Be Careful With Google Backup Codes

I use two-factor authentication. It’s a lot more secure but it’s also a little scary if something happens to your phone. Because of that, I set up backup codes and downloaded a set of ten (you can only get 10 at a time). When it works, it’s nice – you click Try another way and enter the one-time-use code from the stash of ten instead of having a code texted to you.

What Google doesn’t tell you is, if you turn two-factor off and then back on, the backup code setup goes away. It’s not just that the codes you downloaded are invalid, it’s as if you never set up to use backup codes(1). You have to go into your security settings, select two-factor authentication, set up to use backup codes again, and generate new codes. I did not know this. I searched for documentation (“help” files are the only documentation) and I didn’t find it anywhere(2).

An analogy:

My car uses two-factor to start. It has a smart fob – detecting the fob and pressing the Start button starts the car. If the fob battery goes dead and I use the key, the car doesn’t forget how to start normally when I put a new battery in the fob.

I tested before a trip and tried to use a backup code. I didn’t see the backup codes option under Try another way, got frustrated, and pasted the backup code into the field where you normally enter the texted code. It recognized that it was an 8-digit backup code rather than a 6-digit text code and told me to go to Try another way(3). Nice infinite loop there.

When I got in using a texted code, I set up backup codes again and downloaded a new set. I logged out, cleared everything, and closed the browser. When I got back in using a backup code, the email notifying me that a backup code was used told me I had ten codes remaining. I had just used one of the ten one-time-use codes to log in which generated the email notification(4).

    The takeaway

  1. There’s no polite way to put it – the code dealing with the use-case of 2-factor on-off-on is lazy and sloppy. Everything, from your microwave to your TV, remembers a functions settings even if the function is turned off and then back on. If I set my camera’s LCD back light to 3 and turn it off, it’s at 3 when I turn it on.
  2. The documentation is incomplete. In this case, incomplete=inaccurate. The program behaves in a way that is not documented and is counter-intuitive.
  3. The dialog you get if you paste a backup code into the text code field instructs you to do something that does not work. I’m all for re-using code but dialogs need to be tailored to the actual state. A quick check (the program already has the account information) of the state of backup codes could generate a meaningful message without compromising security: If (backup code set up) then (tell the user to use Try another way) else (tell them to use an available option).
  4. This is toddlers using Logo level programming. Seriously: x=10; x=x-1; email x.

Rod Serling voice: Picture this. A man on a deserted island has almost no power left in a satellite phone. Does he gamble on a phone number he’s not sure he remembers correctly or does he try to email to an address he knows is correct? The last time he emailed, it told him he had one code remaining so he tries email. No, he had no codes remaining. His email fails. He dies.

I haven’t tried it but I think the on-off-on scenario might also break the code generation app. It would depend on whether the app generates 6-digit codes like the ones you receive as a text or 8-digit backup codes.

This isn’t saying much, but Apple is worse. It doesn’t tell you while you’re setting it up but Apple’s 2-factor is a one way street. From the Apple support page:

Can I turn off two-factor authentication after I’ve turned it on?

If you already use two-factor authentication, you can no longer turn it off. Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information. If you recently updated your account, you can unenroll for two weeks. Just open your enrollment confirmation email and click the link to return to your previous security settings. Keep in mind, this makes your account less secure and means that you can’t use features that require higher security.