The extra layer of account security
Two-factor authentication (2FA), or multi-factor authentication, is now becoming increasingly popular. More and more people have their smartphones on hand, so this extra layer of security, which verifies your account identity, doesn't bring much hassle on the user side --- most of the time.
I use Gmail on a daily basis and have set up my Google account with 2FA. Here is what actually happened as a consequence:
"I was out of town but had forgotten my phone at home. So I went to a store to buy a pay-as-you-go phone, preferring (and practically the only choice) a smartphone on which I could check email and browse the web. As expected, it was an Android phone and I was required to use my Google account to activate it. With some sense of urgency, I created a new Google account in order to move forward, but still couldn't get to my dear email box on this device unless I retrieved the other factor for authentication, which, according to the message from Google, was my forgotten phone, to which they had sent a notification.
It was not as rigid as that message literally said. It's a trust propagation model: as long as you verify it from a device on which you have already logged in, your new device will get through. It just needs a little investigation though (and not being scared by the message in the screenshot below): open the "Critical security alert" email from Google, click the link "CHECK ACTIVITY", and then mark that new device as "access allowed"."
I brought a laptop with me, so the problem was solved. But what if my smartphone were lost or stolen and I only used the service on my phone (e.g. Uber/Lyft)?
In this case, the fact is: you are simply relying on your service provider's security aptitude.
Mobile-only apps know your phone number and your phone's device ID, and can send SMS to it from the beginning. There are no opt-in/opt-out settings like Google's. For example, Uber uses a (supposedly) intelligent system to track all log-ins and triggers 2FA "when certain requests are deemed suspicious", per this report from ZDNet. When I sign in from a new device, or just from the web browser on my computer (on the web, you can review your profile but can't book a ride), an SMS is sent to my phone, but I won't be able to proceed if I lose my phone.
That means there is no quick way to delete your account to prevent an account takeover, even though you know (better than the Uber security system does) that your phone has been stolen. Well, calling their customer service might work, but more than likely it's very hard to prove who you actually are, given that Uber doesn't require your social security number or date of birth when you register as a new rider.
Therefore, this is simply a new type of relationship between you (as a user/customer) and service providers (Internet/mobile companies like Google and Uber, whatever you call them) in the digital world. And when it comes to account security, it is a subtle story:
* We have a lot of personal information on the servers of Google et al. However, such service providers are not government agencies, nor banks, insurance companies or phone carriers. So they probably don't have an explicit motivation to know who you are in the real world (for their own growth and other considerations), and thereby won't provide a service for true identity verification. Actually, they assume that you can have some freedom (unless specified otherwise): e.g. a family account, or two log-ins from different locations for watching videos.
* The old-fashioned form of two-factor authentication is telling the customer service representative your date of birth, address and social security number when you report a stolen credit card. In the digital world, such identity-related pieces are replaced by an additional device and/or a service-provider-issued recovery code.
* Interestingly, for banks, authentication is triggered when you really need help from them. For Google-like services, if you happen to have opted in to 2FA and fear that you could lose your account because your physical devices are inaccessible, they can hardly help.
In other words, the only way to guarantee that your account is always retrievable is not to opt in to 2FA (say you always have access to your email, so you can get back into your account via email verification, which almost all companies offer). If you want to enroll in 2FA with the intention of showing that you are following the newest tech, you had better think twice once you know its potential consequences.
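To make the "trust propagation" model from the quoted story and the recovery-code fallback from the list above concrete, here is a toy server-side model, added as an illustration and not code from Google, Uber or the original post. Every name in it (the `Account` class, the device identifiers, the function names) is an assumption made up for this example; it replays the three situations the post describes: approving a new device from a laptop that is already logged in, a phone-only user with no other trusted device being locked out, and the same user getting back in with a one-time recovery code issued at enrollment.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    """Hypothetical server-side state for one 2FA-enrolled account (constructed for this example)."""
    trusted_devices: Set[str] = field(default_factory=set)
    pending: Dict[str, str] = field(default_factory=dict)   # challenge id -> device awaiting approval
    recovery_hashes: Set[str] = field(default_factory=set)  # hashes of unused one-time recovery codes
    two_factor_enabled: bool = True


def _hash_code(code: str) -> str:
    # Recovery codes are high-entropy random strings, so a plain SHA-256 is adequate here.
    return hashlib.sha256(code.encode()).hexdigest()


def issue_recovery_codes(acct: Account, count: int = 5) -> List[str]:
    """Issue fresh one-time recovery codes; only their hashes stay on the server."""
    codes = [secrets.token_hex(4) for _ in range(count)]
    acct.recovery_hashes = {_hash_code(c) for c in codes}
    return codes


def login(acct: Account, device_id: str) -> Tuple[str, Optional[str]]:
    """Password is assumed correct. Returns ("ok", None) when the device is already trusted,
    otherwise ("challenge", challenge_id): the second factor is still outstanding."""
    if not acct.two_factor_enabled or device_id in acct.trusted_devices:
        return ("ok", None)
    challenge_id = secrets.token_hex(8)
    acct.pending[challenge_id] = device_id
    return ("challenge", challenge_id)


def approve_from_device(acct: Account, approving_device: str, challenge_id: str) -> bool:
    """Trust propagation: only a device that is already trusted may mark the pending device as allowed."""
    if approving_device not in acct.trusted_devices:
        return False
    new_device = acct.pending.pop(challenge_id, None)
    if new_device is None:
        return False
    acct.trusted_devices.add(new_device)
    return True


def redeem_recovery_code(acct: Account, challenge_id: str, code: str) -> bool:
    """Fallback factor: a valid, unused recovery code approves the pending device and is then burned."""
    digest = _hash_code(code)
    if digest not in acct.recovery_hashes or challenge_id not in acct.pending:
        return False
    acct.recovery_hashes.discard(digest)          # single use
    acct.trusted_devices.add(acct.pending.pop(challenge_id))
    return True


def revoke_device(acct: Account, approving_device: str, lost_device: str) -> bool:
    """Dropping a lost phone from the trusted set also needs a trusted device to act from."""
    if approving_device not in acct.trusted_devices or lost_device not in acct.trusted_devices:
        return False
    acct.trusted_devices.discard(lost_device)
    return True


def walk_through() -> Dict[str, bool]:
    """Replays the situations from the post with constructed device names."""
    # 1. Phone forgotten at home, but a laptop that is already logged in is on hand.
    acct = Account(trusted_devices={"home-phone", "laptop"})
    status, cid = login(acct, "prepaid-phone")
    approved_via_laptop = status == "challenge" and approve_from_device(acct, "laptop", cid)

    # 2. Mobile-only user, phone stolen, no other trusted device, no recovery codes: nobody can approve.
    mobile_only = Account(trusted_devices={"stolen-phone"})
    status, cid = login(mobile_only, "replacement-phone")
    locked_out = status == "challenge" and not approve_from_device(mobile_only, "replacement-phone", cid)

    # 3. Same user, but recovery codes were issued at enrollment and kept somewhere other than the phone.
    prepared = Account(trusted_devices={"stolen-phone"})
    codes = issue_recovery_codes(prepared)
    status, cid = login(prepared, "replacement-phone")
    recovered = status == "challenge" and redeem_recovery_code(prepared, cid, codes[0])
    code_reusable = redeem_recovery_code(prepared, cid, codes[0])      # already consumed
    stolen_phone_revoked = revoke_device(prepared, "replacement-phone", "stolen-phone")

    return {"approved_via_laptop": approved_via_laptop, "locked_out": locked_out,
            "recovered_with_code": recovered, "code_reusable": code_reusable,
            "stolen_phone_revoked": stolen_phone_revoked}


if __name__ == "__main__":
    for situation, outcome in walk_through().items():
        print(f"{situation}: {outcome}")
```

The second situation is the one the post warns about: once the only trusted device is gone, `approve_from_device` has nothing to act from and the account stays locked. The third shows that the fix has to be done at enrollment time, since recovery codes issued after the phone is lost would themselves require the missing factor.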
And for mobile-only services, you don't seem to have that option --- sadly.
P.S.: Password reset is a different story, and many companies have a more sophisticated process for it. This article is about the case where you know your password but the other factor (most likely your phone) is not available.