How Screwed Will I Be If I Lose/ Break My Phone?
November 28, 2022 5:46 AM   Subscribe

I used to live and work in the US. I have a company phone with Google and Microsoft authenticator apps installed, and I use my fingerprint to log in to Outlook and my banking apps. I now live in another country, use the same phone - unlocked, with a different SIM - and work as a contractor for the same US company (i.e. I left and got hired back). Now that I no longer have a US phone number, what will happen if I need a new phone - will I still be able to login to those apps? More details inside.

The phone is a Pixel 5, which I log into using my personal Google account.
My company uses the Microsoft Office suite, and I use the Outlook app + fingerprint to access work email.
Occasionally I will also be asked by my work account to use the Microsoft authenticator app - which requires my fingerprint - to log in to email and other Office apps.
I have 4 US banks and have an app for each, and they all require my fingerprint to log in.
I also have a retirement fund which uses the Google authenticator app to generate a code to log in.
(The primary phone number for all these banking accounts is now a Google Voice number.)
The Google authenticator app also generates a code for my Google account, although I don't remember being required to enter that anywhere.

So: if I lose/ break my phone, am I hosed (I'm guessing my authentication is tied to the phone and the US number I no longer have), such that I should really get a 2nd phone for daily use and keep my Pixel at home and out of harms way?
posted by my log does not judge to Technology (8 answers total)
Well, how "hosed" are you if you miss a day of work?

If you lost your phone, you could presumably buy another phone and log in with your authenticator app. Your company's IT department could help you problem solve or answer questions about the worst case scenario.

But, people work remotely in other countries all the time. I think usually the company just overnights a new phone if this happens.
posted by bbqturtle at 6:05 AM on November 28, 2022

If you transfer your account to a new Pixel, it will bring over your Google Authenticator automatically and possibly your fingerprint data (I think I had to redo it for my bank app). You can also do this from inside the app via qr code, but you need to have access to the old phone so this would only help if it's half broken (like mine was). Otherwise you would have to reauthenticate things on the new phone with new info from IT and your banks/etc, which will be a pain
posted by JZig at 6:11 AM on November 28, 2022 [1 favorite]

This may be old advice now, but a couple of years ago I dunked my Motorola phone in a lake with my Google Authenticator on it and there was no way to get my Google Authenticator sync working on my new phone that I could find. I ended up having to recreate my 2FA for all the accounts that had it; this often meant I had to call up the bank or whatever, verify my identity, and have them remove 2FA so I could re-instate it with my new device. In some cases, rather than a phone call, it was a multi-day back-and-forth with tech support for the service to get 2FA disabled so I could re-enable it with the new device.

When I did this, I switched over to using Authy for all accounts; it has a desktop client and also easily transfers/syncs to new/multiple devices. I've found that even if an account's 2FA setup only uses the term "google authenticator," Authy always works. And then it doesn't matter if I'm on my laptop, my desktop, or my phone, because I've got Authy on all of them.
posted by msbrauer at 6:20 AM on November 28, 2022 [5 favorites]

I'm guessing my authentication is tied to the phone and the US number I no longer have

I think you should definitely not have anything tied to a number you no longer have.

It's hard to answer the actual question because companies keep changing their authentication practices. Not the same thing, but lately google has been making me do authentication rounds when I log in, even with devices and browsers and IP addresses I've previously used, which was recently a problem when I was abroad; not having a roaming text plan, I couldn't receive the SMS 2FA codes they were sending. Another time I couldn't receive texts but could receive incoming phone calls, but the "call my phone" alternative was suddenly not available. And I'd always been able to authenticate via a linked gmail account, but suddenly that was no longer sufficient, so I was screwed.

So aside from anything else, don't leave an old number as your contact information, because you never know when some company will insist on using that and only that, or on using all your listed verification options, or whatever new set of hoops they come up with.
posted by trig at 6:31 AM on November 28, 2022 [1 favorite]

The first thing you do is transfer your US phone # to Google Voice.

Ok, get a Google Voice account. Assuming you're American or at the least have friends or family in the US, set up a Google Voice #. I've successfully utilized mine for all types of authentication and the ones that didn't usually allow email verification as an alternative.

As I communicate with the US regularly, I've gone one step further and now have a Google Fi # in addition. The lowest tier is ~$20 a month and offers substantially better reception for communication if that's a thing you need/want. But it also works flawlessly with all authentication apps. Google Fi will require that the SIM card be activated within the US first, but that's where the friend/family member comes in. They can mail it to you after activation.

