This is part of a series where Taylor pulls sweet comments she's made in the hope that they can be useful, searchable, remembered, referenced, and / or aid in the creation of future Knowledge Base posts.
My phone got stuck in boot-loop a ways back so I am intimately familiar with this situation.
The easiest way is:
When you created your 2FA sign in with most sites, including Google, they provided you with
backup codes. These are typically 10 codes made up of random character sequences like
we44 k29d lw0d jwld nels 39ik and so forth. Each of these can be used once in case you do not have access to authenticator.
Store these backup codes like you would store a private key. Do not save them to your computer or Dropbox. Do not send them. Do not post them on Reddit. Write them down or print them out and store in 2 physically different locations.
The other option, which is actually way easier, especially since my phone dies from constantly getting notifications, is to set up your 2FA on two devices whenever you enable 2FA or create a new account. Perhaps you can make use of that old, rooted Amazon Kindle or iPhone 5. Factory reset and ensure it's not able to connect to the WiFi, and turn on airplane mode.
You can also print out the QR code itself that you originally use to add to Google Authenticator, so that if you ever need to reset 2FA, you can do so. If you don't have a printer, you can typically click the "show code" or "can't read the QR code?" etc., and get a text version that you can then write down. Pro tip: make sure you label what this QR code or text code is (e.g., "2FA for Poloniex").
It isn't inherently insecure, but it was surprisingly easy to regain access to all my accounts even though I had minimal backup codes stored in a multitude of locations over a few years.
For non-Google accounts, it's pretty easy to restore access in one way or another, either via the above methods or going through the process of bypassing 2FA with your email account. A pain, but not impossible.
You can also break out that old computer and see if you are still logged in anywhere, and can disable it. Or see if there are other access methods, like SSHing in or OAuth where you can set up a new account via a Facebook or Twitter account that uses the same email address as the account you already have, and see if you can sneak in that way.
There are a few that you will not be able to get into. In those cases, you will need to reach out to the service itself and see what you would need to provide in order to get them to turn off 2FA for you or otherwise bypass.
I strongly encourage everyone to have a beer, turn off your phone, and see what accounts you can get into without your 2FA codes. If you can get in, you need to adjust your settings to be more secure AFTER you actually have viable, secure, offline backups of the recovery codes.
Didn't find what you were looking for? Contact Us
MyCrypto is an open-source tool that allows you to manage your Ethereum accounts privately and securely. Developed by and for the community since 2015, we’re focused on building awesome products that put the power in people’s hands.
Subscribe to MyCrypto
Get updates from MyCrypto straight to your inbox!