Jack Wallen shows you how to retrieve your Google 2FA backup codes and how best to use them.
Two Factor Authentication (2FA) has taken a beating lately as being a less than ideal security measure. Part of the problem is that some 2FA codes are sent via SMS, which can be intercepted.
In some cases (such as many banking institutions), the 2FA system doesn't allow interaction with apps like Authy or the Google Authenticator. Instead, they insist on sending you 2FA codes via SMS. For the more security-minded, this isn't really an option. In fact, for some people even using the mobile apps isn't the greatest idea. Especially when you're dealing with an account associated with your business.
Fortunately, some services offer 2FA backup codes that can be used as an analog option. Google is one such service. When you set up 2FA for Google you are given the option to print out seven backup codes that can be used in the case of an emergency. Those codes work and, when you run out, you can always generate more.
You can already see where I'm going with this.
SEE: Password Management Policy (Tech Pro Research)
In some instances, I have Google set my browser as safe, so I don't have to enter a 2FA code every time I log in. It's only when I'm away from my office or setting up a new machine that I need a code. If I'm feeling rather paranoid, I'll use one of those 2FA emergency codes. When I run out, I generate more. It's that simple.
But how to do it? Simple. Let's find out.
How to retrieve those codes
If you didn't print out those codes, upon setting up 2FA, the first thing you'll need to do is retrieve them. To do that, you must log into your Google account, and then go to the Google 2FA site, where you'll be prompted to log in once again. Upon successful authentication, you'll see an entry for Backup codes. Click the SHOW CODES button (Figure A).
A pop-up will appear, listing your 2FA emergency codes. You can then download them (as a .txt file) or print them directly. The list will also show you only those codes you have not used (as the rest will be listed as ALREADY USED). Handy.
Word of caution
For those that opt to download the .txt file, I suggest you do so, and then encrypt that file. Don't leave it hanging around, unprotected, on your local drive for prying eyes to sneak a peek. Also, included in that file is your Gmail address associated with the account. I highly recommend you delete that line in the file (on the off-chance someone does stumble upon the file and manages to open it). The last thing you want is to make it easy for a bad actor to put two-and-two together and realize those codes are associated with that address. There is also a line that looks like this:
Need more? Visit https://g.co/2sv
I recommend deleting that line, as it could give away the secret to what those codes are for. Once you've deleted those lines, save and close the file. Encrypt it, and your codes are less likely to be seen by prying eyes.
How to generate new codes
Surprise! In that same pop-up, you'll see a button labeled GET NEW CODES (Figure B). Click that button and seven new codes will generate.
Here's a tip. Only use six of those codes, and consider the seventh your key to get more codes. This is especially true if you opt to not use a mobile app for Google 2FA. You don't want to find yourself without that one last key, so you can log in and generate more.
Not a perfect solution
2FA is not a perfect solution. But if you can avoid using sites and services that send 2FA codes via SMS (and if those sites in question would start supporting mobile 2FA apps), you'll be less likely to have your codes stolen and used against you. Even so, you might consider only using these Google codes for 2FA authentication. Use them wisely and understand, when it comes to security, nothing is ever 100%.
- Move Google Authenticator from one Android device to another (TechRepublic)
- Firefox Accounts gets 2FA security: You can use Google Authenticator one-time codes (ZDNet)
- How to set up two-factor authentication in Linux (TechRepublic)
- Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)
- How to set up two-factor authentication on CentOS 7 (TechRepublic)
- How to get users on board with two-factor authentication (TechRepublic)