Chances are that by now many readers will have moved on to Two-Factor Authentication (2FA) for their most sensitive logins. The industry has been relentless in its support of this feature, sometimes forcing it on you for your own good. But not everything has been a field of daisies. I had a near-miss this very morning, which encouraged me to write this cautionary tale and offer some solutions you may find useful.
This morning’s near-miss was with the Google Authenticator app on my iPhone. I had been using it increasingly as a second factor for Google itself, plus this blog, plus some other highly sensitive logins. I loved the fact that I did not have to wait for a text message that might never come (if you are abroad, for instance), or that is insecure to begin with if you are being targeted (phone data is not encrypted in transit). I also hated the fact that there is no way to correct a particular setup without removing and resetting the 2FA.
But it gets much worse. I had recently upgraded my phone and restored all the apps from the previous one, including Google Authenticator. But this does not copy the accounts set up in the app. When I opened it this morning in order to edit a post on this blog, I found no accounts on it. I was locked out, with no recourse to the system administrator since I’m the top guy. I had been in a similar situation a few months ago (more on this later), so I didn’t break out immediately into a cold sweat. The move to 2FA was fairly recent, and I still remembered where I kept the one-time backup codes for my blog. That got me in without the app, and I didn’t waste any time before turning 2FA off and heaving a sigh of relief. Now I’m able to write about it so others can learn from my mistake.
The mistake consisted of not reading the fine print on Google Authenticator (wherever that is; I had to find out from a third-party blog post) to the effect that entries set up in the app do not get restored along with the app. They need to be moved from one phone to the other using a process within the app, involving a QR code displayed on the original phone and read by the successor. Fortunately, the phone upgrade was very recent and I still had the old phone, with my content on it, because I was holding off on erasing it while the new phone had some problems. I opened the app on the old phone, displayed the QR code, and presto, the new phone got the Google entry copied over. Not so the other entries, which had disappeared mysteriously. This was probably due to having restored a phone backup from a time before those entries were added, due to some problems with the phone. Again, no recourse, but I had backup codes for this blog and the 2FA for Firefox had been moved to the Authy app, which I had been able to re-enable without the old phone.
Losing 2FA for Firefox would have been a more serious nightmare because I am a Firefox developer and they force 2FA on their developers. In fact, it was a nightmare last summer, and this is why I had moved the authentication role to Authy. Take a deep breath before you keep reading.
This is what happened last summer. I had new versions of my Firefox extensions to upload, and suddenly the website stopped accepting any of the 2FA codes Google Authenticator was producing. It did not accept the one-time backup codes, either. I contacted Mozilla, the organization behind Firefox, and it took blood, sweat and tears to get a reply from a human, more than a week later. I got no sympathy even after explaining to this person that it was in Mozilla’s best interest to help me regain access to my account because a lot of users would be depending on the updates. No willingness to escalate to someone who could do something. Essentially, if the 2FA app could not authenticate me, I was supposed to be dealt with as an interloper trying to gain access for who knows what nefarious purpose. This lasted about a month, and then I ran into some backup codes stored on my computer that did work. Now in good digital terms with Mozilla, I tried to disable 2FA, to no avail because it is required for developer accounts and there are no options.
I have not updated my Firefox extensions since, and now that they are updated to Manifest v3 in Chrome (if you are a developer you’ll know what I’m talking about) Mozilla won’t take them because they are not yet prepared for Manifest v3. It’s probably going to be “So long, Firefox.”
Lessons from the foregoing, in case you have not figured them out yet:
- Stay away from Google Authenticator. It has serious flaws that may leave you in a difficult spot when they surface. Support is nonexistent.
- Stay away from Mozilla. I won’t argue about the quality of their products. It’s their processes and design decisions that are rather deeply flawed.
- Stay away from two-factor authentication apps if you can help it.
But, isn’t 2FA supposed to enhance security with a minimum of hassle? Why then is everybody jumping on the 2FA bandwagon? I guess that depends on your definition of “minimum of hassle”. It is indeed quite bearable while things are running smoothly, but my experience has shown that you enter a sea of trouble when anything goes wrong. Those who should be helping you to regain control of your digital assets instead treat you like a criminal, because that’s the protocol, because 2FA cannot possibly fail for the rightful user. I see a huge pushback looming on the horizon as the flaws of 2FA and horror stories like mine become better known. But then, what’s the alternative?
Okay, here are a few:
- 2FA via code sent by SMS or email. The security added by these methods is much weaker than it looks. SMS is not end-to-end encrypted, and a targeted attacker does not even need to tap the line: a SIM swap at your carrier, or access to the SS7 signalling network, reroutes your texts to them. Email is usually encrypted between servers these days, but it sits in plaintext on every server along the way and in your inbox. Anyone who gets the code before you do can impersonate you. Perhaps out of reach for casual hackers who happen to get hold of a list of user IDs and passwords (which should never be stored in plaintext, anyway), but certainly not out of reach for those targeting you.
- Biometric authentication. Most likely done via images of your face, fingerprints, etc. Aside from the fact that biometric methods as sophisticated as Apple’s Face ID (special 3D sensors required) got fooled by a crafted mask within days of Face ID’s release, if your biometric data get compromised you are hosed for life, because you cannot rotate a face or a fingerprint the way you rotate a password. Note also that on phones the biometric usually just unlocks a key stored on the device; it replaces the PIN, not the secret the website checks.
- Answer to secret question. Last year, my bank asked me for the answer to my secret question, but they could not tell me what the question was. Can you imagine yourself squeezing your brain and kicking yourself for not writing secret question and secret answer on a piece of paper? I can now.
- Hardware security key (a USB or NFC token). Probably the most secure of the lot, since the secret never leaves the key and the site gets a signature rather than a code that can be phished, but the website has to support it. Many current phones and tablets will talk to a key over NFC or USB-C, but not all of them and not every app will, so you may be stuck with a special dongle you won’t have on you when the need arises. Easy to lose or forget inside a deep drawer, and then you’re hosed. Someone might steal it without meaning to, along with your credit cards, and then you’re hosed. The standard mitigation is to register two keys on every account and keep the spare somewhere safe, which is one more thing to set up and remember.
- A really good password. The problem is, this is what we are trying to get away from. Really good passwords are really hard to remember, and then you’ll be trusting your digital assets to a piece of paper or a text file.
The last item, the really good password, is where password managers come in. They’ll remember good passwords, which can be different for different websites (highly recommended); they’ll store them securely (or so they say) so you can get them anytime, anywhere. Heck, they’ll even make a really good password for you if you can’t think of one. But there are problems with those, too. Shall we list them?
- Passwords stored “in the cloud” can be hacked. In fact, hackers are not stupid and they go straight to the source. LastPass was breached twice in 2022, and the second time the attackers walked off with copies of customer vaults. Those vaults are encrypted under each user’s master password, so how much damage was done depends on how strong each master password was and how many guesses the attacker is willing to make offline; the full extent is still to be evaluated.
- Password managers tend to be intrusive. They do their job by looking at every page you type into and offering to save the passwords contained in them. What if you don’t want them to know this particular highly sensitive password? Too late.
- It costs them to back up your valuable secret info, and so they want money from you. Quite legitimate, but sometimes they go too far. For instance, a few months ago 1Password v7 (the paid version that was supposed to last indefinitely after you bought it) stopped filling passwords on Chrome. This happened because Google changed a public key that was not updated in the 1Password extension. Coding this would have taken a few minutes, but they wanted to “encourage” all their customers to sign up for their subscription-based app, including those who had already paid for the full product, forever. Hey, what’s wrong with making money?
- They tend to make duplicate entries that persist after a password change, and then you don’t know which one is the good one. Add to this the penchant of banks and suchlike institutions for limiting the number of failed logins before they lock you out, and you’ve got trouble. This is especially bad if they are in a different country and their policy (or their limited setup) prevents them from sending you something as simple as an SMS. It happened to me twice last year.
I used to trust 1Password to remember logins for me, but since they started “encouraging” me to sign up for a subscription I’ve been moving on to a fairly successful combination of the following:
- The browser’s own password manager. It gives me the willies that Google certainly is able to see my passwords stored in Chrome, since they can tell me when any of my passwords has been compromised. To convince yourself, navigate to their password site, and try to see any of your stored passwords. You’ll only need your Chrome login, which they also have, to get the plaintext. I guess I would need to place a similar level of trust on 1Password, LastPass, or any of the others but the browser should be more reliable and doesn’t ask for money. Although Chrome also makes conflicting duplicates from time to time.
- SynthPass, which is the most sophisticated password synthesizer out there. I like it especially because I wrote it, but even so I was not trusting it completely for quite a while. Ever since 1Password disconnected from Chrome I’ve been using it more and more and it has never let me down. It has never asked me to change my master password, and there is no reason why it should do that in the future. I’ve been able to use it on new computers and new phones. I never needed to make an account. I can see the code as it executes. And it has never asked me for a penny.
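For readers who have not met a password synthesizer before, here is the general idea in working form. This is an added example, not SynthPass’s code, and the post does not describe SynthPass’s actual algorithm, so everything below (the scrypt parameters, the alphabet, the salt layout, the `counter` used for rotation, the character-class policy) is my own choice for illustration. The master password and site names in the usage are made up. The point it demonstrates is why such a tool needs no account and no vault: the site password is a pure function of the master password and the site, so any device that can run the function can reproduce it.

```python
import hashlib
import hmac
import itertools
import string
from urllib.parse import urlparse

# Output alphabet; the symbol subset is one most sites accept (an assumption).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def site_key(site):
    """Normalise what the user typed (URL or bare host) to a lower-case host,
    so the same site always derives the same password."""
    if "://" not in site:
        site = "https://" + site
    return (urlparse(site).hostname or site).lower()


def _byte_stream(seed):
    """Deterministic, unbounded byte stream from a seed (HMAC-SHA256 in counter mode)."""
    for i in itertools.count():
        yield from hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest()


def _meets_policy(pw):
    """Illustrative policy: at least one lower-case, upper-case and digit."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def synthesize(master, site, username="", counter=1, length=20):
    """Derive a site password from the master password and the site.
    - scrypt is memory-hard, so a leaked derived password is expensive to
      reverse into the master password by brute force.
    - 'counter' is the only way to rotate one site's password: bump it and
      the output changes; the user has to remember which counter each site
      is on, which is the price of keeping no state.
    - rejection sampling (b < limit) keeps every alphabet character equally
      likely instead of biasing toward the low end of the alphabet."""
    salt = f"{site_key(site)}|{username}|{counter}".encode()
    seed = hashlib.scrypt(master.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    limit = 256 - (256 % len(ALPHABET))
    chars = (ALPHABET[b % len(ALPHABET)] for b in _byte_stream(seed) if b < limit)
    while True:
        # Keep drawing fixed-length windows from the same stream until one
        # satisfies the policy; still deterministic for a given input.
        candidate = "".join(itertools.islice(chars, length))
        if _meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    # Made-up master password and sites, purely to show the inputs.
    master = "correct horse battery staple"
    for site in ("https://login.example.com/account", "bank.example.net"):
        print(site_key(site), synthesize(master, site, username="alice"))
```

The properties the author lists fall straight out of this shape: no account, because there is nothing to sync; works on a new phone, because the function is all there is; never asks you to change the master password, because changing it would silently change every site password at once. The flip side, which a practitioner should weigh, is that a synthesizer cannot hold a password a site imposed on you, and a compromised master password exposes every site with no vault to revoke.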