Solved Backup Devices for MFA


Haydon

Well-known member
Member
VIP
Local time
4:27 AM
Posts
892
OS
Windows 10 Pro
It is dangerous to have only 1 device for Multi-Factor Authentication (MFA) If you go out fishing and drop your MFA phone in the lake, you lose access to your MFA accounts :scream:

As a backup device for MFA, I use someone else's phone in my household. I have never actually needed that other phone for backup but every now and then I do try it out to make sure that the backup still works. Moreover, some but not all MFA accounts can send the security code by voice to an ordinary landline phone (I am too cheap to subscribe to a text-to-landline-phone service)

What backup devices for MFA do YOU use?
 

My Computer

System One

  • OS
    Windows 10 Pro

The-Hive

Well-known member
Pro User
VIP
Local time
9:27 AM
Posts
3,525
Location
Wiltshire UK
OS
Windows 11 Pro
Beyond me :LOL:
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Alienware Area 51m R2
    CPU
    10th Gen Core i9 10900K
    Memory
    32GB
    Graphics Card(s)
    Geforce RTX 2080 Super
    Screen Resolution
    1920x1080
    Hard Drives
    C: Samsung 2TB P981A
    D: Samsung 2TB 970 Evo
    Mouse
    Alienware AW610M
    Browser
    Chrome and Firefox
    Antivirus
    Norton
    Other Info
    Killer E3000 Ethernet Controller
    Killer AX1650i Wi-Fi Network Adaptor
    Alienware Z01G Graphic Amplifier
    Tobii Eye Tracker
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 3501
    CPU
    11th Gen i-7 2.80 gb
    Memory
    16Gb
    Screen Resolution
    1920 x 1080
    Hard Drives
    512Gb SSD
    2GB External drive
    Browser
    Chrome
    Antivirus
    Norton

Quandary

Active member
Member
VIP
Local time
4:27 AM
Posts
182
OS
Windows 11
Phone & PC running Authy.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    HP / Spectre x360 Convertible 13
    CPU
    i5-8250U
    Motherboard
    83B9 56.50
    Memory
    8GB
    Graphics Card(s)
    Intel(R) UHD Graphics 620
    Sound Card
    Realtek High Definition Audio(SST)
    Screen Resolution
    1920 x 1080
    Hard Drives
    Toshiba 256GB SSD
    Internet Speed
    500Mbps
    Browser
    Firefox, Edge
    Antivirus
    Windows Defender

cereberus

Well-known member
Power User
VIP
Local time
9:27 AM
Posts
1,669
OS
Windows 10 Pro + others in VHDs
Buy a new phone when you get to shore. :rolleyes:
Yep - MFA is tied to the mobile number. I had a phone stolen - got it locked, ordered new phone and sim, problem sorted. Why would I bother having a backup when the (future backup device) is in the power of my debit card?

re. losing existing phone - buy a £5 neck lanyard.
 

My Computer

System One

  • OS
    Windows 10 Pro + others in VHDs
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Vivobook 14
    CPU
    I7
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    N/A
    Screen Resolution
    1920x1080
    Hard Drives
    1 TB Optane NVME SSD, 1 TB NVME SSD
    PSU
    Yep, got one
    Case
    Yep, got one
    Cooling
    Stella Artois
    Keyboard
    Built in
    Mouse
    Bluetooth , wired
    Internet Speed
    72 Mb/s :-(
    Browser
    Edge mostly
    Antivirus
    Defender
    Other Info
    TPM 2.0

Haydon

Well-known member
Member
VIP
Thread Starter
Local time
4:27 AM
Posts
892
OS
Windows 10 Pro
Folks, your sites must have really lax MFA that can be easily bypassed with a new phone & sim card. Would that not defeat the purpose of MFA, since it would provide no more security beyond a mere password.

More secure, and hopefully more common, is to configure MFA on better sites with with pre-arranged ways to authenticate yourself. If one way fails, then you can authenticate yourself with at least one other way. That's the backups that I am talking about (and that I have used over the years for banks and other important sites)

Makes sense?

Edit: I was thinking of buying a phone with dual sim cards with an office # and a home #. If I go on my famous fishing trip and drop that famous phone in the famous lake, then I would be in double trouble. That's the impetus for this thread, having backups in different physical media that you don't jeopardize at the same time.
 
