> And how are you supposed to handle the 2FA for your Google account? I mean I have U2F tokens which remove that concern, but that is far from the typical case. If you have the 2FA for your Google account in the Google Authenticator, which is probably a very common case, how does this entire thing work then when you need it, which is when you lose your phone?
You open your safe and you use one of the recovery codes that you wrote down when you set up 2FA.
> You open your safe and you use one of the recovery codes that you wrote down when you set up 2FA.
HN rarely does humor, but when it does, it really cuts deep.
Can you really expect a typical person - including the tech-savvy ones - to keep a hastily written piece of paper for a decade or more, without losing it? My code card is clocking on a decade, I needed it only once (so far), and it's only pure luck that, in all those years, I haven't accidentally destroyed it or thrown it away.
Also: it only recently became apparent just how bad it is to lose access to your Google account. Most tech-savvy people I know don't even realize how many things in their lives are gated by that little login form. Non-tech-savvy folks? Maybe they'll figure it out in a decade, after enough people have been thrust into poverty for the lack of Google 2FA recovery codes - enough that it's as boring a news story as car accidents.
Where do you keep your passport, if you have one? Your birth certificate? Any other important papers you have?
No, it's not reasonable to expect everyone to be well organized. Life can be chaotic. People lose stuff. We know this. Some people are so unfortunate as to lose all their stuff. Repeatedly. The level of organization people have varies extremely.
But I do expect there are hundreds of millions of typical people with houses and sufficient organization to hang onto their important papers, and it's a good idea to add your backup codes to your other important papers. It's good advice, though not always applicable.
Absolutely. Primarily because a passport comes out of a process mediated by multiple humans for whom that is their only responsibility. It's a matter of a few hundred dollars and a couple of weeks to replace it.
I don’t know about replacement but there are lots of delays currently for US passports:
> The processing time for routine applications is taking from 10 to 13 weeks up from six to nine weeks for those who applied before Feb. 6, the State Department said.
> Expedited processing, which costs $60 more, is taking seven to nine weeks, an increase from three to five weeks.
That's pretty absurd and definitely not how long it takes in all countries - but still probably quicker than recovering a Google account which you might not be able to do at all.
All those important papers have recovery processes. It might involve a judge or signing documents in front of stern officials or having friends and family vouch for you, but governments and financial institutions and telcos can do it because they have to. Because life happens, and we can't always control it. But for online services, with no responsibility of care, it is easier to just lose customers than provide robust processes and accept the responsibility of letting you prove who you are. You can be homeless and ID less and still bootstrap all the important stuff, except your email and all the things that require email for recovery.
This is pure speculation and not practical advice, but if you were trying to get into your accounts from a 'starting from nothing' situation, I wonder if you could get a passport etc. and then make a GDPR request for your data from Google?
Obviously you wouldn't be able to get into your account to use Google's built-in tools because you wouldn't have access, but if you sent a letter to their legal team with proof of your identity then they would be obliged to process the request by law (as I understand it).
This might (should) get you your data, but that data won't include your passwords, which (presuming basic competence) Google doesn't store. This means that you are still locked out of many things. The data might also not be in a format useful to laymen and will probably be incomplete in some way, e.g. excluding data you had access to with that account but which isn't your data in Google's opinion, like shared documents.
Google would need to know that remus@gmail.com belonged to the person making the GDPR request, or it would be an attack vector. From the provider's point of view, you are asking for a copy of your data and data about you, and they are not going to give out data that might be yours. Maybe if you had linked a phone number, but even that is arguable.
> Where do you keep your passport, if you have one?
Nearby, 'cause I travel semi-frequently. Otherwise, in one of a few designated drawers. I only kind of care, because replacing it isn't hard, just annoying - and I don't need my passport to get a replacement one.
> Your birth certificate?
Wherever. I don't care. If I need it, I can file a form, pay a small amount, and get an arbitrary number of copies from the local government branch.
> Any other important papers you have?
