What If I Lose My Yubikey or Google Authenticator?
2FA (two-factor authentication) is a great way to protect accounts. If you’re trying to secure your business, you might be considering the use of a physical protection key (such as the Yubikey drive) or apps like Google Authenticator for your employees.
But that does introduce a question. What happens if an employee loses their Yubikey?
Today, quite a few banks and other apps are using solutions like Yubikey or Google Authenticator. Many businesses are also requiring them for their employees. Most accounts today need an email address or text message for two-factor authentication. But the question becomes, what happens when your employee loses access to that second factor?
The answer differs depending on the device.
What If I Lose My Yubikey?
If you lose your Yubikey, you can still use your phone authenticator app, but you cannot create a backup Yubikey. However, Yubikey also provides methods to recover your account, so you can get a replacement.
An advantage to Yubikey is that it comes on a USB that cannot be identified. So, if anyone finds your employee’s Yubikey, they won’t know what machine it goes to. On the other hand, there are some weaknesses to Yubikey if your business’s IT team hasn’t configured it correctly.
When you first adopt Yubikeys, the IT team can choose how – and if – employees can recover it. Some of the methods of recovery may be more vulnerable than others. Think carefully regarding whether you want to keep those options open or whether you want to close them. This goes doubly for IT departments first looking to adopt Yubikey – how much ease of recovery will you tolerate in exchange for less security? The greater the security, the better, but expecting humans to never make a mistake or lose something may be unrealistic.
In short, your employees can almost always recover a Yubikey. But the methods that they can use to recover it may vary depending on your configuration. And some of those methods could open your business up to security vulnerabilities.
What Happens If I Lose My Google Authenticator Device?
Your employees can choose a new Google Authenticator device using the backup codes they’ve been given. For most people, your Google Authenticator device is going to be your phone. Google knows that people lose phones all the time. So, if you lose your Google Authenticator device, you will still be able to recover your Authenticator account.
There are multiple methods that an employee can choose to authenticate their account. You can authenticate by text or by email. Of course, this again does present a vulnerability. For instance, if someone spoofs your number, they might be able to gain access to your authenticator account.
Number spoofing is one of the major challenges when it comes to 2FA based on mobile phones. At the same time, most attackers aren’t advanced or determined enough to spoof a number for the average employee – this is more likely to happen with high-value targets such as business executives or those who are in control of major intellectual property.
Like Yubikey, there are few ways to entirely lose your Google authentication. As long as you’re able to go through the recovery process, you should be able to use the authenticator. If you can’t find a way to get into the authenticator, you can usually reset your account.
There are many accounts that customer service representatives can override. If you call in, they’ll be able to go over your identifying information with you, ensure that it’s you, and give you a new login and password.
At the same time, this again shows a weakness in the system; it’s always possible that someone could social-engineer their way into accessing your account. But in so doing, they will leave far more of a trail than if they could just access it directly.
Two-Factor Authentication: What If I Lose My Phone?
Many people are concerned about losing their phone. There are two general systems when it comes to two-factor authentication through a phone: app-based and phone number-based.
Some two-factor systems will send you a text message through your phone that you can reply to. In other words, your authentication doesn’t live on the phone, it lives on the phone number. If you lose your phone, your new phone and new number will still receive these authentication texts.
So, there’s nothing you need to do about losing your phone except replace it.
Now, if you authenticate through an app, usually it’s tied to the device in some way. You will need to reaffirm your account and prove that you’re you. Usually this is also done through a text message or email address.
One of the critical potential issues with many 2FA and MFA systems is that they ultimately come down to a phone number or email address: even if the system requires a physical dongle like a Yubikey or another method of connection, you can usually reset it through that phone number or email address.
But that’s not always true. You can also choose greater levels of security for your business system; just know that it may become a more complicated situation should your employees actually lose their device or their authentication.
The Advantages of 2FA and MFA
Two-factor authentication and multi-factor authentication just make sense. They’re the best ways to secure a system. But there can be some problems if you lose one of the factors that you’re using to log in.
Before you start deploying 2FA or MFA across your business, make sure you and your workforce know what the procedures are if they lose their device. This will ensure that you can head off any issues in the future.
There are some systems (notably some cryptocurrency systems) in which you simply cannot get your key back if you’ve lost all your data. Because of this, you should always be cautious when setting up accounts.
If you’re trying to safeguard a very important account, you may just need to have very rigorous standards. Something like a Yubikey can be valuable because it gives your employees a physical, separate device that they need apart from their phone.