Last edited:

My Computer

System One

  • OS
    Windows 10 Pro

Haydon

Well-known member
Member
VIP
Thread Starter
Local time
4:27 AM
Posts
892
OS
Windows 10 Pro
No more comments? At least someone understood the issue by tossing up Authy which is pertinent, especially with 2 devices (phone & pc)

A word of caution for people reading this thread, don't go overboard. For my most important sites, I use my max:

text or voice to mobile #1
text or voice to mobile #2
voice to landline

That's 3 devices and 5 MFA options, and issue is that the higher the count the bigger the attack surface becomes (something like an additional authenticator app adds to the tally)

FWIW, for unimportant sites, I don't even use MFA :scream:
 

My Computer

System One

  • OS
    Windows 10 Pro

cereberus

Well-known member
Power User
VIP
Local time
9:27 AM
Posts
1,669
OS
Windows 10 Pro + others in VHDs
Folks, your sites must have really lax MFA that can be easily bypassed with a new phone & sim card. Would that not defeat the purpose of MFA, since it would provide no more security beyond a mere password.

More secure, and hopefully more common, is to configure MFA on better sites with with pre-arranged ways to authenticate yourself. If one way fails, then you can authenticate yourself with at least one other way. That's the backups that I am talking about (and that I have used over the years for banks and other important sites)

Makes sense?

Edit: I was thinking of buying a phone with dual sim cards with an office # and a home #. If I go on my famous fishing trip and drop that famous phone in the famous lake, then I would be in double trouble. That's the impetus for this thread, having backups in different physical media that you don't jeopardize at the same time.
Who is talking about a new sim card? I was talking about a replacement with same number. You cannot easily get that from sim supplier without proof of identity. Anyway MFA varies from app to app. My work uses telephone call back, MS Autherlnticator or registered email. Others just use text messages/code.


I just am not worried enough about losing my phone to go to inconvenience of using a separate device. I can always recover with 24 hours or so even if phone was lost in worst case.

Anyway, that approach does not help you when out and about if using a text based authentication method to a set number on a phone left at home.

i prefer to use MSAuthenticator where possible. Email authentication is handy as next best option, or fingerprint etc. However, many apps still just text a code to your phone and yiu have no choice of doing otherwise.

To me the pros of using a secondary device are outweighed by the inconvenience..
 

My Computer

System One

  • OS
    Windows 10 Pro + others in VHDs
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Vivobook 14
    CPU
    I7
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    N/A
    Screen Resolution
    1920x1080
    Hard Drives
    1 TB Optane NVME SSD, 1 TB NVME SSD
    PSU
    Yep, got one
    Case
    Yep, got one
    Cooling
    Stella Artois
    Keyboard
    Built in
    Mouse
    Bluetooth , wired
    Internet Speed
    72 Mb/s :-(
    Browser
    Edge mostly
    Antivirus
    Defender
    Other Info
    TPM 2.0

Haydon

Well-known member
Member
VIP
Thread Starter
Local time
4:27 AM
Posts
892
OS
Windows 10 Pro
Well, you did say
new phone and sim
good that you clarified.

My work uses telephone call back, MS Autherlnticator or registered email.
Those are in fact 3 MFA backups, although it appears that you access all 3 with your phone, good if that works for you.

Anyway, that approach does not help you when out and about if using a text based authentication method to a set number on a phone left at home.
Ah, but having multiple devices does help reduce the downtime, e.g. a laptop to get the code in an email as in your work example, maybe important if you are in a meeting with a client.

It is of course handy to use devices that you already have, as MFA backups. I even think that you already do that, e.g. you do your remote work on a laptop that you can also use as an MFA backup device. So, with your phone, I think that you already have (at least) 2 MFA devices.

Sure, not all sites work with all MFA devices, that's what this thread is all about.
 

My Computer

System One

  • OS
    Windows 10 Pro

cereberus

Well-known member
Power User
VIP
Local time
9:27 AM
Posts
1,669
OS
Windows 10 Pro + others in VHDs
Well, you did say

good that you clarified.


Those are in fact 3 MFA backups, although it appears that you access all 3 with your phone, good if that works for you.


Ah, but having multiple devices does help reduce the downtime, e.g. a laptop to get the code in an email as in your work example, maybe important if you are in a meeting with a client.

It is of course handy to use devices that you already have, as MFA backups. I even think that you already do that, e.g. you do your remote work on a laptop that you can also use as an MFA backup device. So, with your phone, I think that you already have (at least) 2 MFA devices.

