
The other day I forgot my Github password. When I went to go through the password reset process, it must have triggered the 2FA because it asked for my code. I use Google Authenticator, but I had switched to a new phone since the last time I used GA with Github, and never scanned the code on the new phone.

So now I'm at an impasse. How do I get the code? Well, Github has a backup -- it will SMS the code to your phone! When it said this I just kind of chuckled to myself as I also had seen the h3h3 video. Sure enough, it texted me the GA code and I got back in control of my account.

Github actually provides a list of emergency codes that you can print out and use as a last resort. I had printed these before and actually had them available, but forgot about that process.

Github is trying so hard to have your account secure, but yet the SIM card cloning threat is still there.




Hint: don't just scan the QR codes on one device, switch to the "type in the TFA secret" mode, and store that in your password safe (this makes it easier to add the key to all your devices too - I have the Google Auth app on two phones and an iPad. I'd advise against doing that without at least considering something better than a 4 digit pin unlock for your devices).


> Hint: don't just scan the QR codes on one device, switch to the "type in the TFA secret" mode, and store that in your password safe

I just don't use an authenticator app at all. Some password managers (e.g. 1Password) have support for storing TOTP. So, as long as I can access my 1Password vault (use a strong password!), I can access my TOTP codes.

Besides that, I prefer U2F, which is supported by GitHub.
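What the "type in the TFA secret" hint and the 1Password comment above both rely on is that the QR code is nothing more than an otpauth:// URI carrying a base32 secret, and any device or vault holding that same secret computes the same RFC 6238 code. The following is an added example, not code from the thread, GitHub or any authenticator app: it parses such a URI, derives the code, and shows two "devices" provisioned from the same secret agreeing. The DEMO_URI is constructed for illustration; its secret is the RFC 6238 test key "12345678901234567890" in base32, not a real account secret, and the GitHub:alice label is made up.

```python
"""TOTP (RFC 6238) computed from the raw secret an authenticator QR code
carries. Added example; not code from GitHub or Google Authenticator."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed URI. The secret is the RFC 6238 test key "12345678901234567890"
# base32-encoded; the label/issuer are hypothetical.
DEMO_URI = ("otpauth://totp/GitHub:alice"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub")


def parse_otpauth(uri: str) -> dict:
    """Extract label and parameters from an otpauth://totp/... URI (what the
    QR code encodes). Only 'secret' is mandatory; the rest take RFC defaults."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def decode_secret(secret_b32: str) -> bytes:
    """Secrets are often displayed lower-case, space-grouped and without '='
    padding; normalise before base32-decoding so typed-in secrets work."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP over the time-step counter with dynamic truncation."""
    counter = at // period
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter),
                   _DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, at: int, window: int = 1, **kw) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew; each
    candidate is compared in constant time."""
    period = kw.get("period", 30)
    return any(
        hmac.compare_digest(totp(secret_b32, at + k * period, **kw), code)
        for k in range(-window, window + 1)
    )


def same_code_on_every_device(uri: str, at: int) -> bool:
    """The point of the hint: phone A scanned the QR code, phone B had the
    secret typed in (lower-case, from the password safe). Same secret, same
    code, so no SMS fallback is ever needed to get back in."""
    acct = parse_otpauth(uri)
    args = (at, acct["digits"], acct["period"], acct["algorithm"])
    phone_a = totp(acct["secret"], *args)
    phone_b = totp(acct["secret"].lower(), *args)
    return phone_a == phone_b


if __name__ == "__main__":
    acct = parse_otpauth(DEMO_URI)
    now = int(time.time())
    print(acct["label"], totp(acct["secret"], now),
          same_code_on_every_device(DEMO_URI, now))
```

The RFC 6238 test vectors (T=59 gives 94287082 for 8 digits) are a convenient way to confirm a hand-typed secret was entered correctly before relying on it as a second device; GitHub's printed recovery codes remain the right answer for the case where every device holding the secret is lost.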


> switch to the "type in the TFA secret" mode, and store that in your password safe

Oh that's a great idea! Never thought of that, thanks for sharing.


I had the new phone Google Authenticator lost data problem too. I use Authy now. It is attached to your email and phone number so you can log in when you get a new phone.


There was an update to the GA app a year or two back that screwed up the saved data and lost a lot of people access to their stuff... Google's answer was "Sorry, our bad. We'll have a new version of the app out that doesn't do this in a few weeks or whenever we get around to it, but all your lost stuff is gone. Soz..."

Protip: Don't allow your TFA app/hardware to be a single point of failure. Don't upgrade your reserve TFA device/apps until you're 100% sure the upgrade on your primary TFA device/app has worked smoothly.


I don't understand the downvotes.

Anyway, I have one time codes for all accounts I use 2FA with. Google generates these one time codes as TOTP substitutes, LastPass generates them as a one time master password that's TOTP exempt. Amazon you have to send an email and they'll call to verify and then unset 2FA on the account.


Criticise the mighty Google, and you'll be forced to pay dearly with meaningless internet points ;-)

(It's a little telling that none of the downvoters attempted to refute any of the facts…)


Authy stores your TOTP accounts, so you can sync up using a new device.



