Two-step verification is great. However, instead of using SMS for two-step verification, it’s a good idea to use an authenticator app to get your verification codes. It’s a tiny bit more secure for a number of reasons (like this one), but it can also save you if you happen to lose your Android phone while you’re away from home, since you can use written-down backup codes to access your account without your phone.
Let me tell you about my weekend:
Since my 18th birthday, when I purchased my first cell phone, I’ve carried one with me every day. Every day until this Sunday, because I managed to (for the first time) lose my phone getting out of a Lyft Saturday night.
We were roughly an hour away from home when I realized I had apparently dropped my relatively new Note 8 on the floorboard of the car rather than in my purse as we were getting out at our destination. Our driver had left only a few minutes before, so I thought we were in a particularly useful window of time where he might find it rather than a nefarious passenger.
The phone was on silent, so calling didn’t really help. I also have all my notifications hidden, so even texting the phone wouldn’t really provide information to the person who found it.
Then we went to locate it through Google’s Security from my boyfriend’s phone. It’s a nifty tool (located at security.google.com if you end up in the same situation) where you can track your lost phone, make it ring constantly for 5 minutes, wipe it, or leave a “Call This Number” message on your lock screen.
It was a great plan with one fatal flaw: I have two-step verification set up on my Google account using SMS.
Since I had two-step set up on my Google account and my boyfriend’s phone wasn’t a “trusted device,” it wanted the code it was texting me in order to let me into my account to track my phone. It keeps things secure, but without the phone I wasn’t able to get the SMS message and log into my account at all. I was locked out.
What ended up happening was us going home, me logging into the account on my trusted laptop and then putting a note with my boyfriend’s number on the lock screen. A few hours later I blasted it with a constant full-volume ring, and my Lyft driver called us to let us know he had found the phone and had stowed it in his glove box a few hours prior.
Given that he was an hour from our apartment, that meant that the beginning of our Sunday was a road trip to go meet him in a distant grocery store parking lot to get it back.
The whole situation could have gone a lot worse (I have a phone!) but it also could have gone better. If I had been able to leave that note right when we realized the phone was lost, my Lyft driver probably would have seen it when he found the phone and we could have coordinated while we were all close by. I could have also saved myself a few hours of panic.
Thankfully, we were just an hour from home. Had we been on vacation further away, this could have been a lot more complicated. In my particular situation, I think a few emails to Lyft would have gotten my phone back. However, if it was actually stolen, I wouldn’t have been able to wipe it until I got back to my computer. And if I didn’t have a computer that was already a “trusted” device, I would have been in for a whirlwind of pain.
And so, I recommend using Google Authenticator (or your authentication app of choice) instead of SMS. I already do for most of my accounts, but for some reason, my Google account was the last holdout. You still need your phone to get access to your account, but when you sign up you’re also given a few codes to use if you end up like me and need to log in somewhere on the fly without your phone.
I now have a few codes written on the back of an unassuming business card in my wallet. You don’t want to label the paper “Google Codes” in case your wallet is what gets stolen rather than your phone, but writing a few down on a business card, receipt, or the like and tucking it away in a safe place could save you in a similar situation.
Bottom line: Don’t be like me. It wasn’t fun.