Two-Step Verification – a Trap for Travellers


In recent years more and more popular websites are either nagging you to provide a phone number for “added security”, or worse are forcing you to verify your account with a code they send you via SMS. This is called “Two-Step Verification” or sometimes “Two-Factor Authentication”.

We tend to trust new technologies too readily before considering all consequences.

First and foremost:
how well do you know the technical side of your mobile phone?

Do you know how to synchronise time zones and other settings on your phone? I have read of many cases where correct “Two-Step Verification” codes were not working due to the wrong phone settings.



Screen capture: Google’s explanation of SMS “Two-Step Verification”

How do you use your mobile phone?

Very few travellers who are away for months instead of weeks will keep paying a phone plan in their home country. A great many will rather use cheaper prepaid SIM cards, at home and abroad. Does your prepaid provider have any roaming agreements with carriers in your destination country – or countries, if you are a long-term traveller? I had an Australian prepaid card from Amaysim, an Australian company started by Germans, and didn’t get any network on it in Germany. I had two German prepaid cards, one from Congstar (sister company of T-Mobile, largest network in Germany), one from Klarmobil (who uses the Vodafone network), and both provided excellent roaming in Europe, but as soon as I landed in South America: nada! No network connection with either card.

Local SIM card purchased in the country you travel

This is probably the preferred option for most travellers to stay connected, particularly since in many developing countries you can buy relatively cheap data plans to access the internet with your smart phone on the move. Yes, great!

So how often do you change your phone number?

I guess it’s fair to assume as often as we do: in every country we enter and expect to stay for any considerable time we buy a local SIM = get a new phone number.

So what use is the home telephone number you registered for SMS “Two-Step Verification”?

Can you be reached under this number? Most likely not!

You see: “Two-Step Verification” via SMS is not a valid option for travellers!


Okay, there’s a Mobile App for that too: “Google Authenticator”


Google Authenticator App

It works with a surprising number of third-party services like Facebook, Twitter, Dropbox, Microsoft, WordPress.com, Amazon, Lastpass, and many more, who are all tied in with “Google Authenticator”, so in theory this should have you covered.

“Google Authenticator” is certainly the lesser of two evils, providing you own a smart phone!

But once you’re locked into it, it too can cause headaches and more pain.

First question: what happens when your battery is empty?

And I mean really empty, like after a 30 hour bus ride from hell? Overnight the trip was really boring, so you played games on your phone and listened to music until the battery died. So, no power – no “Google Authenticator”! And will the time sync on your phone recover after you finally get to charge your battery? Usually time sync needs a network connection; can you get that?

Or even worse: you lose your phone!

Let’s not assume the worst straight away. It might have simply slipped out of your pocket whilst you were sleeping on that horrible and bumpy 30 hour bus ride and fallen under the seat. Worst case: somebody stole your phone. Unlocked smart phones are desirable targets for any pick-pocket…

If your phone is lost or broken (same issue!) you cannot simply buy a new phone and re-install Google Authenticator on it, because it is tied in with your phone’s individual identifiers, like its ESN, and can only be transferred from one working phone to the next!

In any case: you cannot use your phone – so now what? Unanswered question!


My recommendations for “Two-Step Verification” as a traveller:

Best: turn it off before leaving home or reject it outright!

Is the sense of some added security really worth the extra hassle it might cause?

I would rather recommend being extra vigilant when using the internet. For example: stay away from dodgy internet cafes when you log into sensitive accounts! Also, be careful when using busy public WiFi; the smaller the user base of a network, the lower the risk of man-in-the-middle (MITM) intrusions should be.

Have a strong password for sensitive sites and change it regularly! A slight change of the same password might suffice to deter the bad boys, e.g. include the number of the current month, split in two separate digits, and change this every month, like 0Pass1W0rD for January to 1Pass2W0rD for December.

Is there an alternative to “Two-Step Verification” requiring a phone?


Security Token

Our bank automatically puts every customer on “Two-Step Verification” via an SMS code. We opted instead to each get a “Security Token”; you press a button and get a six-digit code to enter. There are also risks connected with this of course: you can lose the token, the battery will run out eventually, and some say the generated codes can be cracked (given enough time, everything can be cracked). During our last trip one token’s battery died after three years, we had a second (the partner’s) to access the account, and had a new token mailed to a trusted person in Australia, who then forwarded it to us. At least we were never completely locked out of our accounts.


