In addition to your password, Login.gov requires that you set up at least one authentication method to keep your account secure. This is multifactor authentication (MFA). We use MFA as an added layer of protection to secure your information.
Security
Although you can choose from several authentication options, some methods, such as face or touch unlock, security keys, and PIV/CAC cards, are more secure against phishing and theft: the private key never leaves the device or card and the response is bound to the legitimate site, so it cannot be captured by a look-alike page or reused elsewhere.
Assuming your credential is only saved to your device, you must always use the same device and browser to authenticate with Login.gov using face or touch unlock. If your credential is saved to the cloud, you will be able to authenticate using face or touch unlock across multiple devices.
We strongly recommend you add a second authentication method in case you change or lose your device. If you lose access to your only authentication method, you will need to delete your account and create a new one.
Authentication applications are downloaded to your device and generate secure, six-digit codes you use to sign in to your accounts. While authentication applications are not protected if your device is lost or stolen, this method offers more security than phone calls or text messaging against phishing, hacking, or interception.
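The six-digit codes an authentication app shows are time-based one-time passwords (TOTP, RFC 6238) computed from a secret shared with the site at enrolment. The Python below is an added example, not Login.gov code, that implements the computation and the server-side check. It uses the RFC 6238 test seed as a constructed sample secret so the outputs are checkable, and the one-step drift window is an assumption. It also shows why two copies of the same secret produce identical codes, which is why the secret, not any code, is the thing worth backing up (the Google Authenticator discussion later on this page makes the same point).

```python
import base64
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed sample secret: the RFC 6238 Appendix B test seed (ASCII "12345678901234567890").
# A real enrolment secret is random; this one is used only so the outputs below are checkable.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def new_secret(nbytes: int = 20) -> str:
    """Generate a fresh random enrolment secret, base32-encoded as it appears in the setup QR code.
    This string is the whole credential: anyone holding it can produce every future code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1: MAC the 8-byte big-endian counter, dynamically truncate
    to 31 bits, reduce mod 10^digits and left-pad with zeros."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the counter floor(unix_time / step). With the default 30-second
    step the code changes every half minute, so the secret, not the code, is what to back up."""
    t = int(time.time()) if at is None else at
    return hotp(secret_b32, t // step, digits)


def verify_totp(secret_b32: str, candidate: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and +/- `window` neighbouring
    steps to tolerate clock drift (window=1 is an assumption). Every candidate is compared in
    constant time so a mismatch does not leak how many digits were right. A real server must
    additionally refuse a code already accepted for the same step, otherwise a phished code can
    be replayed within the window."""
    t = int(time.time()) if at is None else at
    expected = [hotp(secret_b32, t // step + k, digits) for k in range(-window, window + 1)]
    ok = False
    for e in expected:
        ok |= hmac.compare_digest(e, candidate)
    return ok


if __name__ == "__main__":
    secret = new_secret()
    now = int(time.time())
    # Two "devices" enrolled with the same secret agree on every code; a different secret does not.
    print("device A:", totp(secret, now), "device B:", totp(secret, now),
          "other secret:", totp(new_secret(), now))
    print("accepted:", verify_totp(secret, totp(secret, now), now))
```

Run directly, it prints the current code for a freshly generated secret and verifies it; with a real enrolment secret, never print or log the secret itself.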
Using a security key is more secure than relying on your phone because it has built-in protections against hacking and phishing attacks. Login.gov requires security keys that meet the FIDO (Fast Identity Online) standards.
If you choose phone calls or text messages, a less secure option, enter a phone number at which you can receive calls or texts. If you only have a landline, you must receive your one-time code by phone call. Login.gov cannot send one-time codes to extensions or voicemail.
Backup codes are an accessible option for users who do not have access to a phone. However, backup codes are the least secure option for two-factor authentication: they must be printed or written down, which makes them more vulnerable to theft and phishing.
If you select backup codes, Login.gov will generate a set of ten codes. After you sign in with your username and password, you will be prompted for a code. Each code may be used only once, in any order. When the tenth code has been used, you will be prompted to download a new list. Treat your backup codes with the same level of care as you would your password.
Physical PIV (personal identity verification) cards and CACs (common access cards) are secure options for federal government employees and military personnel. The card's chip holds the private key so that it cannot be copied off the card, and using it requires the card's PIN, which makes these cards resistant to phishing and difficult to misuse if stolen.
Warning: Setting up your account with backup codes as your only authentication method is not recommended. If you ever lose your backup codes, you will not be able to sign in to your account.
Note that when using a USB flash drive, we strongly recommend that you keep one dedicated to backup codes for Stripe and other websites and only ever plug it in to add or read a code. This makes it harder for malware to read the credentials.
I have a problem. Today I set up my Nextcloud and wanted to activate two-factor authentication right away.
I logged in as admin and activated two-factor authentication. As I thought that you have to configure two-factor authentication first, I logged out immediately. Of course, I did not save the backup code.
Thanks for reaching out! PayPal wouldn't necessarily offer any kind of backup codes since a new one is generated every 30 seconds. If you were to lose your phone / authenticator, you would need to reach out to our Customer Support to disable that 2FA method.
Hello @PayPal_JonK - I have an additional question on this topic then: considering that 2FA's purpose is adding another level to the basic login credentials, how does PayPal prevent a scenario where my login credentials are already leaked (not the core of my question) and whoever gets my leaked credentials calls PayPal Customer Support to disable the 2FA? How would Customer Support confirm the identity of the caller?
I think the common practice of services providing a limited number of static backup codes for cases of losing the device with the code generating app (they usually have more digits) when activating 2FA is useful because it's still another level of security. While calling a customer support to just turn the 2FA off seems like the weakest link of the security to me, making the whole system actually not that secure. Is that not so?
Backup codes are a common backup plan for authenticator apps and are used by many major industry and security leaders. They also help prevent social engineering tactics, which are used more and more often every day and would be employed were I to need to call, as you suggested. Please provide this feature. Having my phone number as a secondary 2-step authentication almost causes more vulnerabilities than it prevents, as it has been shown to be very vulnerable to man-in-the-middle attacks.
You obviously don't understand what backup codes are and how they work. Also, it is extremely worrisome that one can bypass 2FA by speaking to Customer Support. It means that with some amount of social engineering, one can break into a 2FA-protected PayPal account.
So here is how the rest of the industry manages this: you are given a set of one-time authentication codes that you need to store securely. Each of them can be used as a 2FA key, but only once. This allows you to log into your account should you lose your authenticator device.
[quote]Thanks for reaching out! PayPal wouldn't necessarily offer any kind of backup codes since a new one is generated every 30 seconds. If you were to lose your phone / authenticator, you would need to reach out to our Customer Support to disable that 2FA method. [/quote]
That's not what backup codes are. Backup codes are a series of one-time codes that you give a user when he/she registers 2FA, and that allow connection in place of the authenticator, and allows you to disable/re-enable 2FA on another device (which is massively useful if you lost your phone and no longer have access to the Auth. App).
I felt the need to join the Paypal community site just to chime in on this. It's crazy that this standard mechanism is unavailable, and crazier still that over a year later the only response "from Paypal" is an entirely pointless response from a moderator who didn't understand the question.
This really isn't good enough, especially when the "backup" is apparently to call and get support to disable it... at least tell us how you believe this to be secure? There is no piece of information that a dedicated intruder couldn't procure to offer as "proof" of my identity, that is the entire problem that 2FA is supposed to avoid. Getting it disabled should be absolutely a total last resort, and require something close to being truly infallible. Do you replicate the setup by sending a small payment to my bank account with a code attached to it? Keeping my financial accounts secure is (as you'd expect) very important to me, I really would like clarity on Paypal's security mechanisms.
If for example, you have an account (say GMail) that you've protected with GA-based 2FA, then you could generate backup codes for GMail, from GMail Account Management / Security menus. Since the backup codes need to be recognized by GMail, they are generated in GMail - not GA.
Edit: To backup all the accounts you have on GA, you need to backup the "App-specific secret" (usually a long hex string; or a QR Code that has the string) for each account/app. AFAIK, GA doesn't use online storage to backup your GA-enabled accounts.
I agree with you that the "philosophy" behind Google Authenticator's "only one device" is profoundly broken, because in as much as it tries to avoid "copying" the keys, it exposes you to the risk of a broken device. Electronic devices can fail. You need a backup. Happily, Google Authenticator's keys can be extracted: -authenticator-databases-move-copy-fix.html
If you have installed a custom ROM, you can get the file by going in the file manager to twrp\data\com.google.android.authenticaitr2\database\database, then copy that file and save it somewhere else or on the desktop. Now open the downloaded software DB Browser for SQLite.
Note: If your account has SMS text message two-factor authentication turned on (and when it is the only two-factor option turned on) and you're still logged in, you can remove your phone from your Mobile settings on X.com. Click Delete my phone and two-factor authentication will be automatically turned off for your account.
A backup code is automatically generated for you when you turn on two-factor authentication through your iOS or Android X app. You can also generate a backup code on twitter.com. Write down, print or take a screenshot of this backup code. In the event that you lose your mobile device or change your phone number, you can use this backup code to log in to your account. Backup codes are not the same as temporary passwords.
Note: You can generate up to five active backup codes at any given time. Be sure to use the codes in the order in which you generated them; using a code out of order will invalidate all previously generated codes.
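The two backup-code policies on this page differ in one rule: Login.gov issues ten codes that can be used once each in any order and asks for a new list after the tenth, while X keeps up to five active codes and invalidates every earlier code when a later one is used out of order. The Python below is an added example, not Login.gov's or X's code, of a server-side store that implements both rules behind one `ordered` switch. The code format (16 hex characters shown in groups of four), salted SHA-256 storage, and the choice that generating a new list retires the old one are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List


class BackupCodeStore:
    """Server-side record of one account's backup codes.

    ordered=False: any unused code is accepted, each exactly once, until the list is empty
                   (the Login.gov behaviour described above).
    ordered=True:  codes are expected in generation order; redeeming a later code also
                   invalidates every code generated before it (the X behaviour described above).
    Only salted hashes are stored, so a leaked table does not hand out usable codes.
    Format (16 hex characters in groups of four) and replace-on-regenerate are assumptions.
    """

    def __init__(self, count: int, ordered: bool = False):
        self.count = count
        self.ordered = ordered
        self.salt = secrets.token_bytes(16)   # per-account salt, stored alongside the hashes
        self.hashes: List[bytes] = []          # unused codes, in generation order

    @staticmethod
    def _normalize(code: str) -> str:
        # Users retype these from paper: ignore separators, spaces and case.
        return "".join(ch for ch in code.lower() if ch in "0123456789abcdef")

    @staticmethod
    def _pretty(code: str) -> str:
        return "-".join(code[i:i + 4] for i in range(0, len(code), 4))

    def _hash(self, code: str) -> bytes:
        # Codes carry 64 bits of entropy, so one salted SHA-256 is enough; a shorter
        # format would need a slow hash or a server-side pepper as well.
        return hashlib.sha256(self.salt + code.encode()).digest()

    def generate(self) -> List[str]:
        """Issue a fresh list and retire any previous list. The plaintext is shown to the
        user exactly once; the server keeps only the hashes."""
        codes = [secrets.token_hex(8) for _ in range(self.count)]
        self.hashes = [self._hash(c) for c in codes]
        return [self._pretty(c) for c in codes]

    def remaining(self) -> int:
        return len(self.hashes)

    def exhausted(self) -> bool:
        """True once the last code is used: the point at which Login.gov prompts for a new list."""
        return not self.hashes

    def redeem(self, submitted: str) -> bool:
        """Consume a code. Returns True only for a valid, still-active code."""
        digest = self._hash(self._normalize(submitted))
        # Check every slot with no early exit and constant-time comparison, so response
        # timing does not reveal whether or where a guess matched.
        index = -1
        for i, h in enumerate(self.hashes):
            if hmac.compare_digest(h, digest):
                index = i
        if index < 0:
            return False
        if self.ordered:
            del self.hashes[: index + 1]   # this code and all earlier ones are now dead
        else:
            del self.hashes[index]         # only this code is consumed
        return True


if __name__ == "__main__":
    login_gov_style = BackupCodeStore(count=10)
    codes = login_gov_style.generate()
    print("issued:", codes)
    print("use #8:", login_gov_style.redeem(codes[7]), "reuse #8:", login_gov_style.redeem(codes[7]))

    x_style = BackupCodeStore(count=5, ordered=True)
    xc = x_style.generate()
    print("use #3 first:", x_style.redeem(xc[2]), "then #1:", x_style.redeem(xc[0]),
          "remaining:", x_style.remaining())
```

The ordered policy is the stricter one: it trades the convenience of any-order use for a guarantee that a code copied from the top of the printed list becomes worthless as soon as the legitimate owner has moved past it.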
All of them are great: in case I lose my phone, and the offline, time-changing 2FA codes are lost from my possession, I can still have these backup codes, which I can print or store to get back into my accounts through the Reset Password / Recover Account process.
For now the only way to recover your account with 2FA is recovering it with an SMS phone number too. That means requiring 2FA + SMS verification to be present. Is this true? I also want to remove my phone number, for maximum security against SMS hijacking, or in case I lose my phone too.