When Phone-Based 2-Factor Authentication Fails

Trying to sign in to your TurboTax account to file your taxes for the year, you fill in your username and password and press submit. Easy enough. The next screen loads telling you “We sent an SMS to your phone, please enter the code now.” Your eyes roll. You go looking for your phone which is lost in the abyss that is the space between couch cushions. This might only be a minor inconvenience, but what if the circumstances had been different? 

Imagine you are out of the country on business, and attempting to get into an app for work. An SMS is sent to your phone, but your phone can’t receive texts without incurring a fee. If the task is important enough, you incur the fee. Once again, only a minor annoyance. If you don’t get service at all, it could hold up production.

Now imagine you are in the armed forces and while deployed overseas, your phone number is disconnected. You return home and attempt to reintegrate into society, but all 2-factor authentication accounts require you to use your old phone number. Recovering these accounts can take days. While more disruptive, you can lean on your support network to help you until you get back on your own two (digital) feet.

Could you imagine fleeing a dangerous relationship? You go to the store and obtain a new phone and number so that your partner can’t reach you. But the new device isn’t authorized for use with your iCloud account, even though you know your password. Apple sends a text to confirm the authorization, but it goes to your abandoned phone. Apple is notorious for an account recovery process that takes multiple business days, and the representative says their hands are tied. You are stuck, unable to make app purchases or access any of your protected tools or information for days. Your network is reduced. Your attempt to flee as a whole is hindered.

So what’s the solution? The good news is there are already a few viable options out there, and some suit a given situation better than others. Porting your number to Google Voice lets you send and receive SMS and voice calls independent of any one device, but the service is only available in certain countries. Alternatively, at initial account creation or when 2-factor is activated, the service can issue several one-time-use recovery codes that you print and store in a private location. These codes are known only to the account holder and are used only for account recovery; each code works exactly once. Recovery codes are a viable option for the latter two scenarios. As another option, I’d like to see companies that have storefronts (e.g. Apple, Microsoft) accept government IDs as a recovery mechanism. For example, if you need a speedier recovery of your iCloud account, going to the Apple store and showing a representative your driver’s license or passport would be sufficient to authorize a new device for your account.
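To make the recovery-code option concrete, here is an added example (written for this post, not code from the article, Apple, Google or any other vendor) of how a service can issue single-use recovery codes and redeem them: the plaintext is shown to the user once, only a salted hash is stored, and each code is accepted exactly once. The code format (two groups of five characters from an alphabet without easily confused letters) and the 8-code default are assumptions, not any particular vendor’s scheme.

```python
"""Single-use account recovery codes: generation, storage and redemption.

Added example; assumptions: 10-character codes from a 31-symbol alphabet
(about 50 bits of entropy), 8 codes per set, salted SHA-256 at rest.
"""
import hashlib
import hmac
import secrets

# No 0/O or 1/I/L, so a code printed and kept in a drawer is hard to misread.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def normalize(code: str) -> str:
    """Canonical form of a code as typed by a user: uppercase, separators dropped."""
    return "".join(ch for ch in code.upper() if ch in ALPHABET)


def _digest(code: str, salt: bytes) -> bytes:
    # Codes are high-entropy random strings, not passwords, so a salted SHA-256
    # is enough to stop a leaked table from yielding usable codes.
    return hashlib.sha256(salt + normalize(code).encode()).digest()


class RecoveryCodeStore:
    """Per-account store of recovery-code digests (in memory for the example)."""

    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.unused = set()  # digests of codes not yet redeemed
        self.used = set()    # digests of codes already spent (kept for auditing)

    def issue(self, count=8, length=10):
        """Generate a fresh set of codes, invalidating any previous set.

        The plaintext list is returned once for display/printing and is never stored.
        """
        self.salt = secrets.token_bytes(16)
        self.unused.clear()
        self.used.clear()
        codes = []
        for _ in range(count):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
            codes.append(f"{raw[:5]}-{raw[5:]}")  # grouped for readability
            self.unused.add(_digest(raw, self.salt))
        return codes

    def redeem(self, attempt: str) -> bool:
        """Return True exactly once per valid code; every later use is rejected."""
        candidate = _digest(attempt, self.salt)
        # Compare against every unused digest without early exit so timing does
        # not reveal whether (or which) code matched.
        match = None
        for stored in self.unused:
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self.unused.remove(match)
        self.used.add(match)
        return True

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    for c in store.issue():
        print(c)  # show once, then the user stores the printout privately
```

In a real deployment the redeem path also needs rate limiting or lockout per account (about 50 bits of entropy per code is ample against online guessing only if attempts are throttled), and issuing a new set should require a fully authenticated session so that an attacker who has only the password cannot mint codes for themselves.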

Phone-based 2-factor might simply be an annoyance in the name of security, but a minor annoyance for those in stable situations can be an insurmountable obstacle for those in turmoil. It’s easy to lose sight of the broader repercussions of an inconvenience. Because our society is so helpless without technology, it is ever more crucial to consider all scenarios, mundane or dire, when implementing new security measures.