If you decide in favour of “Two-Step Verification”

Google offers to provide Back-Up Codes, which you can print out – do it and keep them safe! Other companies don’t offer such a service, so check conditions thoroughly.

Google also offers to add a back-up telephone number. Use a number of a person at home you are sure to reach. If you cannot telephone this person maybe they can email the code to an account which is not secured with “Two-Step Verification”.

If you travel with a laptop you have another option: install a second authenticator on Windows™ or Apple OSX™ – Google Authenticator version for Windows and Authy for Apple OSX are not widely publicised.


Before you decide to activate “Two-Step Verification” consider these questions:

How often do you use the account? How valuable is it to you?
Some might use their Google account almost every time they are online because it is linked to their main Gmail address. Others, like me, might use it every few weeks. You are likely to use accounts like Facebook or Twitter almost every time you get online. Other accounts, like eBay, Amazon, Dropbox, iCloud, etc. you might not use much at all whilst travelling. But then there is PayPal, which you might need to pay for a booking, or the like, along the way. And as a travel blogger, you also have to consider WordPress.com, even if you have a self-hosted blog running on software from WordPress.org, because a number of your blog’s elements could be tied into WordPress.com, like Gravatar and some components of the popular Jetpack plugin.

I would seriously consider all PROs and CONs before typing in my mobile number for “security reasons”!


Why am I writing this? In the middle of May this year I lost my Google account for good! Gone! Never to be retrieved because Google offers no personal support whatsoever. This was a well established account I had used for many years only to access Webmaster Tools connected to a number of websites. I had all my analytics in this account, my website verification numbers were tied to this account, plus I had a Google+ page in my personal name (so now I cannot get my real name a second time). I must confess it was a chain of unfortunate coincidences, but these happen in life, whether we are prepared for them or not.

When you log into your account Google also stores a “cookie” in your browser. I had serious problems with my computer: first the hard disk was changed, then finally the entire computer was replaced under warranty; this “cookie” didn’t get saved in the back-ups.


all cookies gone!

The first time after months (I’m not obsessed with statistics) that I wanted to use my Google account happened to be in Santiago de Chile. The account was opened in Australia, my home country, and last accessed in Germany when I still had my original computer with the functioning “cookie”. So some robot at Google decided I was trying to log in from an “unknown IP address” and flagged this as an unauthorised trial to access my account. Of course the first thing to pop up was something like “To proceed click here to receive a security code sent to your phone number (61)*** ******966” (starred out like this).

Great, I had let that number lapse when I left Australia over a year ago; it was the above-mentioned Amaysim SIM, which wouldn’t give me any roaming in Europe, where I had spent the last 13 months. To keep an Australian SIM/number alive you have to top it up with fresh credit every 90 days – no way would I use my SIM as a savings account!

The next step, Google’s “Account Recovery”, was of no use because I honestly could not answer the questions:

· When was the last time you were able to sign in to your Google Account? Month/Day/Year (Required) – I knew the year, but not the month, and don’t get me started on the day.
· When did you create your Google Account? (Required) – I believe sometime between 2002 and 2005.

So I was stuck, because I got rejected countless times. Next I was forced to create a new account on the fly, because otherwise you cannot even log into Google’s product forums, the only hope for any help – which didn’t materialise anyhow… End of story!

Don’t let this happen to you! It creates an endless stream of unwanted problems and work (which I still haven’t finished).

Further reading: Why two-step verification will never work {link removed}, or simply google something like “travel and two step verification”.

How do you feel about “Two-Step Verification”?
Have you had any issues with it you would like to share as a warning to others?

photo credit header photo: cafnr on flickr

Juergen

webmaster, main photographer & driver, second cook and only husband at dare2go.com. Freelance web designer with 20 years of experience at webbeetle.com.au

22 Responses

  1. Daniel says:

    This is such an important post for people working in IT and InfoSec to understand. There are always trade-offs with security vs convenience however I have been locked out of my accounts far too often since the advance of two-factor auth.

