A normal login, with a username and password, requires two pieces of information, but they are inherently the same type - "something you know". MFA (Multi-Factor Authentication) adds other types - e.g. "something you have" or "something you are".
2FA is a very common subset of MFA, usually adding a piece of "something you have" in the form of your smartphone. The phone itself is not usually the factor, but rather its SIM card (if the second factor is a temporary PIN sent via SMS), or an authenticator app that is permitted to generate a temporary secondary password (usually using TOTP - "Time-based One-Time Password").
In contrast with a password, which you can often reset via a temporary emailed link if you forget it, in a lot of systems there is no "forgot my 2FA" type of mechanism. So, what if your 2FA is a smartphone app, and you lose your phone, or get mugged, or it just breaks?
There are still options available, but the best options are those that you need to prepare before anything like this can happen. Such as:
Saving backup codes
- Unlike the main secret, these cannot be used directly to add the same token to a new phone / authenticator app. Instead, these are more analogous to the "I forgot my password" recovery flows, where you will have to go to the individual platform (e.g. Google), and follow the specific flow for that platform, which usually requires logging in with user & pass, then clicking a menu option to use a backup code instead of the 2FA TOTP.
- Usually these are issued when you set up MFA for the first time, and you might be given a large set (e.g. 10 codes). Usually each one is limited to one use, and then it becomes invalid.
- Although exposing these is not quite as dangerous as exposing the token secret or QR code (see below), it is very close; treat these the same as passwords and store them carefully (ideally in an encrypted password manager), and/or print them and keep the printout somewhere secure
The benefit to these over just storing the QR code and/or token secret is multi-fold:
- They are usually one-use-only, whereas a token secret could be exploited indefinitely to generate new tokens
- They usually trigger some sort of warning and/or additional challenge-and-response when used, so if someone uses one to get access to your account, you will likely get notified about it, whereas if your token secret was exposed and used, you probably wouldn't
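The two properties above (one use only, and an alert when a code is spent) come from how the service stores and redeems the codes. This added example, not code from the original post or from any particular provider, shows a minimal server-side model: only slow hashes of the codes are kept, a code is burned on first use, and every redemption returns an event the account owner should be notified about. The event names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/o, 1/l/i so printed codes are easy to read back
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _hash_code(code, salt):
    # Slow, salted hash: a leaked database should not hand out usable codes
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def issue_backup_codes(n=10, length=10):
    """Return (plaintext codes shown to the user once, record kept server-side)."""
    salt = secrets.token_bytes(16)
    codes = ["".join(secrets.choice(ALPHABET) for _ in range(length))
             for _ in range(n)]
    record = {
        "salt": salt,
        "hashes": [_hash_code(c, salt) for c in codes],
        "used": [False] * n,
    }
    return codes, record


def redeem_backup_code(record, submitted):
    """Accept a code at most once.

    Returns (ok, event); 'event' is what the account owner gets alerted about,
    which is the notification the post contrasts with silent TOTP-secret misuse.
    """
    h = _hash_code(submitted.strip().lower(), record["salt"])
    for i, stored in enumerate(record["hashes"]):
        if hmac.compare_digest(h, stored):
            if record["used"][i]:
                return False, {"event": "reused_backup_code", "index": i}
            record["used"][i] = True
            remaining = record["used"].count(False)
            return True, {"event": "backup_code_used", "index": i,
                          "remaining": remaining}
    return False, {"event": "invalid_backup_code"}


if __name__ == "__main__":
    codes, rec = issue_backup_codes()
    print("show once:", codes)
    print(redeem_backup_code(rec, codes[0]))   # accepted, 9 remaining
    print(redeem_backup_code(rec, codes[0]))   # rejected: already spent
```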
Saving the QR code
If a service gives you a QR code to use to save the token to an MFA manager app, that QR code can actually be used forever, unless you trigger a reset by requesting a new code. This is because the QR code must contain the token secret, because it is used to generate the temporary passcodes.
- You could save the QR code (or URI) in an encrypted format, and/or physically print out and store in a secure location
- This is also not a bad way to have a "if I suddenly die" type backup for family members
QR codes might also contain additional data, such as:
- label: Plain text string, which is usually shown to the user in the manager app.
- issuer: Plain text string, indicating who issued the secret
- ... and a few other attributes
- Remember - just because it is an image instead of readable text does not make it encrypted; do not be mistaken - the QR code contains your secret in plain text, so treat it the same as the secret itself, in terms of keeping it secure
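To make the point concrete, here is an added example (not code from the original post) that decodes a constructed otpauth:// URI of the kind an enrolment QR code carries, and then derives valid TOTP codes from the secret it contains, exactly as an authenticator app would. The secret used is the RFC 6238 reference key; the label and issuer are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Split an otpauth:// URI (the text inside an enrolment QR code) into
    its fields. Note that the secret is right there in plain text."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))
    return {
        "label": label,
        "issuer": q.get("issuer") or label.split(":")[0],
        "secret": q["secret"],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(secret_b32, at=None, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time (default: now)."""
    if at is None:
        at = time.time()
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(at) // period)      # time step, big-endian
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def codes_from_uri(uri, times):
    """Everything needed to mint codes at any time comes from the URI alone."""
    p = parse_otpauth(uri)
    return [totp(p["secret"], t, p["digits"], p["period"]) for t in times]


# Constructed enrolment URI; secret = base32("12345678901234567890") from RFC 6238
URI = ("otpauth://totp/Example:alice%40example.com"
       "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    print(parse_otpauth(URI))
    print(codes_from_uri(URI, [59, 1111111109, time.time()]))
```

The first two times match the RFC 6238 test vectors, which shows that anyone holding the QR image (or a saved screenshot of it) can produce the same codes as your phone, indefinitely.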
Saving the token secret
- Storing the token secret, in any form, should only be done with considerable thought to purpose and security, and generally only as a last resort. If you are careless with your token secret, it kind of defeats the purpose of MFA.
- Should never be stored in plain text, unless perhaps physically printed out and stored in a secure location
- In comparison with backup codes, this is a way more dangerous option, because using a backup code usually triggers a secondary check and/or notification, whereas if your secret is compromised, someone could be using it for weeks without your knowledge.
Another option, although it also introduces another attack vector (if it can be used standalone for entry), is to simply add more "factors" to your account. For example, if an account supports logging in with user+pass and either a TOTP or a physical U2F key, then you could use the physical U2F key as your backup, and have the TOTP as the primary, or vice versa.
Some sites will even let you associate more than one of the same type of factor for the same account. For example, Google allows for more than one U2F key to be registered with the same Google account - and even recommends this as a backup plan.
Some MFA managers offer the ability to backup and/or sync 2FA/MFA tokens across devices. This is great, because it makes it easier to recover from something like losing access to your phone, but it raises the question of "how is it secure?"
Using Authy's popular backup and sync feature as an example, the way it is usually done is that the tokens are encrypted with an additional password that you create, and only the encrypted blob of tokens (plus a salt, if used with password) is uploaded / synced. Things that are never synced are:
- The raw un-encrypted 2FA tokens
- Your special "backup" password, used to encrypt tokens for this sync feature (**)
** = Some MFA managers actually *do* sync the "backup" password (in a hashed form of course), which one could argue decreases the security of the system. For example, the backup feature of Microsoft's Authenticator App very clearly uses your Microsoft Account itself as the backup password - so if that became compromised, someone could sync and decrypt/restore your backup on their own device, getting access to tokens.
Some MFA managers might also sync the entire QR code that was used to add each token, or a partial subset of it.
If you are especially paranoid, but still want to use this feature, you might want to add the codes you want to sync manually, instead of via QR, because if the service syncs the QR data, that data might contain the email address associated with the account (see Authy Backup FAQ).
The main benefit to using a service that lets you sync / migrate / backup 2FA/MFA tokens is really felt if you have a lot of them; it lets you migrate them in bulk.
Most uses of MFA already have a system in place to allow for tokens to be re-issued, or in the case of a lockout, using "backup codes" to recover an account. However, these have to be used on a per account basis - if you have just three accounts you use MFA with, that might still take 20 minutes of work to migrate to a new phone; logging into each account, issuing new tokens to use with the new phone, or in the case of a lockout, finding and using your backup codes (that might have been issued years ago at this point).
🚨 👉 All this being said, it is 1000% important that you still keep all your per-account backup codes safe, and don't rely on a third-party sync service to save you in case of trouble!!!