[flagged] Never enable 2FA for accounts that you actually care about (2023) (benwilber.github.io)
10 points by benwilber0 on Aug 22, 2024 | 58 comments


I went through a similar problem about 10 years ago. In my case, the phone (iPhone 4S) wasn't lost, but its clock was perpetually off. The WiFi radio had failed and the Stratum 1 time server on my mobile network seemed to be sending it the wrong time. This resulted in all of the MFA TOTPs getting rejected and me not being able to access Gmail for a year. Despite the clock issue, many things still worked, presumably because this was still back when much of the internet used either weak or zero TLS/SSL.


There is no such problem as you describe, because you were never limited to a single device like that. You just didn't know it because both the totp app and the site that used it conspire to not tell you something very simple.

Which is that all you need is the seed value from the original qr code or url, or sometimes it's even just displayed in plain text on screen. But it's perfectly readable from the url or qr code too. That value is all you need to generate valid current totp codes on a new device, or on 30 different devices and platforms all at the same time.

It's no more difficult or risky than any other password. It's just a short random string you have to store any way you want anywhere you want any number of copies and forms you want, and can use on any new device you want at any time.

You can have as many working totp generators as you want, all at the same time. You can spin up a brand new device from scratch any time you want.

But the apps and sites don't tell you about that, and instead give you the one-time-use emergency codes, and only display those one time, and if it's 10 years ago and the whole process is a mystery, you can easily blow through that screen without realizing it was actually important to capture those and then not lose them. (And with the seed value, the emergency codes are no longer important.)

In the case of your defective phone, had you known to save the original seed value, you just grab any other new phone, or your laptop, or anything, install whatever totp app you like on that, fetch your password db however you like (that doesn't itself require totp), and add the saved seed values in the new totp app, and it starts generating current valid totp codes.

keepass actually does both in the same app. It can not only store the seed value just like a password, it will also display/clipboard the current totp code the same as any other totp app directly itself.


That's assuming the seed value is given to you at all, and not hidden inside a custom app.


Yes! That is exactly what I did in the aftermath of that iPhone 4S fiasco. I went through some iterations of Android phones and made sure I got the TOTP seed in the MFA app on both devices. Eventually I moved onto TOTP apps that can sync these and stopped worrying about it.


Uber effectively doesn't have customer service--or at least it hasn't for the past few years. You can no longer simply "call" and the out-of-app email is a chatbot ouroboros straight out of dystopian fiction. Think Gilliam's Brazil, but worse.

After a few failed Uber pick-ups and one instance of a mysterious 27% post-ride "corridor fee", my policy moving forward was to simply no longer do business as a paying customer with any business that doesn't have actual customer support.

This meant, among other things, migrating off of Google, a few brokerage accounts, and one national bank.

Doing a "support test" is also now one of the very first things I do as a new customer of any company.

So far, I have zero regrets. In a perverse way, I give Uber credit for providing the impetus for those decisions.


> email is a chatbot ouroboros straight out of dystopian fiction

Hold on there. The chatbot may be dystopian, but an ouroboros is never dystopian. An ouroboros represents cyclicality, unity, or the eternal return, but not in a dystopian context of meaninglessness. An ouroboros is meant to grant a grand perspective, not to be a well of misery.


From a historic mythical standpoint, you're absolutely correct.

I was using it as a topological (I guess technically graph-theoretic) metaphor for the self-consuming looping that was/is Uber's email support system.

Over the course of 36+ hours, multiple "support agents" kept re-quoting either my responses or their own responses as "the newest escalation". It was hilarious and also sad. I just ended up doing a charge-back on the card.


> didn’t have backup codes

ok. check. So.. the advice is maybe.. "always have your backup codes"


No, just save the seed value. The one-time-use emergency codes are pointless.

You can have 40 different devices all generating valid current totp codes at the same time, and you can spin up a new one at any time if you just have any way to access your passwords.

I.e., if you have any form of copy of say a keepass db anywhere, it can contain the seed values for each site right along with the passwords, and you can buy a brand new phone or laptop, of any platform or os, and install any keepass compatible app, and load that db file. You will need to know the password for that db file itself out of your head, and then keepass itself can display the totp codes or you can read the seed values and enter them into some other totp app to generate the totp codes.

Always have accessible copies of your password manager db that's all. The seed values are just more stuff you keep in the db just like the passwords.

The problem is just that no one tells you that the number in the original qr code is savable and reusable. They show you the qr code or a url and don't tell you that it's the keys to your own kingdom. They let you just throw it away without ever telling you what it actually was.

