Multi Factor Authentication: 10+ days without Authy, Google Authenticator, Aegis and SMS
Morgan Murrah
Note: I have written this account in a vague style, to preserve a shred of OPSEC about how I authenticate.
I will not lie at all. I had difficulty with my phone usage. I would check it all the time for updates on the world, and it started to drag on me.
When my phone died (indefinitely) I tried to make lemonade with the lemons life gave me.
I had a working laptop, passkeys and a password manager. But there was a nagging, difficult question: What was I going to do about Multi Factor Authentication without the apps on my phone? You know, that ritual of modern life, where you bring out your pocket computer apps and type in a series of digits to authenticate.
Race against the clock, choose if you have enough time, and type in those letters or numbers!
As it turned out, I had accumulated 3 different MFA apps on my phone. Two of them had approx 5 accounts and a third had a single thing. Then there were all those websites and groups that still wanted to use SMS…
…
The fear hit me. It hit me really hard. For several days after my phone had inflated, I paced and thought that some day soon I would need to do MFA for a task and be unable to get in.
Disaster averted… so far… Pretty sure I have backup codes…
I was able to save Android backups successfully before the phone died. I have yet to receive my new phone to install that backup and ensure the integrity of those apps on the new device, and to see to what extent things are ported over. As far as I understand, the codes will be backed up to the cloud… but I'll have to wait to see.
Not trying anything before it's needed. But diversifying while I can.
I started to prowl my accounts and my password manager. Places want the two things to get in. So many of them.
I found GitHub let me use my passkey as auth to change the authenticator to my password manager. One critical piece of infrastructure reorganized, I thought.
And then I tried to get into a domain registrar… no dice! They say they can fix it but require “Extensive account verification”.
I can wait till my new phone arrives… I'll see how it goes.
March 5 is when the new phone arrives… and then a new piece of news hit me: I had SMS this whole time…
It turns out Google Fi has had a web client this whole time to send SMS and make calls, which, because I am a bill payer with an active account, works from the phone number of my defunct phone. It's like a ghost phone on my laptop.
But can it be used for auth?
Apparently Google Fi messages for the web cannot be used for SMS 2FA… but does this only apply to Google itself?
You can’t receive two-factor authentication text messages with Messages for web. To receive these messages, you must use a phone.
I had to test this for myself. I tried an account with a non-Google tech company that had SMS as the preferred method, and then got in with a Fi web message!
This was easier than I thought it would be. Some conclusions…
- Don’t panic
- Take regular backups
- Store the codes they give you in a safe and accessible place
- Consider diversifying your sign in methods to include a password manager and some passkeys.
It is possible to ask oneself: what will I need within a few days? If you have a laptop or device with a password manager, you might be in a good spot.
I still haven’t completed this process… We shall see how it goes when I get the new phone.
I got some limited SMS back; I had codes and passkeys to reconfigure things, but a few things will remain waiting until the update takes hold on my new device. Here is hoping!