    Thanks for the tip-off on the Google Authenticator desktop software, although it’s probably adding another hacking target to your computer, it’s probably better than being completely locked out just because your phone is dead.

    • Juergen says:

      You’re welcome! I begin to think that most applications are being written by people who never leave their office cubicle and fast broadband (or if so only to attend a ‘fully connected’ conference), so they don’t even experience the full implications of their “oh so easy solution“. We struggle almost daily with bandwidth and speed requirements of some apps, which cannot be fulfilled by some slow wireless network in developing countries. Only because something works in LA, NY, or Berlin, doesn’t mean it will work as well in remote Alaska, Patagonia, or in Africa…

  2. Tony LEE says:

    Yes, Citibank started wanting me to provide a phone number and recently Teachers Mutual Bank switched too, but luckily also allowed the use of the token that I had been using for years.

    I use travel sim phone when travelling and some incoming SMS cost close to a dollar so I’m not too fussed about allowing that. Result is I just don’t use the web to access my Citibank accounts and if I have problems I have to use Skype to fight it out with their call centre operators.

    • Juergen says:

      Today we are in Horcón on the coast of Chile, a rather built-up area, and mobile phone reception is hit-and-miss. A dual-SIM-phone might make things easier in general, but at a cost we’re not willing to bear as indefinite travellers (although it would be fine for a short vacation).

  3. Mandy says:

    I am glad to read your blog. I am setting up email for my mother (who is 70) to use gmail on a tablet to travel overseas (we are in US). I was afraid that this will happen and she will not know what to do. So do you recommend using Hangouts or a texting app overseas to communicate back to US? or is there any other email that is hassle free.
    Thanks

    • Juergen says:

      Mandy, my wife and I are using yahoo mail whilst traveling (and at home) and never had any issues. In recent times they also started to nag about a telephone number, but you can ignore this. My wife has had her account since around 1999, signed up whilst studying in Germany, and has used it in at least 40 countries so far. Mine is more recent, I initially opened it for sign-ups to forums, news letters, and the likes, but now I use it for other things as well. To this stage we are both very happy with yahoo’s spam filtering too.
      I’m somebody who uses as few Google products as possible as I consider them the “biggest spyware” there is – all they want is as much data as possible to feed their ad selling business! Hence I haven’t used Hangouts; I’m happy with Skype since 2003 or 4, plus most of my relatives and friends are using it too.

      • Michael says:

        I was recently locked out of my 15-year-old Yahoo Mail account while traveling abroad. Yahoo asked for answers to “security questions” that I could not answer correctly. I could not access email for two weeks as my alternative email was also locked out and I had SIM card phone service.

        The kicker is that, when I returned home, logged in and tried to change the security questions, I found out that Yahoo does not allow any access to these questions even when I’m logged in. After contacting Yahoo, they said, “you’ll no longer need to protect your account using secret questions” OK, fine. But they still ask these questions and I don’t know the answers. Their solution was “if you can’t provide this information, then you do have the option of opening a new account.” Great customer service. Their solution for me is to either never have email while traveling or to bin the email account I’ve had for over a decade.

        • Juergen says:

          Years ago, sometime in the late 90s, my old Yahoo account was hijacked by a Russian hacker and Yahoo ‘Help’ was no help at all! I received a similar reply (to yours) that I should open a new account… Helpful idea if all your established contacts are in the account you cannot access anymore, hence you surely will be unable to notify every person about your change of email address. It reads like Yahoo only want to host ‘spam accounts’ where any account history is of no relevance.

  4. Oh great. One more thing to worry about. And people think I’m cynical because my personal motto is: “Just because you’re paranoid does not mean they’re not out to get you. “

    • Juergen says:

      LOL :D
      We shouldn’t have handed the Internet over to kids to run – who don’t know more than college and their annual vacation spent in front of a computer.

  5. noel says:

    Interesting , thanks for the post and tips

  6. Michelle says:

    I have never bought a SIM card. I have always used Google Chat on my computer or Viber. I’m sure there will come a day when I need a SIM card so thank you for explaining what I might and probably will need to deal with when I do.

