Two Factor Authentication + Forgotten/Lost Authenticator Tokens

Everyone’s heard of the “domain name”; in fact, you use one every day. Whether it’s www.google.com, https://gmail.google.com, or your local news site, that’s a domain name. They come in many shapes and sizes, from .com to .xyz. What many aren’t familiar with are the companies that sell domain names. (Side note: many aren’t aware of how domain names work either, but that’s an article for another day.)

A bit of background first:

  • Until 1999, only one company operated the three domain registries: .com, .net, and .org. This meant it not only sold the domains, it was also the only company able to register them. To put this simply: imagine having the choice of three cars, a Mercedes-Benz, a BMW, or a Lexus, but being able to buy and insure them through only one dealership.
  • The monopoly ended after a failed anti-trust suit and pressure from the United States Department of Commerce. This led to the creation of the Internet Corporation for Assigned Names and Numbers, also known as ICANN.
  • ICANN governs the issuance of IP addresses on the internet and the policies for (and policing of) domain registrars (such as eNom, GoDaddy, and many others). Note: that’s a nutshell version of what ICANN does; describing their full scope of power would be like deciphering who really runs IKEA. If you’re curious, there is a well-written article about ICANN here.

As a result, we have hundreds, perhaps thousands, of registrars. Many of these registrars, though, sell domains through a white-label website, utilizing the services of a “top” registrar. Some of the top registrars, in no particular order, include:

Providers like Enom, OpenSRS, and Wild West Domains offer reseller services whereby you can start a company and sell domain names, but not have to be an ICANN accredited registrar. Many companies do this, including a large percentage of web hosts.

Personally, I register domains with Hover.com, a division of Tucows, having recently moved all of my domains to them from eNom. On Friday, August 15, 2014, I experienced my first problem with Hover, leading to the creation of this blog post.

I’ve blogged about 2-step authentication before, although only briefly. Before we go any further, it would be prudent to educate the uninitiated in 2-step (or 2-factor) authentication.

Two-step (or two-factor) authentication is an added security measure for an online service, such as your e-mail or online banking, whereby your login is further scrutinized for a few key things:

  • First, does the system you are logging into recognize your computer? Is there a cookie or session token on the computer from a previous login?
  • Second, are you in a different location? For example, do you usually log in to your online banking from home, but today are checking from your work computer?

These checks can trigger a two-factor authentication challenge. In those cases, you will either be sent an SMS code to your mobile phone or you can use an authenticator app to get a code. Authenticator apps are quite handy, especially if you’re in a situation where you can’t receive an SMS (perhaps you have no signal or you are roaming internationally). I use the Microsoft Authenticator app, a near clone of Google Authenticator (iOS link), but for Windows Phone.

If you lose access to your tokens (the random codes) or you are unable to use them, companies will generally offer another method of verification. They may send you an SMS code in lieu of an Authenticator code, or send a code to an alternate e-mail address. Depending on the system you’re attempting to access, they may require you to call in and verify some information. Some providers, like Hover, give you a “master password” to use in the event you forget or lose access to your 2-factor authentication app.
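To make the mechanics concrete, here is an added example (not Hover’s or Microsoft’s code) of how an authenticator app’s codes and a recovery-code fallback fit together: TOTP per RFC 6238, which is what Google and Microsoft Authenticator implement, plus a hypothetical server-side account record that stores recovery codes only as hashes and burns each one on use. The `Account` class, `generate_recovery_codes`, and the enrollment secret are assumptions for illustration, not any provider’s actual design.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the current code and +/- `skew` adjacent windows to tolerate clock drift."""
    for window in range(-skew, skew + 1):
        expected = totp(secret_b32, unix_time + window * 30)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


def generate_recovery_codes(count: int = 8) -> list[str]:
    """Random single-use recovery codes, shown to the user once at enrollment."""
    return [secrets.token_hex(5) for _ in range(count)]


def _digest(code: str) -> str:
    # Recovery codes are stored hashed, so a database leak does not leak the codes.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


class Account:
    """Hypothetical server-side record: TOTP secret plus hashed, single-use recovery codes."""

    def __init__(self, secret_b32: str, recovery_codes: list[str]):
        self.secret_b32 = secret_b32
        self.recovery_hashes = {_digest(c) for c in recovery_codes}

    def second_factor_ok(self, submitted: str, unix_time: int) -> bool:
        # Normal path: a code from the authenticator app.
        if verify_totp(self.secret_b32, submitted, unix_time):
            return True
        # Fallback path: a recovery code, consumed on first use so it cannot be replayed.
        h = _digest(submitted)
        if h in self.recovery_hashes:
            self.recovery_hashes.discard(h)
            return True
        return False
```

Because the authenticator secret lives only on the phone, wiping the phone (as described below) leaves the recovery codes as the only self-service way back in; once those are gone, a human identity check is all that remains.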

A few days ago, AT&T Wireless approved a new update for the Nokia Lumia 1020: Windows Phone 8.1 with “Lumia Cyan”, a massive OS update paired with updates to the Nokia Lumia application suite. However, as I already had Windows Phone 8.1 via the Microsoft Developer Program, to receive the Lumia Cyan updates I had to downgrade my phone. This involved erasing the phone. Microsoft’s Authenticator app does NOT back up your tokens, possibly for security reasons. If you uninstall the app or format your phone, you will have to re-link your accounts to the app in order to continue receiving the benefits of two-factor authentication. This can be a tedious process, but it is unavoidable.

By now, you’re probably thinking, “Why in the world would I enable two-step authentication if it’s this annoying?” Everyone should use two-factor authentication, in my opinion. Being hacked is no joke, and while 2-step authentication doesn’t make you immune to hackers, it adds another complex step for them to bypass.

I had finished the upgrade of my OS and relinked all but one of my 2-factor services: Hover. Upon logging into their site, I was prepared to select the option “I don’t have access to my authenticator app” and verify by phone call, SMS, or e-mail. However, I was presented with a dialog asking for a recovery code, an item I did not have. Having spoken with Hover on the phone a few times before, I knew they were friendly, so I decided to call in and ask what I could do to rectify the situation. Since they’re in Canada, I expected a cheerful, helpful person, great at saying “sorry”… what I received was akin to the customer service team working under Hitler’s SS.

The first 10 or 15 minutes of my call with Hover Support consisted of:

Me: “I updated my phone, which erased it, and I have to repair my 2 step authentication app with your service. When I select the option “I don’t have access to my authenticator app”, I am asked for a recovery code. I don’t have this code. Can you help me?”

Hover Agent: “Oh, you will have to have the recovery code to regain access to your account.”

Me: “Yes, I realize, however, I don’t have that, and honestly, I don’t recall being presented with one. Can you disable 2-step authentication so I can regain access to my account? I am happy to verify any information you need to assure you I am who I say I am.”

Hover Agent: “You will have to have the recovery code to regain access to your account.”

Me: “So, you are saying I will be unable to access my account? What will happen to my domain names when they expire? How will I renew them?”

Hover Agent: “You will have to have the recovery code to regain access to your account.” (yes, he repeated himself, again)

Me: “So, you’re telling me your company provides NO recourse for someone who loses access to their 2-factor authentication app and also doesn’t have their recovery code? I’m pretty sure ICANN policies forbid you from preventing me from modifying my domains when I can prove I own them.”

Hover Agent: “I understand, but you’ll need the recovery code to regain access to your account.”

Me: “Can you transfer me to a manager?”

Hover Agent: “They’ll tell you the same thing.”

I lost my temper here; while I didn’t curse the agent out, I didn’t hold back from a well-needed lecture on proper customer service.

Me: “I’m sorry. Did you just say the manager would tell me the same thing you’ve told me? That doesn’t matter. When a customer asks for a manager, you get a manager. It doesn’t matter if you believe their request for a manager is warranted or not… you don’t minimize the customer’s request.”

The Hover Agent places me on a very brief hold and, after coming back, begins the Account Recovery process. This included e-mailing a random code to the account e-mail address, verifying it over the phone, and also calling the phone number listed in my WHOIS information. The process took about 15 minutes, after a 15-minute conversational copy/paste and a 3-5 minute lecture on customer service.

In the end, I regained access to my account. While my incompetence may have caused this, there is no doubt Hover takes the security of their customers’ accounts seriously. At some point, said security becomes draconian and the needs of a customer are minimized. What transpired in this interaction is exceptionally unacceptable. Hopefully Hover recognizes their mistake here and offers some empathy training to their staff.