2FA recovery codes (was: Re: Migrating 2FA to a new device)

Dave Cooper david.cooper at genworks.com
Thu May 9 19:14:27 UTC 2019


Hi Raymond,

Thanks for the reminder about emergency recovery codes.  Note that those
codes are account-specific, so for example when you set up Two-factor
Authentication for a particular gitlab account, it presents you with a list
of codes which will work for that gitlab account. Google also presents a
list of backup codes, but those will only work with your Google account,
and so on (even though all these accounts have their dynamic PIN code being
generated by Google Authenticator, they each manage their backup codes
separately).

In my case when I originally wrote the email, I didn't have my emergency
recovery codes for gitlab.common-lisp.net, and the dynamic PIN on the
Google Authenticator on my old phone was not working. So I appeared to be
in a bind and in need of admin assistance. It turned out that the reason
the dynamic PIN on the old phone was not working was nothing to do with my
having migrated the Google code to a new phone, it was just because the old
phone was offline and/or its clock was not set correctly. As soon as I put
the old phone online and the clock corrected itself, the code started
working for other services and presumably would have worked for
gitlab.common-lisp.net as well (but by that time the admins had disabled my
2FA and I had already re-enabled it on the Authenticator on the new phone).

But yes, the recovery codes on gitlab.common-lisp.net will most certainly
work, in case your phone is lost or damaged. If you don't have yours now,
you can regenerate a new set of them by logging into gitlab.common-lisp.net
and visiting User Settings -> Account -> Two-factor Authentication.
Consider this a PSA for everyone to print those out and put that paper in
your secret safe place (as well as cut out a copy for your wallet).

Dave



On Thu, May 9, 2019 at 2:45 PM Raymond Toy <toy.raymond at gmail.com> wrote:

> The emergency recovery keys you created should work.  But I've never tried
> that on common-lisp.net, so I don't actually know. I've only
> used that on other sites where I didn't have my HW key and needed to log in
> and I had my recovery keys with me.
>
> On Thu, May 9, 2019 at 11:15 AM Dave Cooper <david.cooper at genworks.com>
> wrote:
>
>>
>> Hi, I just changed phones and installed Google Authenticator on the new
>> phone, and migrated my Google code to the new authenticator.
>>  But my common-lisp.net code (and some other ones e.g. Cloudflare) are
>> still on the old phone.
>>  But the common-lisp.net one (on the old phone) doesn't seem to work
>> anymore.
>>  Is there a way to migrate this to a new phone without logging in (I
>> doubt it).
>>
>> If not, can the admin temporarily disable my 2FA so I can get in and set
>> it up on the new phone?
>>
>> --
>> My Best,
>>
>> Dave Cooper, david.cooper at gen.works
>> genworks.com, gendl.org
>> +1 248-330-2979
>>
>>
>
> --
> Ray
>


-- 
My Best,

Dave Cooper, david.cooper at gen.works
genworks.com, gendl.org
+1 248-330-2979


More information about the clo-devel mailing list