The only important paper I store safely is the booklet the military gave me when I turned 18, related to the then-obligatory military service (which I didn't go to because of minor health issues). I only worry about tracking it because I don't know the process to replace it, and the military is Serious Business - but then, I'm sure the process exists. Also, I don't worry much, because the chances I'll actually need it for something are nil (if shit hits the fan so much that I'll get called into service, nobody will care about that booklet - they'll hear me speak fluent Polish, they'll give me a gun and send me to the meat grinder).
Also, relevant: most of the important documents - like my national ID (replaced twice over the past few years), passport, contracts, etc. - have an expiry date on the order of 10 years or less. My Google 2FA codes already existed for more, and I expect them to be valid for the next 10 years too.
I do quite a lot of tech support for older people and would add that forgetting passwords isn't the only issue; an even larger issue is people not understanding passwords at a conceptual level.
Try as I might, my mother doesn't understand the difference between an iPad device PIN, an Apple ID (rarely needed), her email password on this same device (Google-based in this case) and add a few dozen more.
All she knows is the device in her hand. The abstract model we have where we separate device, service, app, web page, different companies...simply does not exist for her, it does not compute. So even if she'd have the discipline to write down things, it would still not work. She doesn't even grasp what part is asking for what.
There's a reason big consumer services like Google and Facebook have not enforced 2FA: a vast population will severely struggle understanding what the hell it is and what to do.
Even when you do enable 2FA on Google yourself, it runs in "soft mode". It doesn't ask for 2FA for previously trusted devices/locations. Surely for good reasons.
> All she knows is the device in her hand. The abstract model we have where we separate device, service, app, web page, different companies...simply does not exist for her, it does not compute. So even if she'd have the discipline to write down things, it would still not work. She doesn't even grasp what part is asking for what.
So passkeys would be very practical for her if I'm understanding you correctly.
This is why I don't like when people outright dismiss SMS as a suitable second factor. Yes, it has problems, but it also has a recovery mechanism that is accessible for "ordinary people".
The best solution (for me) would be to connect the Google Account to my government issued identity and utilize the strong authentication provided by government for account recovery.
I've been joking about a need for a "notary factor" for a long time. There's an existing, deep and distributed network of notaries public that could be reused for stronger authentication in the modern world. In classic banking, if you had a recovery problem you could send certain types of notarized letters to get stuff done. It was slow: however long it took to prepare the letter, find a notary public to get it notarized, and then presumably snail mail it to its destination. But sometimes slow is better: if someone is trying to steal my account, if they need to get the right forms notarized and mailed to the right PO Box, there are many steps along the way where I can intercede or a notary public can interject ("I won't notarize this because my ethics do not allow it.") or presumably a human recipient at a PO Box can reject the mail for any number of violations or failures of documentation.
I think it would be great if the recovery mechanism for "ordinary people" took about the same amount of time as a notarized letter. In that worst case where you are locked out of your account for a week or two it won't feel great, but it also helps you feel better that some jerk trying to steal your stuff can't do it any faster either.
There are all kinds of fun technical things that could be used to actually build interesting "notary factor" tools. I think tech companies mostly reject how cool it could be to build because they see "slow" as a "bug" rather than a "feature".
> "I won't notarize this because my ethics do not allow it."
I heard those words uttered at my bank one day, and I became furious. I'd been using, in good faith, a licensed notary at a shipping store, and it turns out he'd been notarizing any damn thing I wanted without regard for proper form.
I had been extremely naive about notaries public, and when I ran into one with ethics, it cast the sketchy dude into sharp contrast.
Thankfully I've had no legal repercussions due to the invalidity of illegally notarized documents in the past, and I haven't needed to notarize something in a while since then.
In France there's L'identité Numerique by the Post Office, where they provide you a digital identity, verified in person by a post office employee, which you can then use to authenticate to various services.
EU ID cards also come with biometrics and NFC included, so they can be used to prove your identity digitally (there was a concept in France for an app that reads the NFC, makes you take a video selfie to confirm it's the same person, and then uses that to securely verify your identity).
I agree with this so much. As someone who has had a fair share of notarial interactions, it's low-hanging fruit that notaries are not being used to authenticate users.
It could even be a means of fighting spam/bots while maintaining anonymity.
