Using SMS for multi-factor authentication is helpful, but not always secure or reliable. What if you lose your phone? Tom Merritt lists five additional ways to receive MFA codes, without SMS.
Someone wrote in, after seeing my Top 5 about avoiding using SMS for multi-factor authentication, and asked, "Do you have any suggestions on how to protect myself from getting locked out of my accounts if my phone disappears or dies?" Great question.
One advantage of SMS multi-factor authentication (MFA) is that when you get your phone number on a new phone all the factors will get texted to you there. That's also how people can steal your second factor. Which is one reason you might not want to use SMS. What if you're not using SMS and you lose your phone? Here are five ways to protect MFA codes if you lose your phone, without resorting to SMS.
SEE: Secure your data with two-factor authentication (free PDF) (TechRepublic)
- Use a hardware key. A key, like an RSA key or YubiKey, is independent of your phone and is the most secure way to use MFA. Granted, you need to make sure you don't lose the key too. Also, not all accounts support it.
- Write down or print the backup codes. Almost all MFA systems issue you backup codes you can use in an emergency. Print them or write them down and keep them in a secure place. It's tedious, but it will get you back into your accounts.
- Set email as a backup. A lot of MFA systems can use email to send the second factor. If you're locked out of your email, this won't help much, but most of us are securely logged in to email on many more devices than our phone.
- Replicate your authentication codes on a second device. Whether it's a second phone or a tablet, you can scan the same QR code you used to set up the app on your phone to set it up on an additional device. Some apps even let you easily export your codes for transfer.
- Even easier, use an authenticator app that provides a backup system. Authy, for instance, can synchronize your MFA tokens between multiple devices, including a computer. This makes it easy to have multiple devices to cover you in case you lose one. All of your authentication tokens are encrypted locally, so neither Authy nor anyone else can see them during the sync.
Hopefully, you don't lose your phone, but if you do, these preventative measures may save you from that long account recovery phone call.
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
- Shadow IT policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- Tom Merritt's Top 5 series (TechRepublic on Flipboard)