
New and improved two-factor lockout recovery process - moby
https://githubengineering.com/recover-accounts-elsewhere/
======
DennisP
Instead of relying on Facebook, I'd rather just keep a backup U2F device in my
safe deposit box. (Especially since I also have 2FA on my Facebook account, so
for safety I'd need a second device anyway.)

~~~
ndm
Yep, that's definitely a great solution. Unfortunately, that is not practical
for the vast majority of people.

~~~
DennisP
I realize not many people will bother, but it doesn't seem _that_ impractical.
A small safe deposit box costs about $20 per year, and a U2F-only Yubikey
costs $18: [https://www.yubico.com/products/yubikey-hardware/fido-u2f-se...](https://www.yubico.com/products/yubikey-hardware/fido-u2f-security-key/)

Many sites don't support U2F yet, but that's improving. An alternative for
Google Authenticator sites is a set of one-time codes, which can also be
stored in the safe deposit box.

I don't exactly see the point of using another site as backup, since you'll
want 2FA on that site as well.

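The one-time codes mentioned above are, on the site's side, a small piece of engineering: generate a batch, store only salted hashes of them, and invalidate each code the first time it is redeemed. The block below is an added illustration of that scheme, not code from the linked GitHub Engineering post or from any site's actual implementation; the alphabet, code length, batch size and PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example (not from any real service):
# an alphabet without look-alike characters (no 0/o, 1/l/i), ten codes of ten chars.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 10
CODE_COUNT = 10
PBKDF2_ROUNDS = 50_000


def generate_codes(count=CODE_COUNT, length=CODE_LEN):
    """Generate a batch of distinct recovery codes using a CSPRNG.

    The plaintext codes are shown to the user exactly once (to print and
    store offline); the server keeps only hashes of them.
    """
    codes = set()
    while len(codes) < count:
        codes.add("".join(secrets.choice(ALPHABET) for _ in range(length)))
    return sorted(codes)


def format_code(code):
    """Display form: split in the middle for readability, e.g. abcde-fghjk."""
    half = len(code) // 2
    return f"{code[:half]}-{code[half:]}"


def normalize(candidate):
    """Accept what a user is likely to type: ignore case, spaces and hyphens."""
    return "".join(ch for ch in candidate.lower() if ch not in " -")


def _hash(code, salt):
    # Recovery codes have limited entropy, so a slow salted hash is used
    # rather than a bare SHA-256, in case the stored hashes ever leak.
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


class RecoveryCodeStore:
    """Server-side record of one user's recovery codes: hashes plus a used flag."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self._hashes = [_hash(c, self.salt) for c in codes]
        self._used = [False] * len(codes)

    def redeem(self, candidate):
        """Return True and burn the code if it matches an unused entry.

        Every stored hash is compared, even after a match, so the time taken
        does not reveal which slot (if any) matched.
        """
        digest = _hash(candidate, self.salt)
        matched = None
        for i, stored in enumerate(self._hashes):
            if hmac.compare_digest(digest, stored) and not self._used[i]:
                matched = i
        if matched is None:
            return False
        self._used[matched] = True  # single use: a second redemption fails
        return True

    def remaining(self):
        return self._used.count(False)


if __name__ == "__main__":
    batch = generate_codes()
    print("Print these and keep them offline:")
    for c in batch:
        print(" ", format_code(c))
    store = RecoveryCodeStore(batch)
    print("first use ok:", store.redeem(format_code(batch[0])))
    print("replay ok:", store.redeem(batch[0]))
    print("remaining:", store.remaining())
```

The point of the separate `normalize` step is that a code read back from a piece of paper will arrive with whatever case and spacing the user typed; the point of the used flags is that a code which has already unlocked the account must never work a second time, which is what distinguishes these from a static password.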
~~~
ndm
Expecting everyone to jump through the hurdles you describe is why we're in
this terrible state we are in today. It's just not practical, affordable, or
even possible for many.

$38 is a lot of money to a lot of people. Some people just simply don't have a
safe storage space either.

~~~
DennisP
To some, but I wouldn't have called $38 a lot of money even when I made
$8/hour. Note, however, that my approach doesn't require spending that $38,
since stored backup codes with Authenticator are also a workable solution.
Anyone in the U.S. who owns a smartphone or computer with internet access
isn't likely to be so poverty-stricken that they can't easily afford $20/year.
Storing copies in a couple less-secure places is another option.

In any case I'm not seeing how outsourcing the backup token to another site is
much of an improvement compared to not having 2FA at all. In this case,
either:

- You set up 2FA with Facebook as well, in which case you're still locked out
if you lose the device, or...

- You don't set up 2FA with Facebook, and that allows someone to bypass the
2FA on Google by just guessing your passwords.

So this seems to me a very marginal benefit over just skipping 2FA in the
first place. If you're not willing or able to deal with real 2FA, then why
pretend? Just set up a free password manager and leave it at that.

~~~
ndm
You seem to be failing to acknowledge your privilege to live in the US and
earn $8 an hour. There are people who live outside of the US and earn far
less. Also, delivering a yubikey might be actually impossible.

> - You set up 2FA with Facebook as well, in which case you're still locked
> out if you lose the device, or...

Not necessarily. What if one was TOTP and one was SMS? What if you forgot to
set up one but not the other? Also, 2FA on Facebook is not required to use this
feature. I have been in this situation before.

> - You don't set up 2FA with Facebook, and that allows someone to bypass the
> 2FA on Google by just guessing your passwords.

This is based on partial information, which I admit has not been well
publicized. Facebook implements a time-based lockout after a password is
recovered allowing a user to notice activity. It will also issue a "step up
challenge" for risky users. Must be known device, known location, etc. or
another factor is required to initiate recovery. Those with 2FA will answer a
2FA challenge, those without will fall back to other means or simply not be
able to initiate a recovery.

> So this seems to me a very marginal benefit over just skipping 2FA in the
> first place. If you're not willing or able to deal with real 2FA, then why
> pretend? Just set up a free password manager and leave it at that.

Password manager adoption amongst the world is still terrible. This is an
option that anyone can use without any additional tools or tricks.

~~~
DennisP
If you want to limit your security to what's achievable by destitute
third-worlders, fine, I'm just saying it's not my choice.

