21 votes

What to do if I've lost my 2FA?

My phone abruptly died, and it turns out I did not back up my 2FA codes. I have 2FA turned on for Tildes, and while I am still logged in, I can't turn off 2FA without 2FA, so if I ever have to log in again I'm screwed. I didn't save backup codes, of course, because I'm a fool (and I never figured out a good/safe way to store backup codes somewhere different than my password manager). What should I do?

I went into "Set up account recovery" in my personal settings, and I entered in my email address there. It says that if I can send and receive email from that address, I will be able to reset my password. But I already have a working password, what I don't have is working 2FA. Would a password reset do anything useful in my situation?

If there is nothing anyone can do at this point, how should I use my remaining time on this doomed Tildes account?

UPDATE: Admin turned off 2FA for me, so this account is no longer doomed. Thank you!

7 comments

  1.
    Steinawitz

    The contact link at the bottom of the page has some helpful resources. I would email password@tildes.net and explain your issue. They can hopefully disable your MFA on your account so you can re-enable it with a new authenticator.

    Make sure your new authenticator is being backed up somewhere. I have iOS and personally use SAAS Pass and one of the reasons I like it is that it backs up to iCloud.

    For your backup codes going forward, you can now see how important those can be. I save my codes to a Dropbox folder where they stay until needed. If you don't want to manage the codes through a file system, an easy way to capture them quickly is to take a screenshot and either save the screenshot to a picture folder on your phone (as long as your photos are backed up automatically) or email the screenshot to yourself and then store them in an email folder.

    There is a risk, if you email them to yourself, that someone who gains access to your email will then be able to access more of your accounts, so if you do email codes to yourself, make sure that your email is fully locked down with MFA. I would also store your email backup codes somewhere else so that in the event you lose an authenticator again, you can still regain access to your email.

    Hope you get it worked out!

    12 votes
    1.
      skyfaller

      Thank you for the suggestion, I emailed password@tildes.net.

      I think in the future I will put backup codes in a safe or something, but I'm reminded of the discussion at https://tildes.net/~tech/11s8/ive_locked_myself_out_of_my_digital_life ... anything secure risks locking you out of your life, and what's the point of security measures that aren't secure?

      7 votes
      1. em-dash

        what's the point of security measures that aren't secure?

        There is no line labeled "everything better than this is secure, everything worse is insecure". Everything is insecure if you try hard enough to break it. Security is about making that threshold really high, and that has to be balanced with convenience.

        The least secure thing possible is that you get a nice convenient dropdown with all the registered usernames. When you select one, it just believes you with no proof needed. This is abusable in obvious ways, and if you manage to forget your username, you're still locked out.

        The most secure thing possible is that Tildes just doesn't allow anyone to log in anymore. You can make a new post by showing up at Deimos's home with 8 forms of government-issued ID and dictating the text to him as he types it into a console. You can still break this with sufficiently advanced forgery, or by breaking into the server itself.

        Passwords and 2FA are points on that spectrum, and for a lot of things, passwords (with the usual "don't do dumb things with your passwords" guidelines) are good enough that the account never gets broken into in practice. There's still a risk of getting locked out, if you lose both your password and whatever you need to reset it. 2FA is a step further, but it's not perfectly secure either. It's just Secure Enough in more cases than passwords are.

        15 votes
      2.
        Mnmalst

        I suggest https://getaegis.app/ for the future. 2FA app that allows you to backup/export accounts, so you can easily import them on another phone.

        5 votes
        1.
          skyfaller

          I actually was using Aegis Authenticator, and I would have sworn I had backed up my accounts. I think what must have happened was I backed up my accounts to my laptop, because I remember doing that, and then for some reason I decided this was not sufficiently secure, and deleted the backup.

          1 vote
          1. Mnmalst

            That's unfortunate. :( At least now you know how to do it better in the future. A backup is only valid if the restore process is also tested and verified, not just making the backup itself.

            Personally I use syncthing to mirror my auto generated backups to my PC so they don't get lost.

            1 vote
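The "test the restore" advice above is easy to act on, because a TOTP authenticator entry is nothing more than a shared secret plus a few parameters: if the exported secret regenerates the same codes as the phone, the backup is good. The following is an added example, not code from the thread, from Aegis or from Tildes. It implements RFC 6238 TOTP over HMAC-SHA1 and a small check that compares codes derived from a backed-up secret against a code read off the live device. The sample entry is a constructed otpauth:// URI using the RFC 6238 test key, not a real account; the function names are this example's own.

```python
"""Added example: regenerate TOTP codes from a backed-up secret and verify the
backup against the live authenticator. Test values come from RFC 4226/6238."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample backup entry in the common otpauth:// Key URI form that most
# authenticator apps can export/import. The secret is the RFC 6238 SHA-1 test key
# ("12345678901234567890" in base32); it is NOT a real Tildes account.
SAMPLE_BACKUP_URI = (
    "otpauth://totp/Tildes:skyfaller?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    "&issuer=Tildes&digits=6&period=30"
)


def secret_from_otpauth(uri: str) -> tuple:
    """Return (base32 secret, digits, period) from an otpauth://totp/... URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(parsed.query)
    secret = q["secret"][0]
    digits = int(q.get("digits", ["6"])[0])
    period = int(q.get("period", ["30"])[0])
    return secret, digits, period


def decode_b32(secret_b32: str) -> bytes:
    """Decode a base32 secret as typed/exported (spaces, lowercase, no padding)."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / period)."""
    return hotp(decode_b32(secret_b32), at // period, digits)


def backup_restores_ok(secret_b32: str, code_from_device: str, at: int,
                       digits: int = 6, period: int = 30, window: int = 1) -> bool:
    """The restore test: does the backed-up secret reproduce the code the phone
    shows right now? A +/- one-step window tolerates clock drift between the
    two devices, the same tolerance most servers apply."""
    for k in range(-window, window + 1):
        expected = totp(secret_b32, at + k * period, digits, period)
        if hmac.compare_digest(expected, code_from_device):
            return True
    return False


if __name__ == "__main__":
    secret, digits, period = secret_from_otpauth(SAMPLE_BACKUP_URI)
    now = int(time.time())
    print("code from backup right now:", totp(secret, now, digits, period))
    # Type the code your phone shows into backup_restores_ok(secret, code, now)
    # to confirm the export really restores that account.
```

Run it on a freshly exported entry before deleting the old phone's data; if the printed code matches the phone, the backup is complete for that account. Note what this also demonstrates: the exported secret is the whole credential, so the file deserves the same protection as the password vault, which is the trade-off goose discusses below.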
  2. goose

    Speaking entirely unofficially, as I am not Tildes staff/moderator/etc. The way MFA is typically set up, it will generally be impossible to authenticate to a new session without it. That said, if you are already authenticated elsewhere, you may be able to get into your account settings and disable MFA/re-enable MFA there. I'm not sure if it will ask for your MFA code to disable MFA.

    For what it's worth, there's a fair number of "global"/"cloud" MFA applications that may help you avoid this in the future. I run all my MFA through my self-hosted VaultWarden. On the one hand, that means my MFA codes are in the same place my passwords are, so if my password vault is exploited/opened, someone has access to both my passwords and my MFA codes. On the other hand, I see my personal risk for that situation as being very low, and it's very convenient to have my MFA available on all my devices. Just food for thought!

    // Edit: MFA is required to disable MFA, and/or to reset backup codes, so that's out. Perhaps someone from Tildes staff can come along and verify you another way. Best of luck!

    7 votes