Solving Problems with Multi-Factor Authentication

In our last post we looked at several problems you might encounter using two-factor or multi-factor authentication.  If you have two-factor authentication, or are thinking about using it, there are some additional steps you should take in case you lose your second factor and have to re-establish access.

  • How do I recover my account? – Learn this in advance of actual need.  Dig into your account profile and find the instructions for recovering your account.  You might even want to give it a dry run to see what obstacles you might face.
  • Backup email address – Just have the one email address?  You need a second email address as a backup.  Often, it is the email address associated with your Android or iPhone account.  Or create one on Yahoo, Gmail, or
  • Answers to knowledge-based questions – These are the familiar “grandpa’s middle name” or “name of my elementary school” questions.  Set up the answers and write them down in your password manager.
  • A list of printable backup codes – Google Authenticator provides this option, as do other 2FA systems.  These can also be helpful if your phone’s battery dies.
  • Create a trusted computer – This is really a “trusted location” that includes information not only about your computer but also the public IP address of your Internet router.  Logging in from a trusted computer does not usually require the second factor, and that can give you the access you need to re-establish your account.
  • Create a trusted third party – Some two-factor services allow you to get help from a person you nominate in case of emergency.
  • Back up the Master Secret – This is the QR code or 16 digit alphanumeric security key that you use to set up your account in the first place.  Take a picture of the QR code or a copy of the security key and save it in your password manager.
  • Recovery codes – These are shorter one-time passwords you can use to recover an account.  Again, saving them in your password manager keeps them secure.
  • Add an additional second factor – This may seem crazy – crazy like a fox.  Many sites allow you to register more than one second factor.  Lose your phone?  If you have also enrolled a USB security key, you can switch to that while your phone is being replaced.
  • Limit your use – Not every account needs two-factor authentication.  You should definitely protect your email account, web hosting account, social network accounts, financial accounts, and shopping accounts where you have a credit card on file.  Basically, anything having to do with your money or your identity.  Do you need 2FA on a news, sports, or general interest account?  Probably not.  Just use 2FA where it makes sense.

I understand, perhaps better than many, that cybersecurity is basically a PITA – a pain in the backside.  Nonetheless, in the world we live in, it has become an indispensable part of everyday life.  Hopefully we have not scared you off from using multi-factor authentication.  But with a little planning, you can make the experience easier for yourself if things go wrong.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.