What Is 2FA / MFA?
2FA stands for two-factor authentication, and MFA stands for multi-factor authentication.
Often these terms are used interchangeably but they do not mean the same thing. 2FA is basically “two factors” (to authenticate yourself to something or someone) and MFA is basically “multiple factors” (again, to authenticate yourself), so you can think about 2FA as a subset of MFA. For the purposes of this article, we’ll use the term 2FA for simplicity, though in some cases what you may be using is MFA.
Why would anyone use 2FA? For security. If you log in to Facebook or LinkedIn daily, and regularly do so from public or work computers, it is possible that sooner or later you will use a compromised machine and your login details can be captured.
Even if you just use your own PC, if you get some form of virus, malware, rootkit or similar, your login details may be compromised. Still worse are data leaks – and we all know (or should know) these happen regularly, even for major companies.
So how can you protect your login with an additional step that hackers are unable to make on your behalf? The answer is 2FA. Simply go to the settings of your favorite website (Facebook, LinkedIn, Google, …) and activate 2FA.
You can install, for example, Google Authenticator (a 2-Step Verification program) from your favorite app store, and it will allow you to scan a 2FA QR code generated by the website with the camera of your phone. Once you do this, Google Authenticator will perpetually show short-lived 2FA verification codes which you have to enter after logging in to the website you set up 2FA for.
Thus, the next time you log in to your favorite website, you will have to enter your username, password and a 2FA verification code generated by Google Authenticator.
One often has to be quick, or wait for a few seconds for a new verification code to be created by Google Authenticator, before you can copy the number from your phone to your computer (almost always manually), or from Google Authenticator to another application you are using on your mobile phone.
As a side note, please remember that Google has a slightly different way of doing 2-Step verification these days. If you use an Android phone, you will get a ‘Did you just login?’ popup when you log in to a Google-based account. Knowing this will save you some confusion when setting up 2FA for Google. They still allow 2FA codes, but expect to get the popup instead.
Help, My Phone Broke!
It happens. You sat down in your car only to realize 2 microseconds too late that your phone was in the back of your pocket. And maybe trying out if the phone really did pass the drive-over test wasn’t such a great idea after all…
But what to do if the precious 2FA codes, now required for login to your favorite websites, and only accessible from your phone, are now inaccessible?
The options in this case become very limited, very quickly.
You may be able to contact the helpdesk of the website in question and prove your identity some other way, but this is cumbersome and painful.
You may have also been smart enough to save ten 2FA backup codes on the website at the time when you created your 2FA setup (this option is offered by most websites when you activate 2FA and should, IMHO, always be taken advantage of). Let’s just hope they were not stored on your phone ;)
Please also note that many 2FA enabled websites allow you to recreate such backup codes (usually a set of ten) at any time. So if you have used a few of the backup codes, it’s perhaps time to generate a new set (which will invalidate the previous set of codes!).
Still, isn’t there another much-safer way to ensure that 2FA codes cannot be lost? There is.
Print that QR!
All you have to do, “the trick”, is to print the QR code!
You can right-click the QR image (before you scan it with Google Authenticator or your favorite 2FA code generator app) and click ‘Copy Image’, then open your favorite image editing tool and right-click in the workspace and select Paste (or select the same from the Edit > Paste menu), and then print the same. Or, you can simply print the whole page from the website you’re on.
You can even copy/paste and/or print the list of ten backup codes from the website onto the page you are printing. If you copy/paste the image, make sure to make some sort of descriptive note on the paper to help you remember what the QR code is for (a 2FA code is simply a QR code specifically made for scanning from 2FA applications), though the 2FA app will also read some information from the QR code and display it in its code generation overview, so this may (or may not, in some cases) be sufficient to remember what the specific QR/2FA code is for.
Store the printed QR code in a safe location. The next time your phone breaks (and let’s hope there is no next time!), you can pull out the page, take your new phone, install Google Authenticator afresh (it will not have any 2FA codes in it anymore; Google Authenticator does not back up your 2FA codes online, nor does it copy them automatically when you get a new phone!), and simply rescan the code from the paper.
This works perfectly fine because the QR image is the same as before.
Pro tip: make the first scan of the QR code from your printed paper, not the computer screen. This makes no difference for the resulting 2FA codes being generated, but it ensures that the QR code on the page is readable by your 2FA application.
This would be especially recommended if you have a poor quality printer, or an older smart phone which may result in re-scan issues later on. If you have a laser printer and a modern phone, you should be fine to scan the QR code from either the printed page or the screen.
Enjoy ‘never’ losing 2FA / MFA access again!