How Two Factor Failed Me

Two Factor Authentication

As a security-conscious person, two factor authentication has always been an attractive solution to me.  It provides a quick and easy way for me to add an extra level of security to my online accounts without having to remember yet more passwords.  But what is two factor authentication?

Two factor authentication is the idea of accessing your account using something you know, such as your password, and then something you have, which can be anything from a mobile phone to an authenticator gadget or app.  In my case, many of the websites I use two factor authentication on use my phone and a text message.

Not long ago I discovered that I could enable such a mechanism on Facebook.  Traditionally Facebook uses their own app to generate security codes in order to get into your account; however, they do provide the option to hook your phone up to your account.  Armed with this, I had the code to verify my phone sent via text and completed setting up my account.  Simple, right?

A few days went by and things were going pretty well.  I didn’t have a need to use my two factor on Facebook since the computers I was using were already known machines.  That is, until I did the regular maintenance I do on my computers and deleted the cookie Facebook plants on your machine to identify you.  Normally this process is pretty trivial: I delete all of the records from my computer, log into my password manager, and slowly all the apps I regularly use begin to remember me again.  But like any story worth telling, today was not going to be the same.  Today was going to begin a journey down a painful road.

Once I got to my Facebook account I entered my credentials like I normally would and clicked sign in.  Only instead of being greeted by my newsfeed, I was greeted with their two factor authentication window.

Two Factor Authentication Screen
Facebook’s two factor authentication screen

At this point I was unconcerned; of course, I thought to myself, I set this up not 3 days ago.  I quickly located the “Can’t find your code?” link and prompted Facebook to send me a text message so that I could proceed to my account.

Text message a code
Facebook’s various options when you can’t use the authenticator app

After waiting for several minutes and not getting the code, I began to worry something may have gone sideways.  So I tried clicking the button again.  This produced a similar result… nothing.

Undeterred, I decided to try and contact Facebook.  I figured it must be something simple and they certainly would be able to help and get this mess sorted out in no time flat.  This would be the case except for one small detail… they want your identification.

Request form
In a post-Snowden internet, I don’t necessarily want to give away this information to any corporation

In Facebook’s defence, they are taking the security of the users on their site very seriously, and they do promise to permanently delete it from their servers.  The issue I have here is, in a post-Snowden world, do I really want to be sending such sensitive information over the internet, and especially to a large organization whose primary income comes from collecting information?

I decided to try filling out the form and omitting the image, thinking all I really need to know is whether it’s a network issue or an issue with Facebook not sending texts.  I haven’t, after all, lost access to my account: I still have the same phone number, and I know my credentials.  What separates me from it is a 6 character code.

I decided to move on to my phone carrier.  The first time I called, the conversation was brief and largely unhelpful, although I did appreciate that the tech asked if I had performed the troubleshooting steps (battery out, power cycle) without forcing me to do them.  However, having finished that, he said it wasn’t something he could deal with and gave me the number of my phone manufacturer, which was a dead end as I was unable to reach a human.

I have since called my carrier back and they have made a ticket to investigate the issue; I will update this article should anything come of it.  However, I’d love to hear any suggestions you guys might have!

So What Should I Have Done Differently?

One thing that I would like to say is that two factor authentication is a GREAT tool to prevent unauthorized access to your account.  There have been cases where people have lost swaths of their online lives because an attacker was able to use social engineering to access the victim’s account without a password, and having had two factor authentication would have stopped them in their tracks.

There are a number of things that I could have done to make this process much faster and a non-issue.

1. Used back-up codes

I normally print, or save in a secure location, a list of backup codes for my accounts just in case my phone gets broken, disconnected or I otherwise lose access to it.  These codes are longer than the two factor codes, and each one expires after a single use.

2. Set up a secondary authentication method

Facebook gives you the option of choosing three trusted friends to regain access to your account should you get locked out.  I chose not to do this step since, at the time, I couldn’t think of three people who I wanted to give this power to.

3. Confirm that my phone would work

Although Facebook sends a code to the phone in order to ensure it can receive them before even allowing you to set up two factor authentication, I should have tested that it worked before committing the changes and erasing the tracking cookie from my computer.

4. Set up an application specific password

These passwords are alternate passwords you can use when the device you are using can’t do two step authentication, and would have at least given me interim access while I worked out why my codes weren’t working.
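The backup codes from point 1 are the piece most worth understanding, because they are what keeps a missing text message from becoming a lockout.  The following is an added example, not the blog’s code and not anything Facebook publishes: it shows how a service can issue a short list of long, single-use backup codes, store only hashes of them, and fall back to them in the second step of a login when the SMS code never arrived.  The code length (10 characters), the count (8), the alphabet and the in-memory store are assumptions chosen for illustration.

```python
"""Backup codes: generate once, store hashed, redeem once.

Added example (not the blog's or Facebook's code). Code length, count,
alphabet and the in-memory store are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional

# Alphabet without 0/O and 1/I so codes survive being read from paper (assumption).
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 10   # longer than a 6-digit SMS/TOTP code
CODE_COUNT = 8     # enough to cover a few emergencies before regenerating


def normalize(code: str) -> str:
    """Accept codes typed in lowercase or with spaces/dashes added for readability."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def _hash_code(code: str, salt: bytes) -> bytes:
    # Store only a salted hash, so a leaked database does not hand out working
    # second factors. PBKDF2 keeps this close to how passwords are stored.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class BackupCodes:
    """Per-account backup codes; plaintext is returned once and never kept."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self._hashes: List[bytes] = []

    def generate(self) -> List[str]:
        """Create a fresh set, replacing any old one. Print or save the result now."""
        codes = [
            "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(CODE_COUNT)
        ]
        self._hashes = [_hash_code(c, self.salt) for c in codes]
        return codes

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, candidate: str) -> bool:
        """Consume one matching code. A replayed code is rejected: single use."""
        digest = _hash_code(normalize(candidate), self.salt)
        match = -1
        # Compare against every stored hash in constant time per entry and do not
        # stop early, so timing does not reveal which slot matched.
        for i, stored in enumerate(self._hashes):
            if hmac.compare_digest(stored, digest):
                match = i
        if match < 0:
            return False
        del self._hashes[match]
        return True


def second_step(store: BackupCodes, submitted: str, sms_code: Optional[str]) -> str:
    """Second factor after a correct password. Returns which path accepted it.

    sms_code is the code the service issued for this login, or None when no SMS
    could be delivered (the situation in the post). The backup list is tried
    last so a valid backup code is only burned when nothing else matches.
    """
    if sms_code is not None and hmac.compare_digest(normalize(submitted), normalize(sms_code)):
        return "sms"
    if store.redeem(submitted):
        return "backup"
    return "rejected"


if __name__ == "__main__":
    store = BackupCodes()
    plain = store.generate()          # show these to the user exactly once
    print("backup codes:", " ".join(plain))
    print(second_step(store, plain[0], None))   # backup
    print(second_step(store, plain[0], None))   # rejected (already used)
    print("remaining:", store.remaining())      # 7
```

The point to take from the example is the asymmetry: the SMS code is short because it is only valid for a few minutes, while a backup code has to sit on paper for years, so it is longer and is destroyed the moment it is used.  Regenerating the list invalidates every unused code, which is what you want after the sheet has been exposed.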

In conclusion, I still highly recommend using two factor authentication.  I would say, however, think carefully about your backup plan in case something does go wrong.  I guess at least for me this is a great vacation from my social media account, and a great lesson in balancing security and practicality.
