There’s an old quip about solutions causing more problems:
Some people, when confronted with a problem, think “I know, I’ll use regular expressions.” Now they have two problems.
The account compromise problem
Years ago, online service providers had a problem.
Too many user accounts had weak, easily guessed passwords and were being compromised.
To make matters worse, many people used the same password for dozens of different accounts. So by compromising one account, an attacker could compromise others.
Last year, firstname.lastname@example.org used Soccer2020! for email, Google, Twitter, Facebook, LinkedIn and his bank account. This year, his password is Soccer2021!
To solve this problem, many service providers began offering users two factor authentication (2FA) based on the Time Based One-time Password (TOTP) algorithm.
The TOTP algorithm takes a secret, and the current time, as input to generate a dynamic numeric code. These codes typically look something like this:
$ gpg -d twitter-totp-secret.txt.asc 2> /dev/null | goathgen
Google Authenticator is a popular TOTP implementation, but there are many others.
Here’s an example of what a TOTP secret looks like as a string. This one is base32 encoded, but some may be hex encoded:
Users may never see the TOTP secret represented as a string, but as a QR code that they scan into their phone’s authenticator app. Those look something like this:
No matter how it is displayed, the TOTP secret should only be known to the service provider and the user. It must also be protected. In this way, it’s similar to a password.
Now with TOTP based 2FA enabled, users must enter a password and a numeric code to access the account.
This makes user accounts more difficult to compromise because an attacker would have to correctly guess the user’s password and obtain the user’s TOTP secret in order to gain access to the account.
The new problems
While 2FA largely solves weak password account compromise, it also creates new problems (mostly for users).
- The management of TOTP secrets.
- The loss of TOTP secrets.
If the TOTP secret is unavailable, people may be permanently locked out of their account even if they know the password. This is by design.
Backup 2FA recovery codes compound the new problems. Those have to be managed as well, and can be lost too.
Which is worse… Having an account compromised or being permanently locked out of the account because you lost something?
In either case, you have to convince the service provider that you are indeed the rightful account holder. And, losing your TOTP secret, may make this impossible if you didn’t take precautions.
Proliferation of the new problems
Managing TOTP secrets and taking precautions against 2FA account lock-out is probably doable (for a few accounts). However, service provider adoption of 2FA is growing.
Email providers, domain registrars, social media sites, banks, online stores and forums now offer 2FA. Some even mandate it.
Currently, I have slightly more than 100 personal unique account passwords. I generate those passwords with DPG. I also have roughly 30 TOTP secrets with different service providers. I use goathgen or Google Authenticator to generate the codes.
How people manage
When service providers offer multiple 2FA methods some users enable them all. I highly recommend this approach to mitigate the risk of 2FA lock-out. Phone based 2FA methods are insecure and I do not use them, however, the average person needs to weigh that security risk against the potential for 2FA account lock-out and do what makes them most comfortable. Security is sort of like investing. You can play it safe or take more risks. Neither is right or wrong.
Use a password manager that also supports storing TOTP secrets and sync those with cloud accounts. If you do this, you have to be careful to not lose access to the synced account.
Keep encrypted copies of the TOTP secrets on multiple computers in geographically separate locations. You can PGP encrypt the TOTP secrets and store those in /home.
Print paper backup codes and store them in a safe place (at a bank or a friend’s house). Although this becomes more difficult as the number of accounts that require 2FA grows, and isn’t convenient when you need quick access.
Some people don’t take any precautions and may not realize that they could be locked out of their accounts if their phone (with the authenticator app that contains all of their TOTP secrets) is reset, broken, lost or stolen.
And, even users who are prepared may lose access to their backups, phone number and other 2FA methods. Life happens.
A potential solution
Online service providers could have more physical presence. Places where people could visit (in-person or virtually) to prove that they are who they say they are and recover their accounts.
When I was a teenager, my wallet was stolen. It contained my driver’s license and social security card. Two things I need to live life.
I was able to get replacements by visiting the Department of Motor Vehicles (DMV) and a regional Social Security Administration office.
There was a well-defined process, for me to follow, to recover these things. There ought to be a similar solution for all online accounts.
We’re already there
At local organizations, this solution is already in place. Banks, schools and employers typically have offices where people can go to get help with account access issues.
Some even offer Zoom sessions that allow remote users to get help. You can display a government issued ID card, and your face, to a webcam just as easily as you can in-person.
Large online service providers could partner with retailers, phone companies, and government agencies, to offer users a similar recovery service for a nominal fee.
If that happens, the risk of permanent account lock-out, due to broken phones and lost TOTP secrets, would not be the problem that it is today.