Why is recoverability important?
There's the obvious point of needing a way to recover access to your accounts should you ever lose it for some reason. But recoverability should also be considered an important security measure. Think about it: if the recovery process for your account is weak, your whole authentication process is essentially just as weak. An attacker goes for the weakest link in the chain.
For example, security questions used to be a common recovery mechanism. Those worked by asking you some question beforehand like "What's your mother's maiden name?". If you ever lost access to your account you would need to answer one or a couple of such questions and voilà, you'd be let in. Now, why is this bad? Your mother's maiden name isn't especially hard to figure out, and neither is the name of your first pet. An attacker might find them in public records, in what you publish on Facebook, or through simple social engineering. A great example of social engineering is this scene from the movie "Now You See Me".
What do I need to consider?
Your passwords
I'm sure you've heard countless times that you should be using a different password for every service you use. And that is absolutely true. But human beings aren't that great at remembering stuff, especially not complex combinations of letters, numbers and other weird characters. At least I'm not great at remembering that stuff. So what do you do? You use a password manager.
Using a password manager you only have to remember one password, the one for the password manager itself, and it handles all the other passwords for you. Now if one of your passwords is leaked by some service you only need to go and change that one password instead of having to change it on every service you use, because no other account shares it.
But you need to make sure to maintain access to your password manager even if you lose or break a device. Usually a password manager hands out some sort of "emergency kit" which you need to store safely (more on that later).
Your e-mail address
You've probably used the "I forgot my password" mechanism a couple of times already. Usually that boils down to them sending you a link to your e-mail address that you can use to reset your password.
If anyone were to gain access to your e-mail account they could instantly reset most of your passwords, or lock you out completely by changing the password of your e-mail account itself.
So how do we protect ourselves against this? There are several ways (go figure :)). First we would try to raise the security of our e-mail account, right? Right. To do that we would ideally go passwordless (more on that later) or configure something called "Multi-Factor Authentication" or "MFA".
As the name suggests that works by adding an additional factor to your login process. Consider your password the first factor. A second factor could then be an app on your phone that displays a one-time code or simple SMS messages. You've probably already encountered something similar when interacting with your bank online. (SMS messages aren't especially secure - but they're still far better than not having a second factor). There are also hardware based second factors, make sure to read to the end before configuring MFA everywhere ;).
So now if someone knew your password and tried to log in to your account they would also need the code on your phone. That blocks the common case where a leaked or phished password is all an attacker has. It is not a complete fix, though: a phishing page can relay a one-time code to the real site while the code is still valid, which is one reason the security keys described later matter.
Now you might ask "but couldn't I also use MFA for accounts other than my e-mail address?". And you'd be absolutely right - you can and you should.
You should aim to use MFA for every service that supports it. But especially, and I can't stress this enough, you absolutely have to use MFA for your e-mail address and your password manager.
Your MFA
So you went ahead and configured smartphone-app-based MFA for all your accounts (the codes are called "time-based one-time passwords" or "TOTP", by the way). Good on you, but what if you lose that phone, break it or upgrade to a new one? Those codes are generated from secrets stored on your device, and unless your chosen authenticator app offers a backup feature you'd be out of luck (and that backup is also a bit sketchy).
If you're thinking "oh, I'll just go and use the password reset process again", I'm afraid you'd be mistaken. Remember, the goal of having a second factor is to prevent someone who only knows your password from logging in, and if you can recover an account you can log into it. So recovery for passwords and recovery for second factors need to be just as separated as the two factors are during a normal login - otherwise the whole concept would be broken.
So what do you do?
Oftentimes a service offers you something like "backup codes" or "recovery codes" that you should store safely (like the emergency kit for your password manager). Those codes then allow you to reset your second factor. That's kind of a pain though right? Right. Enter security keys.
Sidenote: some services may not offer recovery codes. For those you can store the QR code used to set up MFA in the first place (or the text secret it encodes); with that you can simply re-register the account in a new app, because that secret is all the app ever held. Treat it as carefully as you would a recovery code.
