Recover Without Another: Take control of your MFA and Recovery
In the last couple of years, vendors have stepped up in providing account recovery and multi-factor authentication for our precious precious data. However, something that bugs me is how fragile our MFA and recovery setups can be. Wanna fix it?
The problem with recovery and MFA methods
SMS (Text Notifications)
The humble SMS message: for many it is the last bastion of account recovery if everything else goes to shit. For others, it is an easy form of MFA if you don't have any authenticator apps installed.
Here are two threat scenarios to think about when using SMS as a recovery method:
Threat Scenario One: I'm a targeted individual with a real threat of accounts being hacked.
If you are a targeted individual, then SMS for MFA or recovery can be a real concern. Attackers frequently use 'SIM swapping' social engineering attacks to redirect SMS codes to themselves. The news site KrebsOnSecurity even has an entire category for stories involving SIM swapping.
Threat Scenario Two: I'm not a targeted individual, but I sure love not losing my stuff.
Even if you don't have anyone out to get you, using SMS for recovery or MFA codes can be a real pain if you change your number.
You also don't own your phone number. Missed payments, or simply the will of your provider, can affect whether you have access to it at any time.
This leads to an all-too-familiar situation where an account cannot be accessed because the recovery method was an old phone number.
Recovery Email Address
A recovery email address is an extremely common recovery method, sometimes even demanded by account providers.
Emails suffer the same weaknesses that SMS tokens do: you need to rely on that email being accessible for the foreseeable future. Both Google and Microsoft have (rightly so) started to delete inactive email accounts, meaning that if you have an old account tucked away as a recovery email, you need to make sure it is signed in to regularly.
Personally, I don't want to trust a provider that reserves the right to delete my email at any time.
Emails can also be hacked: if your recovery email is breached, then attackers have the keys to your kingdom.
Authenticator Apps
This one may be considered a spicy opinion by some.
Authenticator apps are undoubtedly the strongest of the recovery and MFA methods I have discussed so far.
I used authenticator apps for a long time, but then asked myself, what is the backup for my authenticator app if I lose my phone?
An SMS code and a recovery email....
So although I used a good form of recovery and MFA, it was in fact, no stronger than the recovery to my recovery.
Making a secure recovery/MFA chain
If my thoughts on recovering my authenticator app unsettled you a bit, then keep reading.
After discovering the fatal flaw in my recovery/MFA methods, I set out to build a chain of recovery that relied on me, and me only.
I needed a few things:
1. MFA that was only recoverable by recovery codes
2. A recovery method that didn't rely on an email, SMS, or an authenticator app that was itself backed up using those other methods.
3. A secure way of storing recovery codes.
4. An email that I can access without having to rely on a specific provider.
WARNING: If you want to go through with the methods I suggest below, you need to accept the risk of messing up badly. By relying on yourself for your MFA and recovery, you really have no backup apart from the measures you put in place yourself.
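A way to check a recovery setup for exactly the flaw described above, where the backup for the backup ends at a phone number or a provider's mailbox. This is an added example, not part of the original post; the account and method names are constructed, and the two graphs model the 'before' and 'after' chains from this post.

```python
"""Audit a recovery chain for the 'recovery to my recovery' flaw.
Added example, not from the original post; every account and method name is constructed."""
from collections import deque

# Things only you physically hold: the only valid ends of a recovery chain.
SELF_CONTROLLED = {"hardware_key_1", "hardware_key_2", "recovery_codes_usb", "recovery_codes_paper"}
# Hops a third party can take away or an attacker can hijack (SIM swap, inactive-account deletion, breach).
PROVIDER_CONTROLLED = {"sms", "provider_email"}

def reachable(graph, start):
    """Every node that can be used, directly or transitively, to recover `start`."""
    seen, queue = set(), deque([start])
    while queue:
        for method in graph.get(queue.popleft(), []):
            if method not in seen:
                seen.add(method)
                queue.append(method)
    return seen

def audit(graph, account):
    """Return (ok, issues). graph maps each account or method to the methods that recover it.
    ok only when the chain ends in something you hold and never passes a provider-controlled hop."""
    nodes = reachable(graph, account)
    issues = []
    if not nodes & SELF_CONTROLLED:
        issues.append(f"{account}: no self-controlled root; lose the devices, lose the account")
    for weak in sorted(nodes & PROVIDER_CONTROLLED):
        issues.append(f"{account}: recoverable via {weak}, which a provider or attacker controls")
    return not issues, issues

# Constructed 'before': authenticator app backed up by SMS and a provider email.
BEFORE = {
    "bank": ["authenticator_app"],
    "authenticator_app": ["sms", "provider_email"],
    "provider_email": ["sms"],
}
# Constructed 'after': two hardware keys plus recovery codes in 3-2-1 storage; the cloud
# copy's vault password is itself backed by the laminated paper codes.
AFTER = {
    "bank": ["hardware_key_1", "hardware_key_2", "mfa_recovery_codes"],
    "mfa_recovery_codes": ["recovery_codes_usb", "recovery_codes_cloud", "recovery_codes_paper"],
    "recovery_codes_cloud": ["vault_password"],
    "vault_password": ["recovery_codes_paper"],
}

if __name__ == "__main__":
    for name, graph in (("before", BEFORE), ("after", AFTER)):
        ok, issues = audit(graph, "bank")
        print(name, "OK" if ok else "\n  " + "\n  ".join(issues))
```

Running it reports three issues for the 'before' chain (no self-controlled root, plus SMS and provider email as entry points) and none for the 'after' chain.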
1. Hardware Keys
Hardware keys are a great way to do MFA: they rely on you having a physical device in hand for your second factor.
Not all sites support hardware key authentication or passkeys, so it is important to choose a hardware key that also supports FIDO tokens (the same ones used by mobile apps).
I personally use a YubiKey 5 series; it comes with an app I can install on my phone and PC for when I need to use my FIDO tokens.
Hardware tokens cannot be recovered by an email or SMS, so make sure you buy two and get used to adding new MFA tokens to both devices.
Keep one key on your personal keychain; the other should be stored somewhere secure at home and only brought out when adding new MFA tokens.
2. MFA Recovery Codes
MFA recovery codes are the crux of your recovery chain. These little text files can help you out in a situation where both hardware keys get lost/stolen/damaged.

MFA recovery codes for your normal accounts should be backed up and stored securely, but in a place you can always access them.
3. Secure recovery code storage
Storing recovery codes should ideally be done using a 3-2-1 backup system: three copies, on two different forms of media, with one off-site (cloud). Every copy should be encrypted.
I have backups stored in three different places:
- A local copy on my PC in an encrypted folder.
- A copy on an encrypted USB flash drive.
- A copy in an encrypted folder in the cloud, used as the 'production' copy of my data that I access daily.
For cloud storage, use something like Cryptomator to ensure your files in the cloud are encrypted by you, not the provider. This way you can use any cloud storage provider without having to worry about your recovery codes being compromised by attackers or the provider itself.
I also have a laminated piece of paper with emergency backup codes for my encrypted folders.
If this is all set up correctly, something pretty drastic would need to happen for you to lose absolutely everything. Make sure to update backups on a monthly basis!
4. A domain name for your email
The majority of your 'normal' accounts will need an email to recover the password, so we need to make sure it is as available as possible.
This isn't a perfect solution to point four, but having a domain name for your email stops you from being locked in to a vendor for recovery. I currently use Proton, with my email set to a domain I own. If I need to change provider, I can just change the DNS settings on my domain.
This means I don't need to change my email on all my accounts.
Summary
Taking control of your MFA and recovery costs both time and money to set up initially. However, once you have set up your MFA and recovery like this, you can be sure that you are in control and don't have to rely on a provider that could be breached or go out of business.