It could be suitable, within certain boundaries, but no, given that sim swapping just means bribing (or simply social engineering with a crude fake ID) a minimum wage worker at a mall store, anyone whose identity is worth more than $50 to steal should never even consider it.
For example, if it could only be initiated from a browser where you have successfully signed in on at least two different days, or from a residential IP where you were seen recently.
I would much rather see a mailed postcard, as the last-resort fallback to a TOTP. Better to be locked out of your account for 4 days waiting for the mail, than to be locked out of it indefinitely while the criminal has full access.
> my government issued identity and utilize the strong authentication provided by government for account recovery.
Yes, that seems so obvious and yet to my American ears it sounds almost like science fiction. People here unironically argue that a national ID card is the Mark of the Beast from the Bible.
> I would much rather see a mailed postcard, as the last-resort fallback to a TOTP. Better to be locked out of your account for 4 days waiting for the mail, than to be locked out of it indefinitely while the criminal has full access.
The homeless can receive mail. General Delivery, mail addressed to them care-of some charity organization or shelter, any family or friend.
Mail forwarding is a thing for those who move, although TBH it would be prudent to use the "Do not forward" option on this, as mail forwarding itself is prone to fraudulent usage.
I guess if you've moved, you would need to mail them proof that you lived at the old address and that you live at the new address. I had to do that to claim unclaimed property with the state -- I had to send them some old bills or legal documents showing the old and new addresses.
SMS as a second factor is not bad - it has problems, but those shouldn't make the security worse than no second factor and strictly higher in most situations. The problem is that giving a company your number risks them letting an impostor use it as the only factor or in combination with useless "secrets" like publicly available personal data. This has happened often enough that you have to assume adding a phone number to your account makes it less secure.
> Can you really expect a typical person - including the tech-savvy ones - to keep a hastily written piece of paper for a decade or more, without losing it?
Personally, I keep these in my password manager. My password manager is offline-only, and the database is regularly backed up, so this makes sense for me.
What you're describing already happened. When Google turned on 2FA for everyone, every librarian in the country was inundated by homeless people and old people who had just been summarily evicted from the Internet.
You have that thumb drive backed up? Because thumb drives can, occasionally, spontaneously fail, for no apparent reason whatsoever, and the fire-proof box isn't going to help (hell, it may make matters worse if futzing with it generates ESDs).
Also: where do you keep the encryption key for that thumb drive?
Sure, but you should know that OpenAI disputes the translation of the moto hieroglyph, and they use it to mean "UFO" which is against policy and therefore not allowed in your password.
Any user that didn't pay attention when they were loudly and clearly told "SAVE THESE CODES OR YOU MAY LOSE YOUR ACCOUNT" probably doesn't actually care about their account that much.
Or maybe, when they're first setting this up, excited about the new thing in their life that is their first smartphone or something, they don't realize yet that a couple of years down the line, half the things in their life will be gated by the Google account login form.
When first set up, the Google account really isn't something to care about. It's only over time, as you get used to all the conveniences it offers, that it slowly but surely becomes important.
Uhm, really? Company punts on how to actually secure it by saying "store in a safe place" so now it's all on the user? Aren't we back to writing your long, complex PW on a post-it note then, with the extra step of "lock up your post-it!"?
> Company punts on how to actually secure it by saying "store in a safe place" so now it's all on the user?
Yes, it's on the user, who else would be responsible for that? A Google employee isn't gonna go to your house to install a safe for you so you can store it securely. You can argue all day that the average person often can't be trusted with these things, but I fail to see how this is anyone's problem except their own. At some point we need to stop treating adults like babies that need their hands held through everything and let them learn that their decisions have consequences.
99% of people don't need that kind of security anyway, just keep a piece of paper with the codes somewhere hidden that you can remember; you don't need to have access to them all the time, unlike a normal password.
> at some point we need to stop treating adults like babies that need their hands held through everything and let them learn that their decisions have consequences.
Never underestimate the massive market advantage gained from treating adults like babies and handling all manner of frustrations for them.
UX researchers would call that "A good user experience."
