What’s 2FA / MFA?
2FA stands for two-factor authentication, and MFA stands for multi-factor authentication.
These terms are often used interchangeably, but they do not mean the same thing. 2FA is basically “two factors” (to authenticate yourself to someone or something) and MFA is basically “multiple factors” (again, to authenticate yourself), so you can think of 2FA as a subset of MFA. For the purposes of this article, we will use the term 2FA for simplicity, although in some cases you will use MFA.
Why would anyone use 2FA? For safety. If you log in to Facebook or LinkedIn on a daily basis, and do so regularly from public or work computers, it is possible that sooner or later you will be using a compromised machine and your login credentials may be captured.
Even if you only use your own PC, your credentials can be compromised if you get some form of virus, malware, rootkit, or the like. Even worse are data breaches – and we know (or should know) that these happen regularly, even at large companies.
So how can you protect your login with an extra step that hackers can’t do on your behalf? The answer is 2FA. Simply go to the settings of your favorite website (Facebook, LinkedIn, Google, …) and activate 2FA.
For example, you can install Google Authenticator (a two-step verification app) from your favorite app store, and use it to scan a 2FA QR code generated by the website with your phone’s camera. Once you do this, Google Authenticator will continuously display short-lived 2FA verification codes that you will need to enter after logging in to the website you set up 2FA for.
So the next time you log in to your favorite website, you will have to enter your username, password and a 2FA verification code generated by Google Authenticator.
You often have to be quick, or wait a few seconds for a new verification code to be created by Google Authenticator, before you can copy the number from your phone to your computer (almost always manually), or from Google Authenticator to another application you’re using on your mobile phone.
Keep in mind that these days Google has a slightly different way of doing 2-step verification. If you are using an Android phone, you will get a “Have you just signed in?” pop-up on the phone when you log in to a Google-based account. Knowing this will save you some confusion when setting up 2FA for Google. They still allow 2FA codes, but expect to get the pop-up instead.
Help, my phone broke!
It happens. You just sat down in your car and realized 2 microseconds too late that your phone was in your back pocket. And maybe it wasn’t such a good idea to try and see if the phone really passed the drive-over test …
But what if the precious 2FA codes, now required to log in to your favorite websites and only accessible from your phone, are now inaccessible?
In this case your options become very limited, very fast.
You may be able to contact the help desk of the respective website and prove your identity in another way, but this is cumbersome and painful.
You may also have been smart enough to save ten 2FA backup codes on the website when you created your 2FA configuration (this option is offered by most websites when you activate 2FA and should, IMHO, always be used). Let’s hope they are not saved on your phone 😉
Also keep in mind that many websites with 2FA support allow you to create such backup codes (usually a set of ten) at any time. So if you used some of the backup codes, it may be time to generate a new set (invalidating the previous set of codes!).
But isn’t there another much safer way to make sure that 2FA codes can’t be lost? There is.
Print that QR!
All you have to do to pull off “the trick” is print the QR code!
You can right-click on the QR image (before scanning it with Google Authenticator or your favorite 2FA code generator app) and click on ‘Copy image’, then open your favorite image editing tool, right-click in the workspace and select Paste (or select Edit > Paste from the menu), and print it. Or you can simply print the entire page from whatever website you are on.
You can even copy / paste and / or print the list of ten backup codes from the website onto the page you are printing. If you are copying / pasting the image, make sure to write a descriptive note on the paper to help you remember what the QR code is for (a 2FA code is simply a QR code made specifically to be scanned by 2FA applications). The 2FA app will also read some information from the QR code and display it in the code generation overview, which may (or in some cases may not) be enough to remember what the specific QR / 2FA code is for.
Keep the printed QR code in a safe location. Next time your phone breaks (and let’s hope there’s no next time!), you can take the page out, grab your new phone, reinstall Google Authenticator (there will be no 2FA codes in it; Google Authenticator does not back up your 2FA codes online, nor does it automatically copy them when you get a new phone!), and just rescan the code from the paper.
This works fine because the QR image is the same as before.
Pro tip: make the first scan of the QR code from your printed paper, not the computer screen. This makes no difference to the resulting 2FA codes that are generated, but it ensures that the QR code on the page is readable by your 2FA application.
This is especially recommended if you have a poor quality printer or an older smartphone, which can lead to rescan issues later on. If you have a laser printer and a modern phone, you should be fine scanning the QR code from the printed page or screen.
Enjoy ‘never’ losing 2FA / MFA access again!