As a bonus, both Voice and Fi work without a sim card or even a phone.
posted by wile e at 6:50 AM on November 28, 2022

Not directly related to changing phones, but if you haven't already, be sure to set up some Google Backup Codes and store them someplace where you can get to them. This will let you into your account if your phone is lost/destroyed. For example, I store mine in a separate cloud drive that doesn't have 2FA enabled in an encrypted format that I can decode online via various websites.

Well, how "hosed" are you if you miss a day of work?

Work 2FA systems should allow the company set set a static PIN for one time use in cases like this, though whether the individual company allows for it is another matter.
posted by Candleman at 9:14 AM on November 28, 2022 [1 favorite]

Best answer: On just about any site with two factor authentication (2FA) there should be an interface that provides you with single-use backup codes you can use to get into your account should you lose access to the device you use for 2FA. While you have access to everything, you should be downloading all those backup codes and storing them somewhere (perhaps in both password protected text files on a desktop computer and in paper hard copies somewhere safe). If you lose access to the device you use for 2FA you can use one code for each site to log in and set up a new device for 2FA. This is often faster and easier than doing the automated "I lost my device" function available on many sites.

If you don't have backup codes then you will have to go through the "I lost my device" process with each one of those accounts. Some of them (like banks) will probably do the same sort of authentication they did when you opened or connected your online accounts in the first place, where you answer questions about old addresses, cars, people you've lived with, etc. Note that if the data about you is faulty then you may have trouble with this authentication. In my case somebody who last lived at my address more than 14 years ago keeps getting reconnected with it in credit reporting data (I have no idea if this is because of fraud or just something badly configured somewhere) so I periodically get ID questions about a person I've never met. It's fun! (It is not fun). For non-financial accounts you may need to get on the phone or jump through different hoops to verify your identity (like, emails to recovery addresses you may also be locked out of, paper letters to registered physical addresses, and so on). You really should be saving backup codes for every account, is what I'm saying.

You may also want to look into cloud-based 2FA systems. Apple's iCloud Keychain (for example) will sync your 2FA across any device you have logged in. That won't help you on Android, but I believe 1Password does this too. I don't know if Microsoft Authenticator syncs using a Microsoft 365 cloud account in the same way, but that should be something you can find out using Google (and in this case Bing may even give you better results).

You can also back up your 2FA configuration if you have a second phone. Google Authenticator puts this under the "Export accounts" feature. You can select one or more accounts, export them (which displays a QR code you scan on another device), and then just … not remove them from your primary device after adding them to your backup device. My wife and I share a Gmail address for bank statements, utility bills, and a few other common things, and I did just this so we both have 2FA access from our own phones.

Lastly, you may want to look into FIDO keys like Yubikey so your second factor isn't your phone. You may not be able to use a FIDO key for every account, but you could use it for a Gmail account that is your second factor for other accounts. This would provide an additional layer of protection even for accounts you can't use the FIDO key for directly, and would spread your risk across multiple physical objects.
posted by fedward at 9:31 AM on November 28, 2022 [3 favorites]

I switched over to using Authy for all accounts; it has a desktop client and also easily transfers/syncs to new/multiple devices.

I use KeePassXC's inbuilt TOTP support for the same reason. Like Authy, it supports any RFC6238 authentication scheme for which the end user has access to the secret during setup, and with a bit of extra hoop-jumping it can also be set up to support Symantec VIP which keeps its secrets inside Symantec's own servers.

The convenience of not needing to go find my phone just to be able to log into something from the desktop, and not even needing to open anything other than the password manager I'd have open anyway, has often proved both useful and pleasing.

Using the same software to store both passwords and 2FA secrets obviously defeats the purpose of 2FA, but it seems to me that most of what 2FA is actually being used for in 2022 is to mitigate the widespread filthy habit of re-using weak passwords across multiple online services.
Consistent use of password management software makes long, random, machine-generated, unique passwords every bit as convenient as weak ones, and for me the resulting security level has now been more than adequate for twenty years. And the fact that everything I need to log into anything lives inside a single encrypted file that I get to choose where to store and where to replicate and how to back up, and which I will therefore always retain access to regardless of unpredictable corporate whim, is a great comfort.
posted by flabdablet at 10:12 PM on November 28, 2022

« Older Recommend some books on focus, concentration and...   |   Which sync agents frequently work with the... Newer »

You are not logged in, either login or create an account to post comments