Recovering from a lost or broken phone
2024-03-16 | Estimated reading time: 5 minutes
Not too long ago, a friend of mine and I had a conversation about how we keep doing more and more things on our phones, which then led to me pointing out the elephant in the room: “What is your plan for if/when you lose access to your phone?”
He did not have one at that time. The next time we met, he had one and thanked me for essentially making him think about that scenario and formulate a plan to deal with it, if it were to come true.
I do believe that everyone should have such a plan ready, especially if they use apps that require more than just a username and password. Most apps have an often inconvenient escape hatch to restoring their functionality – in Germany it often involves snailmail –, but some don’t unless you’ve prepared for the failure scenario.
For me, this plan does not cover the case of me losing access to my phone number. There are apps, often messaging apps like Signal, that are bound to your phone number and it often is not possible to transfer accounts from one number to another unless you have access to both numbers.
Here is my plan and since it’s my plan, I cannot focus on apps I don’t use myself for obvious reasons. But I will try to keep things generic enough for you to be able to use my plan as a starting point to build yours.
Once you have built your plan, make sure to go through it on a regular basis to ensure that the plan is still valid and working when you actually need it. Like backups, having one without ever trying to recover from a disaster by using it can lead to a lot of disappointment and frustration if it turns out to not work, at all.
Password manager & 2FA app
Most apps fortunately are easy enough to restore by just downloading them again and logging in. If you use a password manager, that means you need to have a plan for regaining access to your password manager. This in turn can be as simple as using your username and master password, but a third piece of information may be needed, e. g. 1Password requires the so-called “Secret Key”.
If you use two-factor authentication (2FA) with time-based one-time passwords (TOTP), you have to know how to restore your 2FA app, as well. Some of the popular ones offer online sync (e. g. Authy, Google Authenticator) and some are included in the password manager (e. g. 1Password). But if the 2FA app you use does not support online sync, you need to take care of that process yourself, i. e. backups and knowing how to restore from those backups.
Password manager: 1Password
I have my 1Password Emergency Kit (sans master password, because I’m not that crazy) downloaded on a USB flash drive and filed away as a printout in my office at home.
2FA app: OTP Auth
My 2FA backups are in the same places as my 1Password Emergency Kit: The backup itself is on the USB flash drive and the backup codes for each service with 2FA are filed away along with the 1Password Emergency Kit. (What a security risk, oh noes!)
Apps that are paired to the device
More and more apps – especially banking apps – require to be paired to the phone to be functional, i. e. just downloading them and having username + password + 2FA token is not necessarily sufficient to restore their functionality.
The exact restoration procedure usually is different for each app, which is why having a plan for these apps in advance can make restoring them a lot less painful.
Banking: DKB
DKB has two different apps that are tied to the device: The new DKB banking app and the old TAN2go app.
Fortunately, restoring the new DKB banking app seems to be really straightforward and they have a PDF file that covers most (all?) variants of the process.
Banking: Finom
Finom supports both hardware and software passkeys, which removes the need to confirm my login through the app. This makes reinstalling the app and restoring its functionality very straightforward.
Banking: comdirect photoTAN
After logging in with your username + password, you are given the option to have them send you a QR code via snailmail to restore photoTAN functionality. Unless you have set up mobileTAN (which you should not), you will not have access to your account until photoTAN works again.
Banking: ING Banking
Just like comdirect photoTAN, you can request a one-time password to regain access to your account after entering your username + password.
Banking: Scalable
After logging in with your username + password, you are given the option to use a 2FA backup code instead of the app-based 2FA method.
Thoughts on recovering with passkeys
Finom allowing me to reinstall the app on a new device with extra steps by using a passkey was a nice surprise I did not expect, at all.
Today’s software passkeys are a great secure way to authenticate yourself through multiple factors without having to transmit any of the factors themselves. You have something (the secret itself, which is derived from the domain name of the other party and a “primary secret”), which can be combined with you being someone(e. g. through a fingerprint) to cryptographically sign a challenge from the other party and only this signed challenge is sent back to the other party.
It is worth noting that while passkeys can be used to replace password-based authentication, it does not have to be used as such: Passkeys can just be used as the second factor of a two-factor authentication process.
Even though software passkeys come with a major disadvantage over hardware ones – they can be duplicated and the copies can be used just like the original, especially if no other authentication factor is required –, their ease of use and, more importantly, their resilience to mishandling them makes them a much better authentication method for most people. Key duplication, whilst technically reducing security in general, allows for cloud synchronisation through e. g. iCloud or Google Services, which means users cannot just lose them like actual hardware keys and they are easily restored to new devices. This in turn significantly reduces the risk of people accidentally locking themselves out.
I strongly believe in the technology behind passkeys – I have been using hardware passkeys for over 10 years – and the advent of software passkeys in my opinion tore down the walls that was keeping “normal users” from using them. I am genuinely hoping that more services allow their users to use passkeys to smoothly re-setup their apps on new devices without having to have the old device around. Passkeys can do everything that is required from a security perspective, especially in combination with classic password-based authentication: It (sufficiently) makes sure you are who you claim to be. It probably is better at that than sending text messages with one-time codes or snailmail doing essentially that.
Huy Dinh
Senior Software Engineer
at Solaris SE