2 Factor Authentication – A cautionary tale
Password security for websites and logins is an ever-growing issue that frustrates many, and where rules are too rigid it often has the undesired effect of reducing security, because passwords can't be remembered and are therefore written down or stored insecurely.
For some time, 2 factor authentication has attempted to provide a further level of security by requiring a third element on top of the username/password combination. This extra element is usually time-sensitive and changes regularly, often being valid for only 30 seconds. It therefore does not have to be remembered; it is generated each time it is needed by a secure app or device that only the legitimate user can access.
For years I have relied on Google's authenticator app; it was there on my phone and always available. Over the years I amassed a large number of different logins which each relied on the app. It just worked, and because it appeared to work so well, I continued to add more logins to it. Then I upgraded my phone!
The new iPhone installed with all the old apps and data of the old phone; it seemed like an easy upgrade. After a few days I deleted all of the data on my old phone. What I hadn't counted on was using the authenticator app to log in; I hadn't needed it and therefore hadn't tried it. The first time I did, the codes generated were not recognised. Eventually it became clear that the app is tied to the device and the upgrade had broken all the security keys: whilst the app was now on the new device, it was using new keys and would therefore not work.
Further research discovered that you couldn't just export from the old app and import into the new (well, at least not with the Google app I was using). So each website needed to be logged into again, this time going through whatever steps were necessary to recreate the 2FA authentication step with the new app. This was the time I moved away from the Google app, and I now use something called Authy. The advantage is that the keys can be exported, so next time the phone is upgraded there is no need to go through the somewhat painful step of renewing the authentication for each individual site.