Two-factor auth’s Achilles heel: switching smartphones

May 16, 2017

Two-factor authentication (2fa) is absolutely a good idea.

Furthermore, 2fa using an authenticator app such as Google Authenticator [Android][iTunes] or LastPass Authenticator is a much better idea than SMS. If a hacker really wants to break into one of your accounts, and you use SMS 2fa, the hacker can intercept the text message with your 2fa code in it.

But there’s a problem: if you use a 2fa app, then migrating to a new smartphone is time-consuming and painful. You need to visit all of the sites for which you use 2fa and reconfigure them all, one by one, to use the 2fa app on your new phone rather than your old one.

And that’s not even the worst of it. If you lose your smartphone or it breaks and your 2fa app is suddenly no longer usable, reconfiguring 2fa for all of your sites is even harder, since many sites will make you jump through extra hoops to prove who you are before they will let you disable or reconfigure 2fa.

If your smartphone is rooted, then you may be able to back up your 2fa app’s data and copy it over to a new phone, but this is hardly an ideal solution.

I have 32 separate accounts configured in the 2fa app on my phone. The last time I had to migrate to a new phone, it took me literally hours to get everything moved over. Then it turned out that the new phone was defective and had to be replaced a second time, and I had to do it all over again. At that point I decided enough was enough. Here’s what I did to ensure that the next time I have to migrate my 2fa app to a new phone, it’ll be much less painful.

Adding a site to a 2fa app involves the following basic workflow:

  1. The site displays a QR code.
  2. You scan the QR code into the 2fa app with your camera.
  3. You enter a 2fa code generated by the app into the site to confirm that you’ve successfully scanned the QR code.

As I was migrating all of my 2fa accounts for the second time, I modified this workflow as follows:

  1. The site displays a QR code.
  2. You take a screenshot of the window displaying the QR code and save it into a directory that is on your local hard disk.
  3. You scan the QR code into the 2fa app with your camera.
  4. You enter a 2fa code generated by the app into the site to confirm that you’ve successfully scanned the QR code.

Then, after I was done migrating all of the 2fa accounts, I did the following:

  1. I encrypted all of the saved screenshots using my GPG public key, so that they can only be decrypted with my GPG private key, which has a long, secure passphrase.
  2. I moved all of the encrypted screenshots to a thumb drive.
  3. I used a secure delete utility to securely wipe all of the original, unencrypted screenshots.
  4. I put the thumb drive on my keychain which I now carry around with me.
  5. At home, I copied all of the encrypted screenshots to an SD card and stuck it in a drawer for safekeeping, so I have a backup if I lose the thumb drive.

Now, when I need to migrate my 2fa app to a new smartphone, I’ll do the following:

  1. Copy the encrypted screenshots from the thumb drive to a local directory (one command).
  2. Decrypt all the screenshots (one shell loop, followed by typing my GPG passphrase once, since my GPG agent will remember it the first time I type it).
  3. Pop up an image viewer that pages through the unencrypted screenshots one at a time, and add them all to my 2fa app in quick succession.
  4. Secure delete the unencrypted screenshots.

This works because the QR code is not time-bound: it encodes the account’s 2fa seed, not a short-lived token. You can add the QR code generated by a site to your 2fa app a day, a week, a month, or a year after it was first generated, and it’ll work just fine, as long as you haven’t reinitialized 2fa on the site.

This will be a heck of a lot faster than having to visit, log into, and reconfigure 32 sites one at a time!

Moving forward, if/when I add a new account to my 2fa app or I need to reinitialize 2fa for a site, I just need to remember to capture a screenshot of the QR code and add it to the thumb drive and eventually the SD card as well. Even if I don’t remember that every time, having most of my 2fa QR codes backed up like this is a heck of a lot better than not having any of them.

I’m not terribly worried about someone stealing my thumb drive or my SD card backup of it, because they would need to either also steal my GPG passphrase or brute-force my GPG key for the stolen data to be useful, and accomplishing either of those is rather difficult. Also, I of course use long, strong passwords on all of my important sites, so even if they somehow got access to my 2fa codes, they still wouldn’t be able to log in as me without also stealing or brute-forcing one of my passwords. Having said that, if one of them were stolen, then out of an abundance of caution I would reconfigure 2fa on all of my accounts to invalidate the stolen QR codes. That would be a hassle, but it’s a much lower-probability event than having to migrate to a new smartphone, which I know I’ll have to do periodically, so I’m optimizing my workflow to make the latter easier rather than to avoid the former.

There are other solutions to this problem.

A modified version of the solution described above is to securely store the string of characters which represents the 2fa seed, i.e., the same secret that is embedded in the QR code. I don’t like this solution for several reasons:

  • It’s a heck of a lot slower to have to type a long, random 2fa seed into your 2fa app than to scan a QR code with your camera.
  • Not all sites that support 2fa show you the 2fa seed.
  • The data in QR codes usually includes the site names and usernames, which are then visible in the 2fa app, but raw 2fa seeds don’t have that information embedded in them, so you have to type it by hand into each account in the 2fa app after entering its seed.
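To make concrete both why the screenshots keep working indefinitely and what a QR code carries that a raw seed does not, here is an added example (not code from the original post) that parses the otpauth:// URI a site's QR code encodes and derives RFC 6238 TOTP codes from the static seed inside it. The sample URI is constructed; its seed is the RFC 6238 reference seed, so the codes it produces can be checked against the RFC's published test vectors. Note that this also shows a screenshot of the QR code is exactly as sensitive as the seed itself, which is why the post encrypts them.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a site's 2FA QR code actually encodes: an otpauth URI.
# The secret is the RFC 6238 reference seed "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Pull issuer, account name and the raw seed out of an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(u.path.lstrip("/"))            # e.g. "Example:alice@example.com"
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    issuer, _, account = label.rpartition(":")     # issuer is "" if the label has no colon
    issuer = q.get("issuer", issuer)               # the issuer= parameter wins when present
    secret = q["secret"].upper()
    secret += "=" * (-len(secret) % 8)             # sites often omit base32 padding; restore it
    return {
        "issuer": issuer,
        "account": account,
        "seed": base64.b32decode(secret),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(seed, at_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time; only the seed is long-lived."""
    counter = struct.pack(">Q", int(at_time) // period)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(seed, code, at_time, digits=6, period=30, window=1):
    """Server-side check: accept the current step or +/- `window` steps, compared in constant time."""
    return any(hmac.compare_digest(totp(seed, at_time + k * period, digits, period), code)
               for k in range(-window, window + 1))
```

Because the seed parsed from the URI never changes, `totp(seed, now)` yields a valid code whether the QR code was scanned the day it was issued or a year later; a raw seed, by contrast, gives you only the `seed` field and none of the issuer or account metadata.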

Another option is to use a physical 2fa device such as a YubiKey, rather than a 2fa app. YubiKeys let you back up the data stored on them and restore it later onto a different YubiKey. You would presumably store the backup in a safe, encrypted, air-gapped location, like I’ve stored my encrypted QR code screenshots. I prefer not to use this approach because I don’t want to have to deal with having to carry a second device everywhere, in addition to my smartphone, to be able to log into everything.
