Multi-Factor is incomplete without backup codes

[ This article was originally published here ]

This blog was written by an independent guest blogger.

I was logging into one of my favorite online shopping sites the other day, and, as with all my other sites, I was presented with the multi-factor authentication prompt to complete the login process.  Anyone who knows me, knows that I have been a long-time supporter of multi-factor, or 2-step verification of any kind. 

The only problem I had with the login on this occasion, was that my phone was dead.  Like most folks, my phone contains the authenticator applications that allow me to log into most of the sites that do not allow the use of a FIDO hardware token.   This created an unusual conundrum, whereas, not only does my phone contain the authenticator application, but the only backup method the site offers is to send a text message to a registered phone number if the authenticator application is unavailable.   The problem is that the registered phone number is attached to the same dead phone that contains the authenticator application.

Usually, this is not a problem, as most sites that have fully thought through their implementation of multi-factor authentication have also considered the problem of the lost, or otherwise non-functioning phone, and they issue one-time codes when the 2FA process is first enabled.  These codes can be stored in a safe place.

Recently, when Google announced to a select group of GMail users that their mail account will be forced to use multi-factor authentication, many people protested.  While I can understand the shock that many felt at the imposition of an unsolicited change to the login process, I commended the fact that steps were being taken to protect these vulnerable accounts.  Google also did everything right, that is, they gave people multiple options to verify the log in process, including one-time backup codes to be used if the authenticating device is unavailable.

Many people who dislike multi-factor will lament at the thought of also having to store what amounts to other passwords, as one-time codes can arguably be thought of as just another password.  This is where a password manager can serve double-duty to assist the password-weary.

Most password managers offer text fields that often go ignored and unused. However, that big open space can be used to store a ton of useful information.  For example, the one-time codes can be stored there, in addition to the random answers to the common security questions asked by many sites.

MFA backup

None of what I am positing here should be misinterpreted to think that I am against multi-factor authentication in any way.  Until passwordless technology replaces the current methods, I will remain committed to supporting 2FA as the best method we have right now.  In the meantime, the problem that needs to be addressed is how to get more sites to fully realize their multi-factor implementations, and offer one-time codes along with whatever other methods they use for their enhanced security options.  One has to wonder why this was overlooked in the first place?  Until these solutions are established, I suppose I need to be more diligent about keeping my phone charged.  Happy shopping!

Ad