I much prefer this approach (and can take responsibility because I feel perfectly empowered to make as many copies and backups of my recovery keys as I need to make it effectively impossible for me to ever be locked out), but this whole thing points to how giving people the security they claim they want is at odds with their convenience at every touchpoint. I have repeatedly refused a family member's request to set a front door access code that is any family member's birthdate, a very common habit because that's the kind of thing people want to use.
I continue to believe that security for nontechnical users is not a solved problem. WebAuthn or whatever may someday help solve this puzzle, but only if someone packages it in a way that is so frictionless that it's easier than just using your birthday and initials as your password for every account like my dad did. And if the recovery story for the "All my electronic devices fell into a lake" situation is something less exploitable than the pathetic SMS. I'm thinking notarized letter, as someone else pointed out.
Can't really blame the user when every (software) license agreement they have to click on also has more than 50% all caps. It's a form of fatigue.
Even as a technician I stopped caring about all caps and the license agreement. It boils down to two choices: "You want to use this? Click yes and agree on things you don't understand" or not use it at all.
Yes. I'm not talking about a safe like you can see in the movies. Just a locked box.
> Where I'm from, we generally don't use safes.
That's on you.
> Do you consider your safe to be... safe? I'd imagine it to be relatively easy to get into, by picking the lock or sawing through the safe.
That's not the point. 2FA is about thwarting password leaks. If someone has physical access to my house and knows my passwords, I'm screwed, yes.
But since I don't live in a Jason Bourne movie, my threat model isn't a ninja who steals my passwords then comes into my house to hack my tiktok account. My threat model is breaking my phone and knowing that my backup passwords are in a minimally safe place where I expect them to be and weren't carelessly thrown away with old documents; and deter casual "attackers" like a niece who could be inclined to plunder my papers for coloring material.
And if I did live in a Jason Bourne movie, I'd expect the ninja to just beat me up when I get home and unlock my safe for him, assuming I had bought an unbreakable safe.
> And if I did live in a Jason Bourne movie, I'd expect the ninja to just beat me up when I get home and unlock my safe for him, assuming I had bought an unbreakable safe.
Here I was thinking you might blow him up with the toaster. Or crash him into a garbage truck after an extended car chase.
We live in the era of smart toasters. You'll need to use your 2FA tool before you can blow someone up with it, which kind of defeats the point when chased by a ninja that's after your 2FA tool.
In some places the general level of trust is so high that things like theft simply do not happen.
Yes, there's a possibility one might lose valuable stuff not kept in safes. There's also the possibility of losing the keys (or forgetting the combination) of the safe.
And lastly, wouldn't it be so badass ironic if the safe sent a code to your email for verification? :D
I mean, you should have a safe for a million reasons. Mine was bought from Groupon for $50 and wouldn't even keep out a determined teen if they didn't mind the intrusion being detected.
It just gives you a single location in your house which you know nobody could accidentally open up and misplace the contents. It's where our passports and other foundational government documents, ATM cards, and yes, 2FA materials go. When you keep that kind of stuff in say, a desk or nightstand drawer, it's vulnerable to the 'oh crap, we cleaned out that drawer' attack, where you or your family members toss that stuff inadvertently.
It sounds like you're choosing to interpret "safe" far too narrowly. I understand for opsec you likely don't want to share the specifics, but if you have "all the benefits" of my safe, good for you, sounds like you've got a safe:
* Single location for things you've only got one of, or which are super valuable and small
* Not somewhere that a burglar would just immediately check (rules out places like "nightstand drawer")
It sounds like you're just bragging that you've saved $50 by not having a true lock on your thing. I'm guessing you're pretty sure you've hidden it so well that a lock isn't worth "bothering with." Good for you! Enjoy your safe regardless.
The main purpose of a home "safe" is fire protection. If my house burns down, the contents of my safe should be fine. Obviously a sufficiently motivated adversary can get in. But that (usually) isn't something I am worried about. Most internet hackers do not physically break into houses and open safes.
Yeah, we actually keep the key in the lock in ours. If someone gets in and really wants to steal it (note to potential thieves: there isn't anything worth your while), they could just carry the whole safe with them. It's only for preserving important documents in case of fire.
