If you're following best practices for securing your personal devices and cloud accounts, you’ve likely enabled two-factor authentication. Two-factor authentication, or '2FA' for short, comes from the computer science concept of multi-factor authentication which requires that a would-be user must present at least two separate pieces of evidence to prove they are who they claim to be. These can be something you have (like an ATM card), something you know (like a PIN), or something you are, called "inherence," such as a fingerprint or retina scan.
To use a common example, let’s say you've properly set up 2FA on your Gmail account. To access Gmail, you need to have your username and password (something you know) and a machine-generated temporary token from an app like Google Authenticator (something you have) or a text. Now if you're a tricksy-little hobbit you probably use long, unique passwords for every application and those passwords aren't necessarily easy to remember. No problem, you store these passwords in a password management app like LastPass or 1Password and it does the remembering for you. The only password you need to remember is a single, master one to access your password store. Now, you're heavily reliant on something you have. But what happens if you don't have it? Like that time I left my phone somewhere between the hotel and LAX security.
In my case, I had an Android phone and stored my passwords using LastPass. I'll describe how I handled that situation and leave it to the reader to use this information to figure out the corresponding steps for their own device or password manager. I've provided links to the iOS equivalents of the Android tools that I use below.
Mother Father!
Losing your phone or tablet can be incredibly stressful, but even more so if it’s your 2FA device—that something you need to have in order to access all the things. I recently managed to lose both an iOS and an Android device within the space of a week. I was able to find my iPad at the Lost & Found at my local airport with a simple phone call. I wasn’t so lucky when I lost my phone.
The Android device was my primary phone and 2FA device. I had just passed through the TSA checkpoint at the airport, put clothes back on, admired the renovations, and walked up the stairs into the gate area when I realized that I didn’t have it with me. Traveling stresses me out in general. Losing my phone did not help. After three deep breaths and an extra-large strawberry parfait to take the edge off, I retraced my steps to TSA. After coming up short with the TSA agent, I had the United customer service representative call the departures check-in area, which also yielded nothing. That meant:
- Someone had grabbed my phone out of a TSA tray,
- I’d left it in departures and it hadn’t yet been found,
- I’d left it in the Uber,
- Or, I’d left it in the hotel.
It can be difficult to relax and mentally retrace your steps, but that’s key. The last time I clearly remembered using my phone was when I’d ordered the Uber at the hotel and after that, I wasn’t sure.
Luckily, my phone was locked and would require either knowing the lock-screen pattern or cutting off my thumb. My mind instantly leaped to an image of sophisticated cyber-thieves viewing the falafel stains on the glass to derive the pattern that I used. Failing that, they could just place the phone in a Faraday cage while working to decrypt the device. Then my mind helpfully suggested that, having lost two devices in the space of a week, I likely had an aggressive form of dementia. Finally, my mind regaled me with a preview of the embarrassment I would surely experience when I explained to my wife that I had lost another device. “No, not my iPad, that was last week…Yes, seriously. ‘You would lose your head if it wasn’t attached to your body!’” Fortunately, I was saved any such embarrassment due to the fact that I'D LOST MY PHONE and couldn’t call anyone.
I made a quick inventory of my assets. I had one hour till my flight departed. I had my laptop. I had two United Club passes. I burned a United Club pass and used my laptop to get online. Phew, I still had access to Slack, Gmail, and Apple Messages on my laptop. But things got tricky right off the bat.
Use software to try to locate your device
I went into Gmail, clicked on My Account and selected "Sign In and Security," which is what you want if you’ve set up your Android device properly.
Ruh roh. I was prompted for my password, which was in LastPass, which required Google Authenticator, which was on my phone. Now, there’s a simple way to handle this, but we didn’t think of it until afterward. The right thing to do is to calmly ask one of the administrators on your Google account to:
- Change your password (and provide you with the new password)
- Generate backup codes to use until you can get your 2FA device back
- Use the new password and backup code to access Google's Find Your Phone page
Side note: You can even generate a physical print-out of these 2FA backup codes (Google, Dropbox, Slack) and carry them in your wallet. Sadly, I stored all my backup codes as encrypted notes in LastPass. Also, LastPass itself doesn’t allow backup codes for LastPass access.
Turning off 2FA on LastPass
I didn’t think of resetting my Gmail password immediately and instead became focused on trying to restore my access to LastPass, which would also give me access to my Google account.
Now obviously people have lost their phones before, and it should be easy to get access to LastPass without your 2FA device. LastPass has the following helpful page describing the process.
I clicked the “I’ve lost my device” link below the Google Authenticator prompt and followed steps to send myself an email. I received the email, clicked on the helpful link, it appeared to work, and then I tried to log in. This yielded perhaps the most frustrating moment of the entire ordeal. After entering my master password, I was prompted to set up Multi-factor Authentication to access my account.
I contacted Ben Chavet, our system administrator, on Slack and proceeded to panic.
We realized that we had set a policy, organization-wide, that 2FA was required. That policy was overriding my individual requests. Ben needed to turn off the policy for the entire organization before I could get access using my master password. Luckily, I had a level-headed companion to help me figure this out.
In retrospect, LastPass was the wrong focus, but it was still important. Assuming a thief was able to unlock your device, there’s a small chance that your LastPass might be specified as a “trusted” device for 30 days and open automatically. Changing the password prevents that potential vulnerability. In LastPass, you can also disable access by targeting the lost device under Account Settings → Mobile Devices.
If you can't locate, go nuclear…
With LastPass access restored, I was able to get my Google password and backup codes. For some reason, my Android phone was pinging home but Google Find My Phone was unable to locate it. At this point, Ben and I decided to erase it. I remotely wiped the device. I was lucky, I had a network connection, and I was also able to look at the requests that had been made on my phone and there was nothing after Uber. (Android has a more robust feature set than iOS in this regard since you can see information about any sessions on your phone along with a timeline.) I probably could have tried harder to find the phone, but in the end, my immediate peace of mind was worth more to me than the phone. My wife had called the Uber driver who said that he didn't find it but he'd had other rides. Uber had a nice interface for reporting lost devices and connecting to your driver, but in this case, it was a dead end.
Get control of your SIM Card
Finally, if you’ve erased your phone, you must deactivate the SIM card with your wireless provider. Remember that many 2FA schemes use SMS messages to send authentication tokens. You definitely don’t want someone to take control of your SIM card. You may be able to do this via your cell service provider's website if you have a laptop but lack a phone, as I did. Have someone send you test text messages and voicemails to verify deactivation.
In Short
In retrospect, while having your 2FA authentication app limited to a single device "limits your attack surface," it also means there's a single point of failure. Authy offers a multi-device "inherited trust" model, allowing you to protect lost devices, limit new accounts being created, but also to have 2FA spread across multiple devices, avoiding the single point of failure problem.
Here’s a quick summary of the steps I covered in my personal odyssey with a lost 2FA device.
- Use Find my Phone if you have access to it on another device.
- If you don't, retrace your steps and try to find it.
- Can't find it? You’ll need access to your email first to successfully turn off 2FA on LastPass. An admin on your Google account can provide a new password and backup tokens if you don’t have them.
- If you use LastPass and have 2FA turned on for the organization, you’ll need to have an account admin turn it off before the email reset will work.
- Once you have LastPass and Email you should be able to access your other accounts. This is also a sobering reality.