Sure, not all sites work with all MFA devices, that's what this thread is all about.
My point is if the MFA relys on phone number, it assumes you always have access to that phone. This rather vontradicts your fishing scenario as you would not have that spare phone with you to normally use it with those apps when not at home.

This you would have to take the spare phone with you to use such apps when not ar home. If you did, you would just as likely lose it as your main phone anyway.

There is no credible scenariosI suppose you could use an app to remote access the spare phone, but then you are making things very complicated.

In any case, if you lose your main phone, you still have to go through hassle of getting a replacement SIM and possible a new handset. So there is no scenario where have a secondcphone helps you unless the spare phone is also configured like the main phone.

In simple terms - do not lose main phone, second phone is superfluous.
Lose phone, you still need to go hassle of replacing SIM to access second phone.
 

My Computer

System One

  • OS
    Windows 10 Pro + others in VHDs
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Vivobook 14
    CPU
    I7
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    N/A
    Screen Resolution
    1920x1080
    Hard Drives
    1 TB Optane NVME SSD, 1 TB NVME SSD
    PSU
    Yep, got one
    Case
    Yep, got one
    Cooling
    Stella Artois
    Keyboard
    Built in
    Mouse
    Bluetooth , wired
    Internet Speed
    72 Mb/s :-(
    Browser
    Edge mostly
    Antivirus
    Defender
    Other Info
    TPM 2.0

Quandary

Active member
Member
VIP
Local time
4:27 AM
Posts
182
OS
Windows 11
My point is if the MFA relys on phone number, it assumes you always have access to that phone. This rather vontradicts your fishing scenario as you would not have that spare phone with you to normally use it with those apps when not at home.

This you would have to take the spare phone with you to use such apps when not ar home. If you did, you would just as likely lose it as your main phone anyway.

There is no credible scenariosI suppose you could use an app to remote access the spare phone, but then you are making things very complicated.

In any case, if you lose your main phone, you still have to go through hassle of getting a replacement SIM and possible a new handset. So there is no scenario where have a secondcphone helps you unless the spare phone is also configured like the main phone.

In simple terms - do not lose main phone, second phone is superfluous.
Lose phone, you still need to go hassle of replacing SIM to access second phone.
That is not the complete situation.

Authy is setup and tied to my phone number, but I also have Authy installed on my Desktop that provides access to the MFA codes for my accounts. If the phone and SIM could not be replaced in reasonable time then the MFA linked accounts could then be deactivated using the code from the Desktop app, and then setup again with a different phone/number.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    HP / Spectre x360 Convertible 13
    CPU
    i5-8250U
    Motherboard
    83B9 56.50
    Memory
    8GB
    Graphics Card(s)
    Intel(R) UHD Graphics 620
    Sound Card
    Realtek High Definition Audio(SST)
    Screen Resolution
    1920 x 1080
    Hard Drives
    Toshiba 256GB SSD
    Internet Speed
    500Mbps
    Browser
    Firefox, Edge
    Antivirus
    Windows Defender

Haydon

Well-known member
Member
VIP
Thread Starter
Local time
4:27 AM
Posts
892
OS
Windows 10 Pro
Yeah, nimble and yet secure access to accounts can be more important than any devices that you have to replace.

I have been using a multiplicity of backup MFA devices that I already have (or have access to) for the 'nimble and yet secure access' thing, but Authy apparently achieves the same thing with software.

... and you can't say accidents shall not happen!
 

My Computer

System One

  • OS
    Windows 10 Pro

Bastet

Well-known member
Member
VIP
Local time
9:27 AM
Posts
199
Location
Manchester. UK.
OS
Windows 11 Pro 64bit
Most if not all MFA suggest to create backup codes so a user can access their accounts should they lose their phone.
Also if you use a phone & a tablet then you can install an authenticator app & the 2FA will still be available on the tablet if you lost the phone.
 

