Author Topic: Fun and Games with 2fa Lockout Problem  (Read 626 times)

Stoic Joker

Fun and Games with 2fa Lockout Problem
« on: July 17, 2019, 12:58 PM »
Okay, so here is the deal: the owner had set up the Authy 2fa app on their phone to access their account at (for simplicity's sake, let's call it) a banking site.

And then they lost their phone...

So... now, after reinstalling the Authy app on their new phone, they cannot add the site to the Authy app - to get access to the site - without scanning a QR code from the site, that is apparently only on the site, that they cannot access... Did you just think of a word that rhymes with firetruck??? I did.

Which for me... begs the question: is this kind of idiotic catch-22 level circle jerk "normal" for these (security theater fad) 2fa authentication schemes?!?

And is there any - hopefully simple - way of reuniting this poor soul with their funds?

Also (to prevent this from sounding too easy): in the long version of this story, this is not a conventional banking institution that has a brick-and-mortar storefront that someone can enter while brandishing a driver's license in front of an actual human to resolve the issue. Oh hell no... it just can't be that easy... no, this is Crypto stuff.

4wd

Re: Fun and Games with 2fa Lockout Problem
« Reply #1 on: July 17, 2019, 01:45 PM »
My experience:
1) eBay: Contacted them via the hard-to-find contact point for defunct hardware 2FA keys (the thing lasted about 10 years). Result: They removed 2FA without even verifying I was the owner of the account.
2) CoinJar (Crypto): Wanted to disable 2FA by removing authorised devices in their app because I had changed phones and forgot to back up their app data before doing a factory reset. Result: Had to contact them via email and get them to remove defunct phones from my account so I could add valid ones (couldn't log into the account via web until I did); they wanted to know all contact details, etc., etc. - plus, since in Australia they require a Driver's Licence, Passport, or something similar before you can trade, I could also give them that info.
3) Namecheap: Wanted to disable the 2FA that originally used their own app (I'd swapped phone and the 'fingerprint' had changed), so I could use Authenticator instead. Result: They wanted to know everything: contact details, what the last transaction was and what means/card was used to pay for it, etc., etc. ... then they removed 2FA.

All in all, just use their contact info and see how far you get; if you can provide details of the account with maybe a transaction or two ... you may get lucky.

FWIW, besides Authenticator, the 2FA tokens are now also added to KeePass (by way of the Tray TOTP plugin), which gives me multiple redundancies (synced across all computers/laptops/Androids), and covers all the usual 6-character 2FA plus PayPal 2FA and Steam 2FA.

The Authenticator database is also backed up (requires root though).

Deozaan

Re: Fun and Games with 2fa Lockout Problem
« Reply #2 on: July 17, 2019, 04:25 PM »
Virtually every 2FA I've ever set up either gave me a bunch of one-time-use recovery codes and instructed me to back them up, or has some other means of recovering the account if the 2FA method is inaccessible.

That said, and ironically enough, (actual) banking sites often have some of the stupidest and most insecure "security practices" I've seen.

However, in cryptocurrency-related fields there is much more responsibility placed upon each person to ensure the safety of their own funds. So the "banking site" you're referring to may be of the opinion that it's not their problem.

Stoic Joker

Re: Fun and Games with 2fa Lockout Problem
« Reply #3 on: July 18, 2019, 06:47 AM »
Thanks guys. The owner is a classic end user (I'm being nice, and leaving off the 'L'), and did not bother with making a backup of the recovery code. But they did manage to get back into the account by contacting the site (CoinBase) directly.

So... Crisis averted. ...I can only hope that they make a backup of the recovery codes this time.

Or not... *Shrug*  :D

f0dder

Re: Fun and Games with 2fa Lockout Problem
« Reply #4 on: July 18, 2019, 01:10 PM »
> So... now, after reinstalling the Authy app on their new phone, they cannot add the site to the Authy app - to get access to the site - without scanning a QR code from the site, that is apparently only on the site, that they cannot access... Did you just think of a word that rhymes with firetruck??? I did.

Erm... I don't know how Authy works, but that sounds pretty normal for TOTP-style 2FA. You need your phone/whatever authenticator to give you a time-based key in order to access the site. If you lose that (and the recovery codes, which you've hopefully stored somewhere safe), you're f*cked, as well you should be. "Scanning the QR code" would be adding a *new* phone, with a new seed for the time-based transform.

> Which for me... begs the question: is this kind of idiotic catch-22 level circle jerk "normal" for these (security theater fad) 2fa authentication schemes?!?

TOTP-based 2FA is probably one of the best things you can do security-wise today (that still isn't too much hassle) - it's definitely not security theatre.

Unless it's done wrong by the site, and you can just call and social-engineer them, of course.
- carpe noctem