ONE thing I could never be accused of is rushing into things. My last blog about two-factor authentication (2FA) was in March. Here we are in July and…I’m no further forward. That’s not because I’ve not done anything, 2FA-wise (although what I have done has been at a snail’s pace – a particularly slow, lazy snail on holiday, that is). It’s because, having installed Authy on my devices, when I finally got round to setting up 2FA on one of my email accounts, I discovered I’d made a schoolboy cyber security error and ended up having to start again.
Let me explain.
With Authy installed on my Android smartphone, an iPad and a PC, I launched into setting up 2FA on a Gmail account, following Google’s instructions in conjunction with Authy’s Gmail 2FA guide. After being temporarily flummoxed by the lack of a text message from Google, it eventually worked and the 2FA token was stored on my phone. After that, Authy on the phone urged me to enable backups (of 2FA tokens to Authy’s servers), which I did. This then synced the newly-protected Gmail account and the backup password to my iPad and then to Authy for PC.
Next, I set the local PINs on the iPad and phone, plus the Master Password on the PC. These control local access to the apps as an extra layer of security.
So finally I had one account protected with 2FA (Gmail) and the apps configured securely (I hoped). I assumed that because I had Authy in three places and the codes are backed up to the cloud, I didn’t need Google’s suggested “alternative second step”, such as downloading printable one-time passcodes.
Finally finally, I had to try it. So I signed out of my Gmail and went to sign back in. This was on my PC, so when prompted I simply went to Authy Desktop, entered the Master Password to enter the app then clicked the relevant Gmail account. Authy gave me the TOTP (Time-Based One-Time Password) which I duly entered and gained access to my Gmail account. Hooray!
Forgetting to remember
So what was the problem? Well, the setup and testing I described above were done in a fairly short space of time, and I’d memorised the local PINs (for the Android and iOS apps), the Master Password (for the desktop app) and the backups password (for, well, backups). Being a (supposedly) smart chap, I knew I had to keep a record of these and that said record had to be secure. Not only that, I happened to be running a proper password manager thingy, so that was clearly the place to store those useful bits of info. Which I did.
Or so I thought.
Because by the time I next needed to 2FA my way into that Gmail account, I’d forgotten the PIN, etc. And it was then that I discovered that, somehow, I’d failed to store the info in my shiny password manager.
Strangely, but to my relief, I found that when I wanted to log into my Gmail account on a new device it gave me the simple option of using an SMS for the second factor. I was a bit surprised because I hadn’t configured this (although Gmail knows my mobile number). What’s more, thinking about it, if it was that easy to bypass the authenticator app method, presumably someone who stole my phone could have just done the same thing!? Unless I missed something, that kind of blows a hole in the TOTP security…No, I’m sure I must be mistaken; I’ll see if the helpful folks at Authy have come across this before.
Anyhoo, I was back in to my Gmail account so now I needed to decide what to do about Authy. The Authy FAQ on PINs, etc. told me that if I lost the app PIN / password I could recover by uninstalling and reinstalling. So I tried that on the iPad, but after reinstalling and re-entering my phone number, Authy told me that because I’d got multi-device turned off I couldn’t add any new devices!! And since my Android and Windows installs of Authy were also inaccessible, I was in a bit of a pickle.
Fortunately, the Notification of Doom told me what I have to do:
Sooooo…I’m off to reset my Authy account and try again.
Watch this space…