If you have a working totp for some site right now, go and use it one last time to disable 2fa on that site, and then re-enable it, and this time keep the seed value. Put it right into a keepass db and sync that to at least one other place. Safe for life after that.

The one-time-use emergency codes you can ignore. Fine keep them, but they don't give you anything you don't already have with the seed value. Maybe they could be used to give to like family members or employees or something for weird never-actually-use-this scenarios, the one-time-use nature might be useful, and the ability to revoke it by just using it yourself to burn it.


I've screenshots of every QR initialisation I've ever used saved to a specific folder and backed up on a usb stick. I also copied a giant QR which is the "copy your auth app" sequence for all of them. I printed that one out.


oh shit I lost my backup codes. So now I'm just never allowed to use Uber again?


You could have more than one backup. You could split them with shamir secret sharing, if you want to get fancy. You could take an old iPhone, or reflash an old retired Android with LineageOS or GrapheneOS, and keep it in a safe but accessible place as a fallback TOTP device.


How many backups of my Uber codes should I have had? If I have 0, does that mean that I can never get a car to take me to the airport again?


Have as few or as many as you want. If you want to keep 0 copies and then lose access to the one working device, that's on you. It's no different from any other password.

The one-time-use emergency codes are stupid. The seed value is all you need, and it's just another secret like the password. You can copy it in any form you want, and use it on a new device or on 13 different current devices, whatever.

The danger from losing the seed value is no different from the danger from losing your password. The difficulty of keeping and re-using the seed value is also no more than for any other secret or password.

The totp apps and sites that use them create a problem where there isn't any by simply not telling you to save the seed value. It's perverse, because they do give you the seed value. They have to. They show it directly to you because it has to go through you to get from a web site into a totp app.

That might be automated by a qr code, but they had to display the qr code to you, and you can just as easily copy and read that qr code as the totp app can. It's effortless to save it along the way. But they just don't tell you what it is and don't tell you to keep it.

THAT is the only reason you end up screwed later. You were essentially not told what you were holding briefly, and told to discard it, but it's actually the keys to your kingdom and you can just, not throw it away.

Or do throw it away and then try to make silly arguments about how you're locked out.


As long as you don't lose your backup codes and your MFA device at the same time, you're safe.


Well, hopefully you never lose your original birth certificate and your social security card! You won't be a citizen anymore!


But unlike your original birth certificate and your social security card, you can keep an arbitrary number of copies of your backup codes in an arbitrary number of safe caches.


But what if I didn't do any of those things? What if I made a mistake and didn't save my backup codes on 3 different types of storage medium (at least one of them offsite)?

Or at all?


Certainly, if you construct enough postulates, you can wind up in some funny places. If you forget your cash, is a shop obligated to give you the goods for free? What if you fail to read the sign in the car saying "NO LOBSTERS" and you have your crustacean for a walk?

What if you made a new Uber account with another email address? Would you be committing a venal sin?

Your actual sin, non-venal, was not naming the thread either "I love reductive argument ad absurdum" or "Uber needs a real human on the helpdesk, this is why".


> What if you made a new Uber account with another email address? Would you be committing a venal sin?

Uber accounts are tied to phone numbers. Should I get a new phone number just because Uber's support bot is incapable of helping me recover my account?


> Uber accounts are tied to phone numbers

This itself is an actual problem.


So you're hitting upon an actual problem that we encounter often in the tech age. It turns out there's a whole category of users who have this problem: users who have no secure place to store secondary data. In other words: the homeless.

They have access to the Internet at libraries and as more and more of the world goes on line, that access becomes more and more necessary. But they don't necessarily have a wallet (let alone a safe) to store passwords and 2FA tokens, and when they lose them it's a major issue.

This is a known problem but (as with so many issues in marginalized communities), the challenge to solving it is that it will make the system worse for everyone (including them) if we relax 2FA requirements; hackers can crack passwords on, and impersonate, the homeless just as easily as everyone else.

(The best idea I've actually heard in this space is for librarians to be willing to serve as data repositories for their local unhoused patrons. They are onsite enough and have enough face-to-face interaction to be able to spot-auth someone because they know them by name. But there's a massive liability concern about the library becoming a target for identity theft that keeps most places from considering it).


You can always just fix it now as long as you have anything that works now.

You don't need the annoying one-time-use backup codes either, you can save and copy and reuse the original seed value just like any other secret. Or generate a new one now and save that, if your current single copy is not in software that provides a means of export.

The seed value is just another password. You can have any number of copies of it in any number of forms from a text file to printed in a safe deposit box. You can have any number of working copies of it on any number of different devices, all at the same time.

