Two Factor Authentication (2FA) – gone wild


(Last Updated On: December 16, 2015)

I use two factor authentication on virtually anything that allows me to.  There is a good reason to do this – security.  You don’t want any personal information to be too easy to get to.  But this can also be a problem.  I don’t mean this in the way most people do, in that it can be an inconvenience.  Rather I have a very different problem.  It can be summed up in 2 sentences.  I had to get a new phone (new provider).  I did not have backup codes for all the 2FA sites.  There, I confessed.

Normally I’m pretty good about this, but for some reason this time around, I blundered.  So I had to go to the various sites and ask them to remove the two factor authentication in order to re-enable it on my new device.  This went smoothly for my banking institution, which was even more complicated than the rest of my accounts, my Google accounts, Dropbox, TeamViewer, my password manager, Amazon, and more.  Recently I was attempting to help someone on Experts Exchange and needed to log into one of my older accounts.  The stuff on this account, If This Then That (IFTTT), was hardly worth protecting, but I had put 2FA on it anyway.  When I didn’t even remember the password – I clicked the forgot password link and it sent me an email to change my password – great!  But when I had done that, it then asked for my 6-digit 2 factor authentication code or one of my backup codes, and I didn’t have that.  I contacted the company and asked if they could turn off two factor authentication in order for me to re-enable it on my new device.  Their response was this:

“For account security reasons, we cannot reset or release Two Factor backup codes. As an alternative solution, we can release the username and email address associated with your IFTTT account. Note that this will delete all current Recipes and Channel connections. This action cannot be reversed.”

So, yes, they will help me, but it will delete everything in my account.  That kind of help I don’t need.  I can just as easily start a new account with a different email address.  I have to ask myself (and them), why is their security policy so strict when even my bank was able to help me out?  IFTTT is a great little Android and iOS app, but unless you use the same password for your IFTTT login as for something important, like your bank (which you absolutely should never do), why have this type of security?

If I can manage it, I will change from using Google Authenticator and try Authy.  It is my understanding that Authy syncs to the web so you can recover your authentication codes, although I am not sure of this, since I have yet to use it.  More on this later.