Backup Codes and Back Doors

I’m on a mailing list where someone sent this email:

In the case of lost phone that has been setup for 2FA with services such as Gmail and Slack, a set of backup codes to bypass 2FA [is created] to sign in. It sounds like an insecure backdoor to me. Wonder what the community thinks about the implementation.

Like all “is this system secure?” questions, the answer is the follow-up question “against what?”.

These are example backup codes. Not mine.

Backup codes are static like passwords, but they don’t have some of the security problems. They generally have a high enough entropy to make remote brute forcing infeasible. Users don’t reuse backup codes like they reuse passwords, and backup codes don’t appear in common password dictionaries. Of course, like regular two-factor codes and passwords, they can be phished.

Backup codes are, in a sense, just enforced strong passwords. To me, they are an admission that if you generate and use strong passwords, two-factor authentication doesn’t provide much extra security*.

Beyond their mundane security profile, backup codes are a usability cop out. They say “here you go, the unhappy cases of 2FA are on you, the user”.

Like strong passwords, backup codes are hard to store. Services will suggest a strategy, either physical (e.g. print them, write them down) or digital (e.g. put them in a password safe, or in a text file in the cloud).

I believe this is a pretty typical scenario:

Service: Congrats, you’re enrolled in two-factor! Please take this arbitrary text and store it somewhere, securely and indefinitely.
User: Ugh, I’m on my phone and that sounds like a hassle. I’ll do it later.
[time elapses]
User: I dropped my phone in the toilet and I don’t have a login code! Why won’t you let me in?
Service: No problem — please provide a backup code.
User: A what?

When passwords are compromised, we recommended two-factor authentication wholeheartedly. We imply that it is costless. But in doing so, we presume people can manage backup codes, which would imply that they could manage strong passwords, which would imply that two-factor would have limited efficacy. We are asking people to trade the “I can’t manage strong passwords” problem for the “I can’t access my account” problem.

Backup codes aren’t a back door. They are a cracked foundation.

* Two-factor codes expire, and backup codes are single-use. Both of these features provide countermeasures to certain threats. But in terms of gaining initial access, a password plus a backup code is just a user-generated password combined with a system-generated password.