If you are in another country with nothing but your head, you can buy a new device, use it to access a copy of your secrets by any means you want, install software fresh, load your seed values, and regain all your totp.

You will need a way to access your secrets without totp. This can be anything, a paper copy, a sd card, an online service that you can access with only a password or that can be recovered, a phone call to a family member who you can tell how to access something and read it to you, whatever, it's just some text you have to stick somewhere and get back to later.

And if you don't have either the one time codes or the original seed value (from the original qr code or url) but you have an app that works right now, you can go redo it and this time save the seed value.

There is really no danger from totp EXCEPT the fact that most common apps and web sites obfuscate what's actually going on, and don't tell you to save the seed value, and instead give you these one time use codes. That creates a danger where there wasn't any.

Ideally, for proper security one should not do the convenient thing and store both the normal login and the totp seed value in the same place, but for instance keepass can store everything and not only store the seed value but also display the current totp code to use for logging in.

All your 12 different copies of your keepass db file are all fully functional totp generators, and all you have to do is just load that db on any new device.


I mean, we just read about it, right? (:

Harsh but let this be a lesson to set up a more resilient structure for yourself moving forward. Anyone can make mistakes. You can set up failsafes for your own ones pre-emptively.

"2FA is garbage" is not the right lesson to learn here...


> let this be a lesson

I forgot my backup code, so now I can just never use Uber again.

Lesson learned!

(you see how ridiculous this is, right?)


Was thinking more of any other accounts you may be sure to keep access to in the future... How's your e-mail doing?


It is ridiculous that you think this problem exists.


There is no such problem. It's not even the emergency codes. Those are just a silly misdirection all sites engage in.

When you set up 2fa, you just save the seed value exactly the same way you save any other good random password you rely on a password manager to keep for you.

It is exactly as difficult and exactly as easy and exactly as portable as the regular password.

They just don't tell you that the number in the qr code is something you can keep and re-use exactly like the password.

They lead you to throw that away and give you the stupid emergency codes instead. But just, don't throw it away that's all.

It's the keys to your own kingdom. If you throw it away, yes, you can lock yourself out. One way you could solve that is by not having any keys, or another way is by just not throwing away your keys.

You were never limited to any single magic device that better never break or get lost. You can have N different devices all generating the same valid current totp codes at the same time. You can set up a brand new device any time you want, if you just have any form of access to any copy of your password db.

Flagging this was correct.

What is wrong with 2fa is the way all the apps and sites don't tell users what the seed value is and don't tell them to keep it and thereby put the users into a risky position they never had to be in. It's criminal if you ask me, like a doctor or lawyer giving bad advice.


Why do you care about an Uber account? Can't you just create a new account and start over? The accounts I care about are the ones where I've got important files or data stored in them.


In USA, Uber accounts are locked to phone numbers. You can't just create a new account. OP is fucked.


Ah - interesting. I just created a new Uber account here in NZ and during the sign-up process I get this: "Enter your mobile number (Optional)". No need to enter a mobile number.


Must you have a singular phone number in USA? I don't see the problem.


> Never enable 2FA for accounts that you actually care about

This is an extremely bad take for two reasons:

1. The author failed to store the 2FA Secret Key. This is exposed by any good 2FA app, but not by bad 2FA apps. The Secret Key must be backed up. A good 2FA app will backup everything easily with an encrypted password.

2. The author doesn't store or use backup codes for the app or site.

In short, the author is completely irresponsible, and then has the audacity to give bad advice.


Author here. Explain to me why I should be permanently banned from Uber because I accidentally forgot the secret key to log in to my account.


> Explain to me why I should be permanently banned from Uber

You shouldn't, but your headline doesn't attack Uber, does it? Perhaps it should.


Do you think that you could get Google, or Github, to turn off your 2FA login requirement if you really needed it? Like if you lost your codes? Or never saved them in the first place?


Well, GitHub, Google, and many others, allow you to bypass 2FA by using an alternate method. For example, GitHub will send a prompt to their app on your phone, if you’re trying to log in to the website. I believe Google can send a similar prompt to YT or GMail apps, although I don’t use Google anymore.

I understand you’re frustrated, and clearly, Uber not allowing you to create another account is the crux of the issue here. That and the fact you didn’t save your backup codes.

For what it’s worth, I use 2 yubikeys that are either used for webauthn or TOTP. In addition, I write down every single backup code (yes, manually) in a notebook. This is in addition to my passwords being in a password manager.

If I lose my primary yubikey, I still have a backup one. I just need to go recover it (which, granted, requires me to go back to $HOME_COUNTRY first). If I lose both yubikeys, I can still recover accounts with the backup codes. If I lose all three, then yes, I am fully aware I won’t recover the accounts. That’s exactly as I designed it.

