PSA: don't forget to deal with 2FA code generators as you change devices

Since it's new phone season. See the previous discussion: Don’t forget to transfer Google Authenticator when switching phones

(Keeping up with good security practices is getting harder… My wife’s now locked out of Facebook. Apparently they introduced some feature where you need to approve new logins from a previously-existing login, and she’s not logged in anywhere else. We failed to realize this before resetting the old phone! :broken_heart:)


I’ve been using 1Password for my 2FA for that reason. I’ve lost access to a couple accounts because of resetting a phone without dealing with my authentication.


Being locked out of Facebook - isn’t that good news? :stuck_out_tongue_winking_eye:

On a more serious note: you’re absolutely right and that’s why it’s better, as much as possible, to default to generic 2FA whenever possible instead of the proprietary solution provided by a vendor. 1Password and Authy both allow restoration from cloud accounts, even if you don’t have any remaining devices (you will have to know your credentials though, and for 1Password, that especially means having your secret key on top of your master password).
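The "generic 2FA" point above is worth making concrete: a standard authenticator entry is just a shared secret plus a few parameters, and any app implementing RFC 6238 produces the same codes from it, which is what makes it exportable. The script below is an added example written for this thread, not code from any poster or from 1Password, Authy or Google; it generates and verifies TOTP codes and parses an `otpauth://` enrolment URI. The URI and the secret in it are constructed (the secret is the RFC 6238 reference value, not a real account).

```python
"""Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) generator, added as an example.

The only thing that has to survive a phone change is the shared secret; any
app that implements this algorithm will produce the same codes from it.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // period, digits, algo)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, window: int = 1,
                period: int = 30, digits: int = 6, algo: str = "sha1") -> bool:
    """Server-side check: accept the current step and +/- `window` steps for clock drift.
    Constant-time compare so the comparison itself does not leak the expected code."""
    if at is None:
        at = int(time.time())
    for step in range(-window, window + 1):
        candidate = totp(secret, at + step * period, period, digits, algo)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps show secrets as base32, often grouped and without '=' padding."""
    s = text.strip().replace(" ", "").upper().rstrip("=")
    return base64.b32decode(s + "=" * (-len(s) % 8))


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI (the contents of an enrolment QR code)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "secret": decode_base32_secret(params["secret"]),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algo": params.get("algorithm", "SHA1").lower(),
    }


# Constructed enrolment URI (hypothetical account) using the RFC 6238 reference
# secret "12345678901234567890" in base32; not a real account or real secret.
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def code_from_uri(uri: str, at: Optional[int] = None) -> str:
    """Generate the code for an enrolment URI: exactly what a migrated app does."""
    acct = parse_otpauth(uri)
    return totp(acct["secret"], at, acct["period"], acct["digits"], acct["algo"])


if __name__ == "__main__":
    acct = parse_otpauth(EXAMPLE_URI)
    now = int(time.time())
    code = code_from_uri(EXAMPLE_URI, now)
    print(f"{acct['issuer']} / {acct['label']}: {code} (valid for {30 - now % 30}s)")
    print("verifies:", verify_totp(acct["secret"], code, now))
```

The practical takeaway for device changes: if an app lets you view or export the `otpauth://` URI (or the base32 secret) for each entry, you can re-enrol it in any standards-based app; a vendor-specific code generator tied to an app login has no such portable secret, which is why losing the logged-in device is so painful.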


Thanks to you both. To be clear, we just didn’t realize that the Code Generator setting was enabled in Facebook for her—part of their long history of less-than-perfect design for security and privacy… Hindsight!


Ah, that wonderful code generator.
You can opt-out of this to use a regular, sensible 2FA token – I did it when I was using Facebook – but it’s really buried and a pain to set up. You might have to enable it in the browser, prior to any mobile app installation (or remove any mobile app your wife has to get the option to appear, then put the apps back. If, you know, that’s absolutely mandatory. To have Facebook. At all. :grin:).


+1 on this. I swapped phone once with Google Authenticator and then vowed never again.

I didn’t see the benefit of going through the hassle of moving to 1Password whilst google authenticator was working. But having to set them up again in Google Authenticator was the kick I needed.

I’ve not had to worry about it since.

I believe (from listening to ATP) that Google Authenticator allows sync now though.


Yeah, it seems like this is the kind of thing that should have required a lot more user approvals before it worked. It seems like it was a one-prompt deal, and now she’s not logged in anywhere and can’t access these settings. (Again, not surprising given the company’s design history.)

Thanks for the tips, though. I’ll poke around. I think we’re stuck waiting for Facebook support to reply to the account recovery request we’ve submitted. (Which required a photo of her passport. Bonkers.)

Here’s another obvious-in-hindsight kicker: once you’re locked out, there’s no way to delete your account, so now FB has this mass of data/photos/etc. that you no longer have control over. We are likely going to delete everything if and when we ever get her access again.


Doesn’t FB have a way that friends can vouch for them? I don’t recall the specifics but that may be another option available.

Thanks. You can request to recover an account via a friend looking at your profile, but that gives you the opportunity to reset the password, not deal with any 2FA setting. :sweat:

Just curious on status of your wife’s account. Did FB get back to you?

Nope. It’s been about two weeks at this point. The disclaimer on their account recovery page says something like “due to COVID-19, this might take a while, or we might never get back to you.” :sweat_smile:

Whoa, does your wife miss FB? I’ve been thinking about quitting FB for a while…

Us too. The main issue is that data problem; we don’t want to leave FB without deleting the data they have, but have no control over it 'til the account’s restored.