Two-Factor Authentication Is Ruining My Life and It's All My Fault

Illustration for article titled Two-Factor Authentication Is Ruining My Life and It's All My Fault

Sorry if I missed any emails from you this past week. I've been doing all my work email from my phone. It's the only way I can see it, and it's all two-factor authentication's fault. Well, and also mine. Because I am an idiot. Don't make the same mistake I did.


Two-factor authentication is supposed to be keeping me safe by forcing me to answer my phone before I can login to my Google account. And it is! It is keeping me safe from me.

Yes I will print out those one-use backup codes later. I told myself. Maybe you've told yourself the same thing. I actually did it with my personal account, but with my Google Apps work email I just never got around to it. I also never got around to setting up any back-up phones or alternate verification methods. No texts or Google Authenticator action here. It's a phone call or nothing.

And therein lies the problem. I have two phones, and no number for either.

How I got there is a long story, but here's a summary: On Sunday I switched my service to a new, nano SIM card to give my Nexus 5 a break and try out a Moto X. But the Moto X is locked to AT&T (an unrelated dumb thing I could have avoided) and I am T-Mobile. And now my phone number is trapped on a SIM card I can't fit back into my old phone. Weeeeeee.

This is not a big problem in and of itself. I rarely call people. I rarely even text people. And there's no one who I can't just reach with an email or a Skype call. But my work email account—managed through Google—will not accept a Skype call or email for two-factor authentication.

So when Google asked me to refresh my credentials on Tuesday, and proceeded to call the number that I can't use, I was screwed. Not (just) because two-factor authentication is a pain in the ass, but because I never bothered to set up any alternates. Because I am an idiot.


It's worth mentioning I'm not really screwed. It would be worse if I lost my phone! I can still look at emails on either of my data-less devices if there's Wi-Fi around. I can loiter around an idling charter bus on 53rd street and leach off its Wi-Fi hotspot to send an email to Amazon confirming seats for its upcoming phone launch. NO BIGGIE. All told it's a pretty minor inconvenience but I swear to god it is ruining my life.

And it's not like I couldn't solve this problem other ways. I could wait in line at a crowded T-Mobile store and switch to another new SIM. I could borrow a coworker's iPhone for the express purpose of popping in my SIM and taking a single call. I could "Contact [my] domain IT administrator to reset your password or retrieve your username" like Google so calmly suggests when I yell at it and hammer on my keyboard.


But instead I'm just watching the tracking information for the SIM card adapter kit I ordered on Amazon (out for delivery!) and seeing how far I can push the limits of both my laziness and my frustration. And it all could have been avoided if I'd taken the extra five seconds to type a back-up phone number into my account. Or copied down just a single one-use backup code.


So please, learn from my mistake and save yourself. Don't wind up in these mildly uncomfortable shoes. Don't be an idiot. I'm told it's not that hard.

But I probably still won't write down a back-up code anyway.

Update: The SIM card adapter showed up and when I plugged it back in I had 17 voicemails from Google, each one just had the last number of a verification code and then "Goodbye."


I haven't set up any alternate verification methods yet but I swear I will do it later.



I've had a couple near-misses with authentication.

One (that's actually happened a few times): When you have it turned on and are activating a new phone, you get a text with a 6-digit code to log into your Google account - required to activate Android. However, UNTIL you've set up your account, you can't get in to the text message app! So you have to catch it AS THE TEXT SCROLLS PAST on the notification bar and hope you remember it.

Two: At one point, I really did get locked out. It was the weekend and although I have my backup codes printed.... somewhere... at the office, I really wasn't going to come in. Instead I had to answer a crazy number of weird Google backup questions (when did I get a Gmail account? I HAVE NO IDEA, BUT AT THE TIME I WAS LOOKING FORWARD TO A KERRY PRESIDENTIAL ADMINISTRATION; type in three labels in your Gmail, etc.). I narrowly, narrowly could prove my identity to Google.

It isn't fun and we need a better system. How about this? Place photo ID on desk, and lean over desk with camera, facing the front camera. Turn both cameras on. Verify the face in front of the phone is the face on the ID (bonus if it matches stored image on the server of the person), and the name on the ID is the name of the person. This is what humans do to verify identity. Is it hackable? Yes. Is it any less insane than the shit we put ourselves through to stay semi-SEMI-secure online these days? Not really.