The correct advice to retain from this event is: test your backups. Your backups are worthless if you never check their contents. You are absolutely right: if you lose the backup codes and then lose the 2FA access, you’re screwed. The only way around this is to verify whether you have the backup codes on a regular basis.


> GitHub will send a prompt to their app on your phone

I lost my phone, though. There's no prompt they could send me.

> I believe Google can send a similar prompt to YT or GMail apps

There was no phone, anymore. No way to prompt.


In general, if an account is associated with a phone number, then I expect to be able to use the phone number to restore access to the account. Uber looks to have failed you here.

As for my Google and GitHub accounts, if they're not associated with a phone number or recovery email address, I fully expect to lose access permanently if I were to lose the codes. In such a case, I take responsibility for it.


> to use the phone number to restore access to the account.

No. A phone number is not associated to a person for a lifetime. It can be "rented out" to someone else if it stops being used. However, an "account" is (as are credit cards and such). So a phone number cannot identify an account solely, without anything else in addition.


Yes, and I don't just think that's the case. I know it's the case, because I have had my phone get stolen, and been able to recover access to all accounts without using backup codes or having had multiple copies of the TOTP secrets.


Why don't you just make a new Uber account?


"Blaming" 2FA for your own mistakes just sends a bad message. How do people who are capable of setting up 2FA (therefore not tech-illiterate) still not use a password manager? Imagine storing either the 2FA secret or the backup code in it.


2FA apps are a fundamentally broken auth mechanism. We just saw Microsoft's authenticator app inexplicably delete people's codes and lock them out of their accounts. And this is another example of how stupid the whole thing is.

It's all for theater.


You're speaking nonsense. If you use a bad app, that's on you. There are plenty of 2FA apps that work just fine.


> There are plenty of 2FA apps that work just fine.

Is one of them Microsoft Authenticator?


> Is one of them Microsoft Authenticator?

Hell no.


TOTP on the other hand is completely fine. Encrypt your TOTP secret file just to keep it around, and enter the secret into your Firefox Browser (TOTP browser extension), and the android app "Secur". No third parties involved. Nothing to worry about if you lose your phone.


I ran into this issue when I accidentally cooked my phone while on a trip out of town. Google wouldn't reauthorize me to log in because the phone that got cooked was my second device.

... So I fixed the problem when I got home. I don't put myself in a situation where losing one device completely ruins my ability to move around the country. That's just unsafe.

It was, admittedly, inconvenient to not have easy access to everything my Google account locks against... But it's also convenient to not have to worry too much about hackers compromising my account if they manage to guess my password. I appreciate this level of security on something that I've routed way too many authentication keys through.


What would be the point of 2FA if a scammer can just email Uber to turn it off?


This is also why stuff like blockchain-based currency will never be realistic or accepted in the "real world". We need the ability to fix things out-of-band. Like you said, people make mistakes. Imagine that your bank or credit card just says Tough Luck!

Nah. Of course not.

edit: Fuck Uber anyway


> We need the ability to fix things out-of-band.

Out-of-band fixes require trusting banks, but how trustable are banks really? Often the banks do say "tough luck". This is why you should never leave much balance in an active bank account in the US. Credit card issues are more fixable, but only in the US.

Regarding blockchain, it grants freedom in that you have the choice of trusting a third-party custodian, or doing self-custody. Having choices is good.


So you've never had a credit card. Or any bank card at all where fraudulent usage is the liability of the bank, not you. How do you think that works?


> So you've never had a credit card. Or any bank card at all where fraudulent usage is the liability of the bank, not you.

That's some inapplicable and incorrect nonsense you invented right there. If you need help with logical reasoning to go correctly from A to B, then GPT can guide you.


How do you think that credit cards work? I assume you have one. Or bank cards.

I steal your credit card and spend $80 to fill up my gas tank and then go buy a pair of sneakers, who do you think pays for that? It's not you. It's the credit card or bank company. And then they call and ask if it was fraud and you say "yeah, it was fraud. I was nowhere near a Foot Locker in Gary, Indiana."

So they "reverse" it and they absorb the loss. It's how the entire credit financial system works. I'll send you some books you should read.


But I never asserted otherwise. It works like this in the US anyway, not necessarily elsewhere.

Bank accounts don't work like credit cards though. If money is gone, there is no assurance of getting anything back.


And yet in the UK banks are now on the hook when a customer is the victim of fraud.

https://www.reuters.com/business/finance/uk-banks-face-step-...


> I didn’t have backup codes for some of them

uh oh...



