Accessing Apps When You Don’t Have Your 2FA Authenticator - Using 2FA Backup Codes
I recently realized that not everyone knows about app-generated, copy/paste 2FA backup codes.
I was posting about sharing 2FA codes with team members in my FBGroup and an inquiry came up asking what these wee bits of magical security are (the inquirer didn’t call them “wee bits of magical security”, that’s all me). I couldn’t find a good article to reply with about them that wasn’t app-specific.
So I decided a quick overview - right here, right now - was in order.
When you implement 2FA on your apps - you have 2FA on them all, right? - they churn out a dozen or so codes and tell you to copy them and put them somewhere that can be securely accessed. Not everyone does as they are told (my enthusiastic dog doesn’t for sure) and they almost never implement a process and a secure, shareable place for these codes.
But everyone should do this!
“Why, Kellie? We use an authenticator to generate codes whenever we log into our apps.” Well, because, friend, your authenticator can be offline (apps do go down…), you may have lost, damaged or left elsewhere the device that your authenticator is on, or you may need someone else to be able to access your 2FA’d apps. Or maybe, just maybe, your phone is a rabbit hole that you should not pick up while working!
Of note: Some authenticators do not sync, so your in-the-moment codes will not carry over to a new device if your phone goes astray. You have to start the whole process of re-authorizing your apps to a new device. One… at… a… time…
I have recently started using Authy* for my authenticator so I can share codes with my team member, Marissa. It is available over multiple devices so the pain of sharing (in not-so-real-time - I’m a morning person, she’s a night owl) 2FA codes could be more seamless. There are a few issues even with a multi-device authentication process though.
Two are the same as with a single-device authenticator:
Authy could go down
One of us may not have our phone available
Some apps are not “on” Authy
This is where the originally generated copy/save backup codes come into play.
If you have a process and place for these codes you can still access your 2FA’d apps no sweat.
I store mine in my practice management app, Financial Cents. It has a “Client Vault” feature where you can securely store login details. I use it for all kinds of reasons including but not limited to clients’ vendor logins (grabbing bills for vendors that don’t fetch can be a value-add service) and read-only bank access. I created a “client” for this and that is where the codes are stored and can be accessed across the team. The process includes deleting codes as they are used.
Previous to Financial Cents I kept them in QBO notes. You could also create a doc or spreadsheet of course.
I shouldn’t need to mention this but here goes - don’t name it “Authenticator” or “2FA Backup Codes” or some such, no matter how restricted the access is.
#SorryNotSorry to those of you who would never do this. If I save even a single one of you from a poor naming convention security choice I will have accomplished something with this post.
I have mentioned redundancy for the sake of redundancy many times. I’m a regular harpy on it. This is another fine example of where multi-location data storage comes into play. Yes, there are apps for authenticating across multiple devices, accessible by multiple people, but for crying out loud do not be dependent on any single app or process to be able to get shit done when you need to.
Join Your Peers Here
If you are a member of Rootworks you should join Gavin Cutler of Rewind and me this week, discussing how Rewind Backups for QuickBooks Online bring data security to cloud-based accounting.
December 10, 2021 2:00 - 3:00 EDT
What’s Cooking?
Roasted Red Pepper Dip is a super quick, yummy thing! And it is a great base for many other super quick, yummy things.
Here’s how to make it and then how to re-purpose it.
Drain a jar of roasted peppers, ideally the kind with garlic in it and dump into a mixing bowl or a small food processor
I roast red peppers with garlic myself and keep in the freezer so that’s an option too
Add in salt, pepper, a half of a small can of tomato paste and softened cream cheese (I like a few chilli flakes in mine too)
I freeze the unused half of tomato paste in a snack sized zippy
Add in basil - fresh, dried, frozen - any option is good
Immersion or processor blend until smooth
Add more cream cheese if it is not “bread consistency”
It’s great as an appie or snack with crunchy bread, warm or cold
Sharp cheddar goes well on the bread with this too
Loosen it with either (or both) stock and cream, add more basil and salt, immersion blend to make a sauce for noodles.
Heat a can or fresh or frozen diced tomatoes, add the red pepper dip and cream, immersion blend to make a soup. You may want to add more basil and salt to this one too.
Buon appetito
::Shameless Call To Action::
Since this blog speaks to best practices and processes I’m going with a 25% discount code on my Standard Operating Process Guides.
Code: SOP
Get you and your team on the path to consistent, next level bookkeeping.
These are for cloud bookkeeping - apps include QBO, Dext, Hubdoc, Plooto and Rewind
You can easily sub apps for your stack
There are full cycle and cash coding versions, Canadian and International versions
They include SOPs for effectiveness in your Chrome browser, next level app efficiency and overall practices
And how to’s on the things people don’t do properly, or don’t do at all, cause they don’t know how to - stale dated payments, returned payments, zero sum sales receipts, QBO tax code wrangling…
* Any app name ending in “ly” rankles me. Anyone else find it just too cutesy?