Your security keys
There is another option for MFA that is far more portable than a phone, far cheaper and even more secure. Sounds too good to be true? Trust me, it's real. It's called a "FIDO2 security key" and it's basically a tiny USB key you can carry around with you on your keychain or in your wallet. They usually cost somewhere between 30 and 80 bucks depending on the feature set. That little key can then store your TOTPs instead of your phone, using an app called "Yubico Authenticator" (not associated, I just like their stuff).
You just open the app, hold it against your phone and voilà there are all your TOTPs. But you're not tied to that phone - or any phone at all, there's an app for your computer too.
Note: Storing TOTPs on a security key is a feature of Yubico Authenticator. Supported keys are listed here
So it's more portable - check. It's cheaper - check. But how is it more secure? Well, see, you'd probably use your password manager on your phone as well (which is definitely a good thing!). So you'd store your TOTPs and your passwords on your phone. If you store your TOTPs on a security key they're truly separated from your passwords.
But the main feature of security keys isn't the ability to store your TOTPs on them - no no, they're far more versatile than that. For example that whole passwordless thing I teased earlier on, that's a FIDO2 feature (but still, more on that later on ;)). Another feature is called "Universal 2nd Factor" or "U2F". U2F basically serves the same purpose as the TOTPs do. Meaning you can drop the whole authenticator app shenanigans altogether - on services that support U2F that is.
You would register your key as your second factor and whenever you want to login you still use your password but for your second factor you just plug in that key (and tap the button on it) or just hold it against your phone.
This is quicker and more secure than TOTPs so whenever you can register a security key, I suggest you do so.
An even more important reason to prefer U2F over TOTP is that U2F can't be phished. That isn't certificate magic; it's plain public-key cryptography. The key creates a separate key pair for every site you register it with, and the browser puts the site's real origin into the data the key signs. A lookalike site therefore either has no key pair registered for it at all, or gets a signature that the real site rejects, so your login data never ends up in the impostor's hands.
Cool, those are tiny though, even easier to lose, what if...?
Well, that is true. So how would you recover from that?
First there's the use of recovery codes that we already know from app based MFA (TOTPs). But the most common suggestion is to have a spare security key and register both of them for every service. You'd then store the second key somewhere safe and use that to regain access should you ever lose your primary key.
Can we finally get to it?
Yes yes, so now we know about password managers, MFA and security keys and how we can recover from losing devices. Throughout this post I routinely say "store x safely" and that is the primary objective of this post. So how do you store your recovery codes and emergency kits safely? These are just text files after all.
Well you could store them on some cloud storage service like OneDrive, Google Drive or iCloud Drive. But that isn't particularly safe as anyone who would gain access to your account for that would get the keys to your kingdom. Furthermore if you were to lose access to that you'd be back where we started - locked out of your accounts, just with more effort this time.
It's basically just text, so why don't I just print it? Well, firstly I have a deeply rooted hatred for printers. But more importantly that wouldn't be secure at all, would it? Anyone who finds those pieces of paper gets the keys to your kingdom.
Fortunately there is something in between. Something secure, local and technologically advanced (at least more so than paper). Exactly, a USB stick. A USB stick is easy to store, easy to use and doesn't require you to maintain access to some obscure account.
But if anyone steals that key they'd just be one step away from gaining the keys to the kingdom as they would if everything was printed.
Well, that is why we use an encrypted USB stick for that. You could use some software to encrypt the data, but then you'd have to trust that software to still be around (and installable) years from now and keep it up to date. What's far easier to use and (arguably) even more secure is a hardware-encrypted USB stick, for example Verbatim's "Fingerprint Secure USB-Stick". With that you don't even have to remember a password for it.
Additionally, if you want, you could also register the fingerprint of a loved one so they can access your stuff should anything bad happen to you. Just as I promised in the beginning of this post. Maybe add some readme file to the stick with instructions on how to use the information contained on it and/or a link to this article 😉.
