Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

Dancing the Two-Step: Coping with the Loss of a Second Factor

Glenn Fleishman

My iPhone 5's camera finally became intolerable. It had shown some evidence of dust or a sensor failure inside its sealed optics for some time, but I had coped. The Standby button had also started to lose its resiliency and required a hard push to activate, but I was too busy to swap out the phone. Then a hair started appearing in all photos. That was the squiggle that broke the camel's back.

I blithely went to a Genius Bar appointment, received a new iPhone 5 under warranty (not even invoking AppleCare+, which I have, as it was considered a factory defect), and restored from my iCloud backup. It was only 40 minutes later, when the restore was complete, that I realized I had blundered in not preparing for the loss of my so-called "second factor."

Two-step or two-factor logins typically require that a login uses two different methods: a password and a unique token sent via text message, created within a specialized app, or displayed on the tiny screen of a keychain generator or ID card. Second factors rely on physical possession of an object or an app on a device. They don't provide perfect security, but someone cannot simply steal your password and have full access to an associated account.

Most of my second factors were stored in [1]Google Authenticator, a free app (for iOS and Android) from the search giant. Despite coming from Google, the app works with many two-step authentication systems to generate the time-limited codes that supplement passwords. To get started with it on a particular site, you need to enter a special priming code, either by typing in a set of characters or by capturing a QR code.
From then on, Google Authenticator cryptographically derives a set of digits for your login code that resets every minute. The current time is a factor in the computation that creates the code. Each code may be used only once, so a captured code is useless after it has been used, and each works only during its 60-second period and is useless thereafter. Wisely, Google Authenticator doesn't retain the priming codes, since a bad guy could otherwise restore a stolen iPhone's iCloud backup and gain access to those codes! (See "[2]Elcomsoft Details Gaps in Apple's Two-Factor Authentication Approach," 30 May 2013.)

But that caused a problem for me, even though I consider myself relatively adept at security and good at thinking ahead. I knew I'd need two different Apple ID passwords and my Dropbox password to do a restore away from my main Mac. But I didn't anticipate the two-step login problem at that moment.

Luckily, I had done the necessary work previously, when I'd set up the various two-step systems. Most systems provide methods of restoring access or resetting a two-factor system as long as you retain two of three pieces of information: email access to the address you used (or physical access to a specific set of trusted devices), your password, and a special recovery key or similar code. I had stashed recovery codes like mad, and simply forgotten about them until this point.

I use Yojimbo to stash my recovery keys. Yojimbo, just out in version 4 with a new syncing option, uses strong encryption for its secured