    • Juergen says:

      But what do you do when you have to be contactable via a local number? And do you rely entirely on WiFi to cover your browsing needs?

  7. Interesting post and info worth pondering! So far, just because of procrastination and sheer laziness we have dodged the two-step verification mostly by forgoing a smart phone altogether. Email and Skype have worked for the most part although that can be frustrating, too. Still, it’s a lot easier to travel with technology, access accounts and keep in touch than it was 15 years ago!

    • Juergen says:

      I must confess that I don’t own a smart phone either, but an old clam-style Samsung. I love that the battery lasts a week to 10 days, unlike in any smart phone. Though: we own one which has become my wife’s since she is using a lot of the features.

  8. Excellent advice! Thank you for sharing with everyone!

  9. Aloha Juergen – It seems as though the security process discriminates against the folks who are using it legitimately in good faith, no matter who the company or the function is. Case in point: airport security. I don’t have an answer. Google went all cray-cray on us when we were in Hungary, Romania and Russia earlier in the year. But so did our debit card. Not fun to have to call Fidelity in America to sort it out and be told, “you’re dead in the water, one more transaction and your husband would have been, too.” Thanks a lot, Fidelity, for ensuring my “safety.” Not.

    • Juergen says:

      Oh yes, that happened to me too one time in Germany: my VISA card was suddenly flagged for an unusual transaction and blocked. No better time could they choose: late Friday afternoon, and I had a rental car on the same credit card due to be returned Saturday morning! Luckily my wife was home in Australia, received a courtesy call from the bank and was able to contact me straight away via SMS, to give me an international number to call the bank and set things straight.

  10. Leigh says:

    I hate two step verification processes. But I’m also amazed at what you had to go through. I have problems accessing my gmail sometimes and Google calls it a suspicious sign-in – in my own country. I will bookmark this for down the road. Thank you for an informative post.

  11. Juergen says:

    BTW: to get “security tokens” to access online banking we had to call the head office of our bank! The people in the local branch were convinced that these had been phased out when 2-Step-SMS-Verification was introduced!

  12. Don’t get me started on two-step verification!! I stupidly ‘upgraded’ my security (although little choice was eventually given) without realising it would introduce this two step nonsense on my Santander account. I have some online access to my account, such as transferring payments to accounts already registered to my account but if I want to pay someone ‘new’ – like a shipper maybe – I have to phone in. But there are some other bizarre quirks – if I set up a transfer between my savings and current account for a week in advance that’s OK, but if I want to change the transfer date I can only do it with the two-step verification. Santander have stopped the 24 hour phone service I used to get before they took over my nice bank so phoning is now harder across some timezones. Then I have to spend ages going through security. Then they want to know why I don’t use my internet access. Then I have to explain I don’t even have a mobile phone. When last in England I asked at my local branch how the bank could help me they suggested I change to another bank! They couldn’t offer the one time number gadget, only a mobile phone number which has to be registered with them for 30 days before it becomes valid for use. I enquired at another mainstream bank but their procedures were just as arduously inconvenient for a traveller so I gave up. Better the pain in the neck I know than getting to know a new pain in the neck. Rant over.

    • Juergen says:

      I could have “ranted” a lot more too, but for keeping the blog post as short as possible I refrained from it!
      What really gets me mad every time I come across it is how more and more big companies are creating their own tight boundaries and automated checks to restrict what was formed to be the “World Wide Web” – they take all the real usability away! Like

      • Why can’t I log into my account with my valid username and password from anywhere I like? Instead of getting rejected for “unknown IP address”?
      • Why do almost all American companies refuse to send me goods I have paid for with credit in my valid PayPal account to my temporary address in Chile (or at least a forwarding address in the USA)? They’re of no use to me at my billing address in Australia!
      • How am I supposed to get hold of much needed spare parts this way?
      • Why are companies in Europe able to send me goods to any address I chose, whereas US American companies insist on the stupid policy of postal address matching billing address? Is fraud now a regional problem?

      I better stop now… All rules made up by what a friend of mine calls “shiny asses” – people who sit all day/all year in their little cubicles and never leave their tiny world.
      You see: you have my full sympathy!