You store that key somewhere safe (alongside your backup FIDO2 security key). I suggest you keep it somewhere accessible because you're probably going to have to add another set of recovery codes to it every now and then. And the best security is the one you actually use. Sure, common business backup practice would be to store a copy of that off-site in case of the building burning to the ground. But would you want to travel 10km every time you have another set of recovery codes to safely store?
You mentioned passwordless, what is that about?
So after all of this boring security talk there is one more thing that may make much of the above unnecessary in the coming years: passwordless authentication.
If you don't have a password it can't be phished nor can it be leaked. Also the user experience is orders of magnitude better.
The FIDO2 security keys I mentioned in "Your security keys" support another FIDO2 feature called WebAuthn.
In IT we like to create obscure abbreviations for everything. Authn is just short for authentication. The counterpart would be Authz which means authorization.
As the name suggests, in this scenario you don't have a password at all. You just need one of those security keys and a username. But what about MFA? Well, in this scenario the security key isn't quite all there is to it. You would also set a PIN (similar to your debit or credit card) or use some sort of biometrics like your fingerprint. That makes the security key your first factor (something you have) and the PIN/biometrics your second factor (something you know or are).
Unfortunately WebAuthn is still fairly new and only a handful of services support it. But where it is already supported, the experience is magnificent. And, just like U2F, WebAuthn credentials are bound to the site's origin, so they can't be phished either.
In WebAuthn there's another thing called "platform authenticators". With that your device itself becomes the authenticator. But that's another nuanced topic for another time.
Actionable checklist for setup
Would be quite rude to ramble on this long and not give you a checklist wouldn't it?
So here you go:
Note that this checklist may seem daunting. But it's definitely worth it. While going through all this I'm sure you'll find some accounts you no longer need. Instead of just abandoning those I'd suggest deleting them outright.
Once you've done all that it's going to be mostly smooth sailing. You might sign up for the occasional new service where you'd need to follow the considerations again. But, like with everything else, just maintaining that practice is far easier than having to do such big bang tasks.
The easy way
Now, contrary to common belief (at least I think it's common), features like "Sign in with x", as offered by Apple, Google and Facebook, aren't a bad thing at all. They're actually a very good thing, as long as you make sure to properly secure the Apple/Google/Facebook account.
If you're thinking about going that route there's a couple of things to consider:
- How much do you trust your Identity Provider (Apple/Google/Facebook)?
- Do you worry about ecosystem lock-in? (They may make it intentionally difficult or even impossible to migrate away from one provider to another)
- Do you read the prompts when signing up thoroughly? You may grant a service a broad set of permissions if you're not careful
If you have any concerns about any of these, you're better off following the previous parts of this post.
Notes from the field
I recently got a new phone which is what prompted me to write this article in the first place. I used to use TOTP for most things and I used Microsoft Authenticator to facilitate that. Because of all the shortcomings of that approach I went ahead and migrated all my stuff to follow the practices described here.
I personally use 1Password to manage all my passwords and I've previously cleaned up all my accounts already. So for me it was mostly just maintenance, though there were a couple of accounts I no longer used and therefore closed (sometimes that's as easy as clicking "delete account", sometimes it requires privacy requests or some other sort of contact).
While following the approach above I noticed some stuff that I want to talk about here.
- 1Password has this nifty feature where it tells you which of your accounts support MFA
- Many sites require you to register a phone number for SMS based recovery
- Some sites offer no recovery mechanism whatsoever (that was actually surprising)
- Very few sites support full passwordless WebAuthn
- Some sites allow you to register FIDO2 keys as a second factor but still require TOTP to enable MFA
- Using a Yubikey for Yubico authenticator limits you to 32 TOTPs per physical key
- Some sites don't support FIDO2 keys if you're not on a specific browser and don't tell you about it (looking at you Microsoft)
I'm not going to lie to you, that process sucks. But it's well worth it for the peace of mind of knowing your account security is raised and you know how to recover an account should you ever break or lose your device. I hope this post helps you raise your online security and keeps you from losing access to any accounts ever again.
Thank you very much for reading.