“953905 is your one-time password. Do not share it with anyone.”
If you’ve ever received a text message like this from your bank, your cable company or Amazon, you’re using two-factor authentication to secure your online accounts. Nice job.
If you’ve never seen one of these before, however, that’s worth fixing. Beyond using good passwords from the get-go, using two-factor authentication — or 2FA — is one of the best ways to make sure your accounts don’t fall into the wrong hands. Think of it as an extra layer of security, one that forces you to prove your identity by sending a code to a device only the real deal would have access to. Frequently, that means our phones. And take it from me: Forgetting to set it up can be costly.
Two years ago, someone gained access to my Airbnb account and managed to book three different stays in Wroclaw, Poland, for the same four-day stretch in early August. Total cost to me: $863.70, all for a trip I had never wanted to take. (That said, Wroclaw does sound like a nice place to spend some time.)
Airbnb eventually sorted everything out, but nothing would’ve needed sorting at all if I had turned on 2FA in the first place. That way, the hacker(s) would’ve needed a special code sent to my phone before they could even think about getting into my account. Even so, 2FA still comes with a catch: Because many of us use our phones to verify our identities, we can too easily find ourselves scrambling when something happens to those devices.
“I use [2FA] for several important websites, including access to banking and other financial needs so my phone has become more important all the time,” reader Hobe Darbyshire wrote in an email to the Help Desk. “What happens if I lose my phone or it gets stolen?”
In situations like these, it can be hard not to think of the worst-case scenarios. Our advice? If you find yourself facing this problem, take a deep breath and work through the following steps.
Lots of companies and services try to verify your identity via codes sent to you in text messages or in phone calls. (In my experience, this is especially true of banks.) That means regaining control of your phone number is crucial.
If you’ve lost track of your phone and are fairly sure you’re not getting it back anytime soon, your first step should be to contact your wireless carrier. Calling a customer service line is a good start, but if you can, we recommend going directly to a carrier store for more immediate help.
Once you have someone to help you, work with them to figure out the best way to get your phone number back. This can happen a few ways: If you’ve been paying for insurance, they can transfer your service to an older phone until you can sort out a more permanent replacement. Or maybe they’ll activate a new SIM card — the tiny chip tied to your phone number — so you can slip it into an older phone you have lying around.
If you’re fast enough, that should mean whoever has your phone won’t be able to receive incoming calls and messages meant to verify log-in attempts.
Some services allow you to create “backup” codes in case you lose access to your phone. Think of these as powerful last resorts: They’re generally designed to bypass other security methods and grant access to your accounts and information if your phone gets lost or stolen.
That said, these are not passwords. The services that offer these codes tend to give you a bunch (usually 10) at once, and each code can be used to unlock your account only once. (In other words, protect these codes as best you can.)
The downside? Broadly speaking, backup codes are pretty uncommon. Companies like Google and Twitter allow you to create them once you’ve set up two-factor authentication, and the government will let you do the same if you ever have to use Login.gov. Unfortunately, single-use backup codes seem less common among banks, which is usually one of the first things people fret about when their accounts are at risk.
Sometimes, services will try verifying your identity by sending a code in an email to an address they have on file. That can be convenient if your phone goes missing, since you probably won’t have too much trouble reading an email in a Web browser. But if someone managed to grab your phone while it’s still unlocked, those emails might be visible to them too.
If that lost device is a smartphone, there’s a quick way to prevent anyone from prying: Lock it down when you notice it’s missing. That will force whoever has your phone to punch in whatever PIN code or password you’ve already set up before they can access any of your data. Here’s how to do it.
For an Android phone
For an iPhone
Once you get into these specific settings for your smartphone, you’re also given access to the nuclear option: remotely erasing your phone entirely so there are no juicy accounts and saved passwords for anyone to even pry into.
For Android phones, follow the steps above and click “Erase Device” instead of “Secure Device.” For iPhones, follow those same steps and click “Erase iPhone” instead of “Lost Mode.” No matter which phone you use, you’ll be asked to confirm your choice one last time before the remote wipe begins.
People tend to think about this option differently — some people like to erase their phones the moment they go missing, while others think of it purely as a last resort. Our advice: The moment you’re fairly sure your phone won’t make it back to you soon is the moment to really consider erasing it.
Help Desk is a destination built for readers looking to better understand and take control of the technology used in everyday life.
Go deeper: Tech in Your Life | Tech at Work | Your Data and Privacy | Internet Access | What’s New | Ethical Issues
Data and Privacy: A guide to every privacy setting you should change now. We have gone through the settings for the most popular (and problematic) services to give you recommendations. Google | Amazon | Facebook | Venmo | Apple | Android
Ask a question: Send the Help Desk your personal technology questions.
News•
News•
News•
