

Gartooth · Aug 29, 2019

Shoe said:
The utility Authy lets you store codes to your account, not locked to a device, unlike Google Authenticator. Still a good idea to back up.

Yeah I heard about Authy when I was searching online for a way back in. I'm definitely going to use that rather than try it with Google Authenticator again.

TeenageFBI · Aug 29, 2019

Shoe said:
The utility Authy lets you store codes to your account, not locked to a device, unlike Google Authenticator. Still a good idea to back up.

You saved me a post. Authy's great. It even has a Windows desktop app!

Regarding 2FA backup codes, I note them in my password program to prevent stuff like what happened to the OP. At least it's fixable in this case! ..even if the account has to be recreated.

faceless · Aug 29, 2019

Pikachu said:
I've heard of this catastrophic meltdown regarding "Google Authenticator"

What exactly is it, and why do people use it over having text messages?

SMS can be hijacked in-channel and also at the endpoint.

BDS · Aug 29, 2019

I use Microsoft Authenticator which allows you to store your backup in the cloud with a Microsoft account.

Slappy White · Aug 29, 2019

I changed phone number and cancelled my old account prior to removing 2fa on yahoo and google and thought I'd lost my accounts forever. Luckily both customer services unlocked them for me.

Pikachu · Aug 29, 2019

faceless said:
SMS can be hijacked in-channel and also at the endpoint.

But does that happen, though?

Evan · Aug 29, 2019

I was locked out of my Ubisoft account because I had changed phones and the google Authenticator stopped working.

I had to create a new account just to play a Ubisoft game. I eventually was able to morph the two together.

faceless · Aug 29, 2019

Pikachu said:
But does that happen, though?

yes.

https://www.ccn.com/bitcoin-investor-sues-att-for-224-million-after-mobile-linked-theft/

https://medium.com/@CodyBrown/how-t...es-with-verizon-and-coinbase-com-ba75fb8d0bac

https://fabricegrinda.com/hacked-cryptocurrencies-stolen/

TarpitCarnivore · Aug 29, 2019

Google authenticatior is a bad app for this

Pikachu said:
I've heard of this catastrophic meltdown regarding "Google Authenticator"

What exactly is it, and why do people use it over having text messages?

SMS is super easy to spoof

Deleted member 18944 · Aug 29, 2019

You should be using Bitwarden and a 2FA app that allows push notifications for secure logins. DUO is my preferred. Using SMS puts you at risk.

bronkonagurski · Aug 29, 2019

Evan said:
I was locked out of my Ubisoft account because I had changed phones and the google Authenticator stopped working.

I had to create a new account just to play a Ubisoft game. I eventually was able to morph the two together.

That happened to me but the Ubi's online support worked with me and removed the 2fa so I could log back in.

TeenageFBI · Aug 29, 2019

The worst are those crappy sites that only do 2FA through SMS. No way to use Authy or something that's actually secure. I think Sony's like that with the PSN store.

RoninChaos · Aug 29, 2019

What's a good alternate to google Authenticator?

peppermints · Aug 29, 2019

Hobbes said:
You should be using Bitwarden and a 2FA app that allows push notifications for secure logins. DUO is my preferred. Using SMS puts you at risk.

Duo on iOS has pretty bad reviews. Still worth checking out? I'm fully invested in BitWarden but currently tied to Google Auth except for work stuff which I have to use Microsoft for.

Deleted member 20284 · Aug 29, 2019

Correct me if my memory is wrong here...can't you just have a backup second email address on your Google account and therefore Authenticator as well for disaster recovery?

TheUnseenTheUnheard · Aug 29, 2019

theSoularian · Aug 29, 2019

I ditched Google Authenticator and went with Authy because of this a few years — it's synced betwen my phone and iPad.

Leunamus · Aug 29, 2019

Is there a difference between Google Authenticator and Google Prompt? I use the latter.

lunarworks · Aug 29, 2019

Google Authenticator having no way of backing up is an actual big problem.

But backing up can expose it to massive problems.

The internet is a fucking, goddamn shitshow.

Deleted member 7373 · Aug 29, 2019

Scan the QR code onto two devices. I do this for my google auth codes.

Deleted member 18944 · Aug 29, 2019

peppermints said:
Duo on iOS has pretty bad reviews. Still worth checking out? I'm fully invested in BitWarden but currently tied to Google Auth except for work stuff which I have to use Microsoft for.

We use DUO at an enterprise level and as someone who came from google authentication and MS's solution, I will swear by it. Just glossing over some of the reviews on the App Store makes it seem like people are not too happy about using 2FA or forget that using 2FA makes getting a new device hard if you don't think ahead.

Septimus Prime · Aug 29, 2019

I switched to Authy a while back. I used to use custom ROMs and stuff with my phone, so it was a pain in the ass to redo Authenticator every time.

I used Signal for SMS. Hopefully that helps.

RoninChaos said:
What's a good alternate to google Authenticator?

Authy

ManaByte · Aug 29, 2019

RoninChaos said:
What's a good alternate to google Authenticator?

Microsoft Authenticator. Backs itself up.

TeenageFBI · Aug 29, 2019

Hobbes said:
We use DUO at an enterprise level

My company does too. I like it. Easier and faster than entering codes. Not sure how well it would work for a regular user though.

ClayModel · Aug 30, 2019

Yup, learned my lesson the hard way when I forgot to turn 2FA off when I switched to my new phone. Keep back up folks!