My Computer

System One

  • OS
    Windows 11 Pro 64bit
    Computer type
    Laptop
    Manufacturer/Model
    PC Specialist Optimus VII V17-960 Gaming Laptop.
    CPU
    6th Gen Intel Core i7-6700HQ Quad Core processor.
    Memory
    16GB HyperX IMPACT 1600MHz SODIMM DDR3 (2 x 8GB)
    Graphics Card(s)
    NVIDIA® GeForce® GTX 960M - 2.0GB DDR5 Video RAM - DirectX® 12
    Sound Card
    Intel 2 Channel High Def. Audio + SoundBlaster™ Cinema 2 & Realtek
    Monitor(s) Displays
    Optimus Series: 17.3" Matte Full HD IPS LED Widescreen (1920x1080)
    Screen Resolution
    Full HD IPS display (1920 x 1080).
    Hard Drives
    2TB SSD (internal).
    1x 1TB & 1x 5TB external HDDs.
    Cooling
    STANDARD THERMAL PASTE FOR SUFFICIENT COOLING
    Keyboard
    Logitech K800 wireless keyboard
    Mouse
    Logitech M705 wireless mouse
    Internet Speed
    Upto 100Mbps
    Browser
    Edge.
    Antivirus
    Windows Defender & MalwareBytes pro.

Haydon

Well-known member
Member
VIP
Thread Starter
Local time
4:27 AM
Posts
892
OS
Windows 10 Pro
Most if not all MFA suggest to create backup codes so a user can access their accounts should they lose their phone.
A word of caution about backup codes (that you can use only once)

I had quite a few lists each with about 3 or 4 backup codes stored in my password manager. And like everything else, I like to test things out once in a blue moon, but it happened that I corrupted a particular list (I usually recreate the entire list after using just one of the backup codes, but I must have messed up something) So I tried one backup code after the other and I got locked out of that particular site for a day :scream:

It's not the site's fault, but I gave up on backup codes altogether, because I decided that I am not meticulous enough in maintaining my lists of backup codes :(

Backup codes are a good and simple solution, though, provided you can be meticulous over the years (y)

Also if you use a phone & a tablet then you can install an authenticator app & the 2FA will still be available on the tablet if you lost the phone.
That's a good example for the title of this thread (y)(y)
 

My Computer

System One

  • OS
    Windows 10 Pro

Haydon

Well-known member
Member
VIP
Thread Starter
Local time
4:27 AM
Posts
892
OS
Windows 10 Pro
I think that there will be an excellent solution with W11 being able to run Android natively. Then you will have your work computer and your phone (2 devices and only 2 devices) both running the whole MFA gamut (SMS, authenticator app, email, voice, digital certificate, etc) to cover just about any site on the net.

If your work computer happens to be a tablet (like in the previous posting) then that and your phone can be the happy MFA couple. If you like running emulators on your work computer, then Android emulators will run on W10 and earlier. If you like utility apps, then Authy (like in a posting further up) will fit the bill.

I myself plan to move towards the streamlined approach of the first paragraph from my present hodge-podge of approaches to provide redundancy before the fact, wish me luck :cool:

I will mark this thread 'Solved', thanks (y)
 

My Computer

System One

  • OS
    Windows 10 Pro

Winuser

Well-known member
Pro User
VIP
Local time
4:27 AM
Posts
2,795
OS
Windows 11
Folks, your sites must have really lax MFA that can be easily bypassed with a new phone & sim card. Would that not defeat the purpose of MFA, since it would provide no more security beyond a mere password.

More secure, and hopefully more common, is to configure MFA on better sites with with pre-arranged ways to authenticate yourself. If one way fails, then you can authenticate yourself with at least one other way. That's the backups that I am talking about (and that I have used over the years for banks and other important sites)

Makes sense?

Edit: I was thinking of buying a phone with dual sim cards with an office # and a home #. If I go on my famous fishing trip and drop that famous phone in the famous lake, then I would be in double trouble. That's the impetus for this thread, having backups in different physical media that you don't jeopardize at the same time.
They send the code to the phone number you supply. It doesn't matter what phone it is as long as it has the same number.
So where is the problem?
 

My Computers

System One System Two

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    PowerSpec B746
    CPU
    Intel Core i7-10700K
    Motherboard
    ASRock Z490 Phantom Gaming 4/ax
    Memory
    16GB (8GB PC4-19200 DDR4 SDRAM x2)
    Graphics Card(s)
    NVIDIA GeForce GTX 1050 TI
    Sound Card
    Realtek Audio
    Monitor(s) Displays
    Samsung SAM0A87 Samsung SAM0D32
    Screen Resolution
    1920 x 1080
    Hard Drives
    NVMe WDC WDS100T2B0C-00PXH0 1TB
    Samsung SSD 860 EVO 1TB
    PSU
    750 Watts (62.5A)
    Case
    PowerSpec/Lian Li ATX 205
    Keyboard
    Logitech K270
    Mouse
    Logitech M185
    Browser
    Microsoft Edge and Firefox
    Antivirus
    ESET Internet Security
  • Operating System
    Windows 11 Dev
    Computer type
    Laptop
    Manufacturer/Model
    HP Envy x360 15-ds1083cl
    CPU
    AMD Ryzen 7 4700U 2.0GHZ
    Memory
    16 MB DDR 4-2666
    Graphics card(s)
    AMD Radeon
    Monitor(s) Displays
    15.6"
    Screen Resolution
    1920x1080
    Hard Drives
    PCIe NVMe M.2 512GB
    Browser
    Firefox, Edge and Edge Canary
    Antivirus
    ESET Internet Security

