S&*!t! I’m Locked Out By Google Authenticator and I Can’t Get In!


Get Shift Done: Tips and Tricks

It’s great to depend on Google’s authentication system to confirm your identity on an online application’s website — until it doesn’t work. If you’ve ever been locked out of your own life, here’s how to work around that conundrum.

The authentication process is a little hard to explain, so let me give you an example to show why it matters. Let’s say your old cell phone died and you bought a replacement. After you restore all your apps and your contacts, you are ready to return to your normal routine. You sit down at your computer and go to log in to your Dropbox account. Because you previously enabled two-factor authentication using Google Authenticator, Dropbox prompts you to open the Google Authenticator app (available for both Android and iPhone users) on your phone and enter the code it shows you.

Whoops! Although the Google Authenticator app was restored to your new phone, the settings were not — and now you can’t log into your Dropbox account.

To understand the nature of the problem — and the solution that just quit working — let me explain what 2FA is and why the applications you depend on use it.

What’s This Authentication Stuff, and Why Should I Care?

Basically, two-factor authentication (2FA) is a common practice to guard against password theft. By insisting that you use two ways to say, “Really, it’s me!” the web application provides the equivalent of adding a dead bolt to your front door. Even if a thief steals your account password, he also needs the second factor, an additional bit of information, to gain access.

There are several ways for security experts to implement 2FA on a website, and you probably have encountered most of them. For example, you may be asked to choose a picture that is displayed every time you log in, which reassures you that you reached the correct website and not a phishing site. Other websites send a code in a text message that you must enter to proceed. The downside is that text messages are easily intercepted; nonetheless it’s a common type of 2FA.

Token-based authentication is generally considered the most secure form of 2FA. One of the earliest token-based authenticators was designed by RSA Security; it consisted of a keychain fob with an LCD screen that displayed a code that changed every 10 seconds.

Which leads us to Google Authenticator, an app that gives website developers token-based 2FA. It implements the Time-based One-time Password (TOTP) and HMAC-based One-time Password (HOTP) algorithms specified in RFC 6238 and RFC 4226, respectively.

Here’s how it works. When you enable 2FA on an online application that supports the app — let’s pretend it is the ABM File Service — you are prompted to set up a passcode or other token to say, “Yup, that’s me!” The ABM File Service displays a QR code that you scan into the Google Authenticator app. The Google Authenticator app uses the secret key embedded in the QR code to generate the codes that, when you visit the website later, permit you to log in.

As you saw in the example, each website that uses the Google Authenticator app for 2FA needs to be configured on your phone — and this is how you could be locked out of one of your accounts. It’s like you left the key to your house in your other set of pants, and then you gave that other set of pants to Goodwill.

The problem is: Google Authenticator does not have a method to back up the sites you set up in the app. When you get a new phone, you need to set up each site in the app again. Unfortunately, if you don’t have access to your old phone, you don’t have any way of logging into the site to generate the QR code that is needed.
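To make that concrete, here is an added example (not code from the article, Google, or Authy) in Python: it parses the otpauth:// URI a site embeds in its provisioning QR code, derives HOTP and TOTP codes per RFC 4226 and RFC 6238, and verifies a code with the one-step grace window that lets you finish typing a code that has just expired. The URI, issuer and account values are constructed for illustration; the RFC test key is the published one.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of the otpauth:// URI a site encodes in its provisioning QR code
# (Key Uri Format used by Google Authenticator and Authy). Values are illustrative, not real.
SAMPLE_URI = "otpauth://totp/Dropbox:user%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Dropbox"

def parse_otpauth(uri):
    """Pull the shared secret and parameters out of an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper()
    secret += "=" * (-len(secret) % 8)          # tolerate unpadded base32
    return {
        "type": u.netloc,
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(secret),    # this is the value a backup must preserve
        "issuer": q.get("issuer"),
        "algorithm": q.get("algorithm", "SHA1").lower(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }

def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP whose counter is the number of `period`-second steps since the Unix epoch."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret, now // period, digits, algorithm)

def verify_totp(code, secret, at=None, window=1, period=30, digits=6, algorithm="sha1"):
    """Server-side check that also accepts `window` steps either side, so a code that
    expired while being typed is still honoured (RFC 6238 section 5.2 resynchronisation)."""
    now = int(time.time()) if at is None else int(at)
    return any(hmac.compare_digest(totp(secret, now + k * period, period, digits, algorithm), code)
               for k in range(-window, window + 1))

if __name__ == "__main__":
    acct = parse_otpauth(SAMPLE_URI)
    print(acct["issuer"], acct["label"], "current code:", totp(acct["secret"], period=acct["period"]))
    rfc_key = b"12345678901234567890"             # test key from RFC 4226 / RFC 6238
    print("RFC 6238 T=59 ->", totp(rfc_key, at=59))   # 287082
```

Because every future code is a pure function of the secret and the clock, a phone that lost its secrets cannot recreate them, and a backup that preserves the secret (which is what Authy syncs) is all that is needed to keep working.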

Although I used Dropbox in the original scenario, it could easily have been your Gmail account (Google Authenticator was developed as a method of 2FA for Google accounts) or plenty of other online sites and business applications. Many depend on Google Authenticator as part of their processes. Among the websites that might ask you for a code from an app you can no longer access are Amazon Web Services, Dropbox, and Evernote; your bank or other financial institution might do so, too.

Some sites, such as Google and Dropbox, allow you to set up multiple methods of 2FA, so that if you don’t have access to your phone you can still access the site. Others, such as Amazon Web Services, require you to call the customer service department to regain access to your account. That’s a pain.

Okay, So How Do I Fix This?

Fortunately, there is Authy, a Google Authenticator replacement app that provides 2FA, allows you to back up your account settings, and syncs those accounts across multiple devices.

Just like Google Authenticator, Authy needs to be set up with each site that uses Google Authenticator for 2FA.

You want to make the switch to Authy now, while you still have access using your current phone. Waiting until you get a new phone defeats the purpose.

Here’s how to get started, using Dropbox as the web application to secure. It looks like there’s a lot of steps, but only because I show you every step you can take. The whole process is completed in a few minutes.

First, sign into the Dropbox website as you normally would.

From the profile link in the top right corner, select Settings:

Click on the Security tab:

Under Two-step verification, choose the “click to enable” link:

Click the Get Started button on the “Enable two-step verification” window, then re-enter your password for verification purposes:

Select “Use a mobile app” and click the Next button:

Dropbox displays instructions to open your authenticator app and scan the QR code that is displayed. Dropbox supports any authenticator app that supports the Time-Based One-Time Password (TOTP) protocol, including Authy, Google Authenticator, Duo Mobile, and Microsoft Authenticator; other online applications vary in their support, but the concepts are similar.

Open Authy on your smartphone or tablet. Select Add Account from the menu. (These pictures are from a Samsung Galaxy S7 and may look different on your device.)

Click the SCAN QR CODE button. (For web applications that don’t display a QR code, there is a link to enter the key manually.)

Authy displays the logo for the applications that it knows about and gives you a chance to edit the account name. Click the DONE button when ready.

Authy now starts generating a token for you to use with Dropbox. The token changes every 20 seconds, but the protocol permits you to finish entering a token even if it expires while you are viewing it. There is also a copy button you can use if you are trying to log into Dropbox on your phone.

Back on the Dropbox website, click the Next button.

Dropbox asks you to input the code your phone is displaying, to confirm that it is configured correctly.

As a precaution to help you gain access to your account if you are unable to access your Authy app, Dropbox asks for your mobile phone number. Although Dropbox allows you to use SMS messaging as a backup, not all web applications do. Depending on your personal level of security risk, you may want to leave this blank, since SMS messaging is subject to hacking and the next step provides a backup verification method that is more secure.

Dropbox displays a list of 10 one-time-use tokens that you can use if you are unable to generate a code using Authy. If this list is ever compromised, you can deactivate the entire list and generate a new one. I recommend that you print this list and store it in a secure location rather than save it in a text file or PDF document.

Click the Enable two-step verification button to complete the process.

Your Dropbox Security tab now shows several status changes: that two-step verification is enabled using an authenticator app as the primary method, whether you enabled your mobile phone as a backup method, and a link to display that list of recovery codes.

The next time you attempt to log into Dropbox you are prompted to enter the code Authy generated. You also have the option to “Remember this computer” so the code isn’t required again. Only check this box if you are on a personal or work computer. Do not check it on public-use computers or on a laptop computer that you travel with that easily could be compromised.

It takes a little bit of time to set up 2FA, but with the constant reports of account data being stolen (Yahoo announced one billion accounts were stolen as I was writing this article), adding 2FA to sensitive accounts can give you some peace of mind.


GSD: Tips and Tricks is brought to you by Xero, the cloud accounting software solution for your small business. With Xero, you can log in anytime, anywhere to get a real-time view of your cash flow and manage your books. Start your free 30-day trial today.