GeoGonzo · Aug 30, 2019

Write Down Your Two-Factor Authentication Backup Codes!

This is just a clever ploy to get some Era members to write down their backup codes in this very thread. You can't fool me, Gartooth!

Zips · Aug 30, 2019

I moved all of my Google Authenticator accounts over to Authy a little while ago. Backup codes in a password manager. Made the move to my phone upgrade a breeze. Probably the best thing to do is you're still on Google Auth.

Just wish the services that still use only SMS would get with the times. There's also one specific account that will not allow you to use anything but their own authenticator app. I'm looking at you, Square Enix.

signal · Aug 30, 2019

After recently moving and having no access to my old phone number and then Google Auth. instance on my phone, I basically disabled like every 2FA option on every site. Something like Authy rather than Google Auth would have helped since it apparently has a backup but the hassle otherwise is too annoying.

Slightly less secure but at the same time I feel like whether or not you have 2FA enabled, sites are pretty diligent about emailing / texting you about suspicious login attempts.

1upsuper · Aug 30, 2019

Zips said:
I moved all of my Google Authenticator accounts over to Authy a little while ago. Backup codes in a password manager. Made the move to my phone upgrade a breeze. Probably the best thing to do is you're still on Google Auth.

Just wish the services that still use only SMS would get with the times. There's also one specific account that will not allow you to use anything but their own authenticator app. I'm looking at you, Square Enix.

What's a good password manager these days?

signal · Aug 30, 2019

1upsuper said:
What's a good password manager these days?

Bitwarden

Zips · Aug 30, 2019

1upsuper said:
What's a good password manager?

I use Keepass. I know a lot of people also swear by LastPass but I never much cared for it in the couple of times I tried it.

1upsuper · Aug 30, 2019

signal said:
Bitwarden

OK, I'm familiar with that one. Thanks.

Zips said:
I use Keepass. I know a lot of people also swear by LastPass but I never much cared for it in the couple of times I tried it.

Thank you. Knew about LastPass.

sca · Aug 30, 2019

You can also take screenshots/pictures of your 2FA QR codes and back it up elsewhere

RestEerie · Aug 30, 2019

i reckoned OP is using IOS and not android?

The authenticator way is outdated...google's using 2-step verification since 2016.

https://www.androidpolice.com/2019/...ised-two-step-verification-prompts-on-mobile/

i.e. after signing in with your google user name and password, instead entering the code generated by authenticator, a prompt will popped up on your 'approved' android device to accept or reject the authentication.

That's being said, yes....it's still essential to keep a copy of the backup codes.

Pyramid Head · Aug 30, 2019

Evan said:
I was locked out of my Ubisoft account because I had changed phones and the google Authenticator stopped working.

I had to create a new account just to play a Ubisoft game. I eventually was able to morph the two together.

Exact same thing happened to me and I just ended up abandoning my old account, which I think only had Splinter Cell Blacklist on there. Made a new account to play Assassin's Creed Origins. Was it much messing round to merge the accounts? I might fancy finishing Splinter Cell one day if not.

TheYanger · Aug 30, 2019

Hobbes said:
We use DUO at an enterprise level and as someone who came from google authentication and MS's solution, I will swear by it. Just glossing over some of the reviews on the App Store makes it seem like people are not too happy about using 2FA or forget that using 2FA makes getting a new device hard if you don't think ahead.

Yep, use Duo for work and it's a breeze.

Evan · Aug 30, 2019

Pyramid Head said:
Exact same thing happened to me and I just ended up abandoning my old account, which I think only had Splinter Cell Blacklist on there. Made a new account to play Assassin's Creed Origins. Was it much messing round to merge the accounts? I might fancy finishing Splinter Cell one day if not.

No, it wasn't difficult at all. The Ubisoft rep was pretty awesome and understanding of the situation. He quickly merged all of my games on both accounts and warned me that doing so would lose my division 1 saves. I was only a few hours in so it didn't bother me much.

But yeah, contact Ubisoft and they'll fix it for you.

B4mv · Aug 30, 2019

Ok

64CA330FCE217BE3

Septimus Prime · Aug 30, 2019

Funny story: 2FA protected jack shit when someone social engineered into my Chase account and cashed out over $900 in Amazon points.

Chase restored it, and we set a third authentication layer, so it's all good now.

Vanillalite · Aug 30, 2019

Shoe said:
The utility Authy lets you store codes to your account, not locked to a device, unlike Google Authenticator. Still a good idea to back up.

This.

Authy ftw.

Window · Aug 30, 2019

So how does this work if you're using 2FA for your gmail account and switch devices?

zou · Aug 30, 2019

Or stop using the shitty Google App. I use Lastpass Authenticator and WinAuth.

NottJim · Aug 30, 2019

1Password will also work as an authenticator and store the codes in the cloud.

Silver-Streak · Aug 30, 2019

https://www.resetera.com/threads/password-manager-and-security-key.97043/ I will rep StrayDog's post anytime I can.

Stop using Google Authenticator, move to an actual password system, get some physical tokens, and store your recovery keys in a safe place.

Write Down Your Two-Factor Authentication Backup Codes!

Alt-Account

Traded his Bone Marrow for Pizza

One Winged Slayer

One Winged Slayer

Traded his Bone Marrow for Pizza

User requested account closure

One Winged Slayer

User requested account closure

Attempted to circumvent ban with alt account

Deleted member 7373

Guest

User requested account closure

EA

Attempted to circumvent ban with alt account

One Winged Slayer

EA

Animation Programmer