Published on July 02, 2013
Two-factor authentication (TFA) found on the web usually requires something you know (your password) and something you have (your phone). Sounds nice; unfortunately, I recently discovered some downsides and aspects that one should look into when enabling TFA.
Very short background information: I recently came to Hawaii for the summer, and I had TFA enabled on my Facebook and Dropbox accounts. For some unknown reason I had disabled it temporarily on my Google account.
When I was waiting for my flight at Schiphol Airport in Amsterdam, I wanted to log into Facebook. After entering my email and password, I was expecting a text message containing the 6-digit security code. Even though I could exchange texts with Estonian numbers, I never received the security code. I didn’t pay much attention at the time and just carried on.
After landing in Hawaii, I tried logging in again. The same thing happened - I never received the code. I went through some password reset pages, and even though I could change my password, I could not log in. I contacted my carrier and asked why I couldn’t get my security codes. After a day or two I got a reply stating that this should be Facebook’s problem. So I sent an email to them as well. I have not heard from them even after two weeks.
Anyway, by now I already had a local number in the U.S., and to my great surprise, I was able to change the phone number of my FB account without having to log in. As a security measure, this was completed 24 hours after my request. So after a week or so of being in Hawaii, I could finally log into my Facebook account. Not that I missed anything important during that time, but still, some useful information was floating around there.
A couple of days ago I got another email from my Estonian carrier saying that it is impossible to receive texts from Facebook while abroad. WTF!? I logged into Dropbox as well and did receive the code with my Estonian number.
I thought that just turning on TFA with one phone number would be enough. Unfortunately, I was wrong. After digging deeper into the settings, I found several useful things.
Add at least two phone numbers - Most sites allow adding secondary phone numbers. So when you can’t access one, you can request the codes to be sent to the other phone(s).
Write down and securely store Dropbox “last resort” codes - When turning on TFA in Dropbox, you get a code which can turn off TFA in case you have no access to your phone. This code should be stored in a safe place. In my case I had it on my secondary computer, which I can access over SSH, though luckily I did not have to use it.
If I had had TFA enabled on my Google account, I would have been in trouble. Well, not quite, since I had an application-specific password for the Gmail app on my Android. But without my smartphone I would have been screwed. So learn from me and add some fallback methods to your online accounts.