cereberus

Well-known member
Power User
VIP
Local time
9:27 AM
Posts
1,669
OS
Windows 10 Pro + others in VHDs
They send the code to the phone number you supply. It doesn't matter what phone it is as long as it has the same number.
So where is the problem?
Yep, OP is flogging a dead horse totally ignoring many sites just only have one method i.e. send a code to a specified phone number.

OP has refused to acknowledge that if you use a second phone for authentication and need to use it to verify a code whilst out and about, you need access to it, it means you have to carry it with you if out and about, negating whole point of his initial post about losing phones..

Equally if at home, you do not need a second phone anyway as you wil not lose phone (temporarily mislay at best), but if you do, how can you run apps that need mfa anyway!.

I give up trying to explain to OP the flaws in their argument!!!
 

My Computer

System One

  • OS
    Windows 10 Pro + others in VHDs
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Vivobook 14
    CPU
    I7
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    N/A
    Screen Resolution
    1920x1080
    Hard Drives
    1 TB Optane NVME SSD, 1 TB NVME SSD
    PSU
    Yep, got one
    Case
    Yep, got one
    Cooling
    Stella Artois
    Keyboard
    Built in
    Mouse
    Bluetooth , wired
    Internet Speed
    72 Mb/s :-(
    Browser
    Edge mostly
    Antivirus
    Defender
    Other Info
    TPM 2.0

Haydon

Well-known member
Member
VIP
Thread Starter
Local time
4:27 AM
Posts
892
OS
Windows 10 Pro
Well, besides myself, there are 2 people on this thread who value a backup device for MFA. If one MFA device fails, then the other MFA device can still be used to access the site and edit the MFA specifics for the site if needed.

The first person uses phone and pc as his MFA devices. The second person uses phone and tablet as his MFA devices. I myself presently use 4 MFA devices, because unfortunately not all my (important) sites work with all my devices (and I want to have at least 2 MFA devices to work for each site as per the first paragraph)

It does not matter if you don't value a backup device for MFA, just don't use it. Some people don't value data backup either :scream:

Edit: ALL better sites provide MFA backup, SMS to mobile PLUS at least one other medium, usually PC- or tablet-based (such as backup codes) but also landline voice, etc. A site without MFA backup is one to be avoided, IMHO.

One more example: one of my most secure sites use a digital certificate that I store in my password manager, so password and MFA are very conveniently stored in one secure place. Of course the site works with SMS to mobile too. And upon login, the site lets me select which one of the two MFAs (SMS from phone or certificate from computer) I want to use that day. The site has in fact a 3rd MFA that I don't use, but I certainly would not use that important site if it had only 1 MFA!
 
Last edited:

My Computer

System One

  • OS
    Windows 10 Pro

swerd

Member
Local time
6:27 PM
Posts
44
OS
Windows 11 Home
I have two Yubikey 5's. One I keep in a safe location and another in my wallet. I also carry on my phone copies of my QR codes for 2FA (in an encrypted 7-Zip file), and another copy on an encrypted USB stick.
 

My Computer

System One

  • OS
    Windows 11 Home

Haydon

Well-known member
Member
VIP
Thread Starter
Local time
4:27 AM
Posts
892
OS
Windows 10 Pro
Well, that makes 4 of us in this thread that value MFA backups. Of course, we all do the loss-of-access prevention in different ways and to different extents. Moreover, the sites themselves provide the loss-of-access prevention in different ways and to different extents.

This thread shows that there are hardware and software products on the market to deal with many combinations of permutations of MFA backups.

I don't want to annoy anyone, but I have always been in favor of doing prevention, MFA backups and otherwise. As my old doc said 'exercise is better than liposuction' :scream: (I am everything else but obese, but my old doc said that to everyone)
 

My Computer

System One

  • OS
    Windows 10 Pro
Top Bottom