Many safes allow for securing to the floor, making porting it away require a bit more effort, possibly including power tools which are quite loud. Also they're quite heavy usually.
I remember as a child someone broke into our house while we were away to steal stuff. The safe wasn't bolted down, and they carried it from one end of the house to the other before giving up, either because they got spooked by something and bolted or because it was just too damn heavy.
Think about the logistics of it. If they're stealing a safe, that probably requires a vehicle. A vehicle is more identifiable and unless stolen makes it easier to track people if noticed or recorded. If stolen, there's a chance it will cause a problem immediately before, during or after the crime. If they don't use a vehicle, all the benefits of not using one, such as being able to take non-road paths and blend into crowds are negated. And if they choose to crack the safe on location, that adds time to the crime while doing so, and all time spent at the location of the crime increases the chance they'll be caught because someone notes something suspicious.
Like a lock on a house, a safe within a house serves its purpose not by making it impossible to gain access but by making it much more troublesome and likely to be noticed, changing the risk to reward ratio.
The house next door to me caught fire. By the time I saw the flames from my window and ran out the door, the fire truck was already preparing to douse the flames. Yes, I am lucky to live in an area with fast responses; no, not everyone is so lucky, yadda yadda yadda. But safes help. So do fire extinguishers. Get one for every floor in your house.
30-60 minutes is a very long time, do fire departments normally take that long to start dumping water on the house? Some site says "NFPA Standard 1710 establishes a 320 second or 5 minutes and 20 seconds 'response time' goal for not less than 90% of these type incidents."
A safe is extremely safe against hackers on the other side of the world. Quite safe against more local threats without special equipment and time on their hands.
I'd recommend obfuscating the codes in the event that you lose your wallet. You don't want a bad actor to find it and realise they can gain control of your account though they'd need to figure out your email first.
They need to figure out your email and password from your wallet contents, which is improbable. Anyone who takes your wallet just wants the cash and credit cards - and they toss the rest.
You can also buy a few cheap RFID stickers that can be overwritten from your phone. The cheapest stores like a kilobyte or so, which is plenty for quite a few codes.
You can glue them in inconspicuous "boring" places in plain sight, like under a mousepad or behind a movie poster hung on the wall.
Great way to hide secrets in your home without owning a traditional safe (which just screams "steal me! I'm the valuable thing in the room!" anyway.)
I keep all the backup codes in my wallet, next to the $5000 in small bills.
/s
My backup codes are filed in an expando-file. There are far too many to cram into a wallet. Also, if I'm carrying them around with me when I don't need them, my risk/threat model now includes loss and theft of wallet. That's ridiculous and unnecessary.
Why would you label your backup codes as to what they go to? Of course that's silly. But if someone does get your wallet they still need to know the website they are for as well as your login and password. It is low risk.
Or just ignore the backup codes altogether. We mostly have "fake 2fa" - where you can reset your 2fa auth if you lose your device because otherwise customer support would be impossible. Almost every service allows this.
I don't understand this. Many backup code lists do print with very limited or no information on the account they match. But what is the need for this cloak and dagger? A backup code is only one piece of the puzzle and can easily be stored securely, "secreted away" if you will.
If I don't label my backup codes with account information, how do I know which code to enter when recovering an account? Trial and error across 20-30 scraps of paper?
When I was younger, I was run over by a car. The stuff I had been carrying was left at the scene and later blown away (or picked up by a street sweeper). Back then, textbooks cost less than rent payments. But I did have to do that homework all over again.
Relative to a naively imagined abstraction of a safe, perhaps.
A decent home safe can be reasonable protection against that loose scrap of paper with backup codes ending up in the trash can and may even keep it legible in the event of a house fire. But it is true, it won't be much help if you are targeted by safe crackers.
Most decent safes are not trivial to pick, often using circular keys instead of the flat ones requiring a different type of pick. Newer safes don't even have keyholes but require that you actually know the combination.
As for drilling or sawing through it, that's going to take hours to do.
> As for drilling or sawing through it, that's going to take hours to do.
This is true for expensive commercial safes, but not for home safes. You can drill/saw through them relatively quickly. What you can't do is drill/saw through them without making a whole lot of noise.