Two-factor authentication (TFA) found on the web usually requires something you know (your password) and something you have (your phone). Sounds nice; unfortunately, I recently discovered some downsides and aspects that one should look into when enabling TFA.

Very short background information: I recently came to Hawaii for the summer and I had TFA enabled on my Facebook and Dropbox accounts. For some unknown reason I had disabled it temporarily on my Google account.

When I was waiting for my flight in Schiphol airport in Amsterdam, I wanted to log into Facebook. After entering my email and password, I was expecting a text message containing the 6-digit security code. Even though I could exchange texts with Estonian numbers, I never received the security code. I didn’t pay much attention at the time and just carried on.

After landing in Hawaii, I tried logging in again. The same thing happened - I never received the code. I went through some password reset pages and even though I could change my password, I could not log in. I contacted my carrier and asked why I couldn’t get my security codes. After a day or two I got a reply stating that this should be Facebook’s problem. So I sent an email to them as well. I have not heard from them even after two weeks.

Anyway, by now I already had a local number in the U.S. and to my great surprise, I was able to change the phone number of my FB account without having to log in. As a security measure, the change was only completed 24 hours after my request. So after a week or so of being in Hawaii, I could finally log into my Facebook account. Not that I missed anything important during that time, but still some useful information was floating around there.

A couple of days ago I got another email from my Estonian carrier saying that it is impossible to receive texts from Facebook while being abroad. WTF!? I logged into Dropbox as well and did receive the code with my Estonian number.

Avoid being locked out

I thought that just turning on TFA with one phone number would be enough. Unfortunately I was wrong. After digging deeper into the settings, I found several useful things.

  • Add at least two phone numbers - Most sites allow adding secondary phone numbers. So when you can’t access one, you can request the codes to be sent to the other phone(s).

  • Write down and store securely Dropbox “last resort” codes - When turning on TFA in Dropbox, you get a code which can turn off TFA in case you have no access to your phone. This code should be stored in a safe place. In my case I had it on my secondary computer, which I could access over SSH, though luckily I did not have to use it.

If I had had TFA enabled on my Google account, I would have been in trouble. Well, not quite, since I had an application-specific password for the Gmail app on my Android. But without my smartphone I would have been screwed. So learn from me and add some fallback methods to your online accounts.

tags: security authentication