What to do when you lose your TOTP seed

Jul 24, 2020 - written by in Domain names

How to deactivate two-factor authentication

No matter how long and complex it is, or how frequently you change it, you shouldn’t rely on a password by itself to protect your most sensitive online accounts. For keeping your valuable domain names safe, we recommend not just using a strong password, but activating two-factor authentication.

If you can’t use some form of WebAuthn-compatible authentication, like a universal two-factor authentication USB key, you can use timed one-time passwords with your Gandi account.

To set up timed one-time passwords, or TOTP, the most common approach is to download an app on your phone that stores a “shared secret” (a 16-character encoded “seed”) and generates one-time passwords based on that shared secret and the current time.

But what happens if you forgot your phone at home? Or it got stolen in the subway? Or you dropped it in the ocean?

Well, once your phone is gone, your shared secret is gone with it.

So are you locked out of your Gandi account forever? Not quite. Here are three ways to get access back to your Gandi account safely and securely.

1. Fill out the form

In the past, the only way to deactivate TOTP authentication on your Gandi account was by completing this form.

If you don’t have U2F set up or recovery codes, this might still be your only option.

Whenever you need to use this process, it’s important to remember that Gandi takes account security very seriously. So when a user activates TOTP, or any form of two-factor authentication, we won’t deactivate it and allow entry into the account unless we can be sure the person requesting it is the owner of the account.

Along with this form, you’ll need to submit proof of identity, and Gandi will conduct further verifications of your identity before giving you access.

Obviously, this is not convenient if you need urgent access to your account. That’s why, if at all possible, we recommend the other two methods outlined below.

2. Use universal two-factor as a backup

If you’re more comfortable using TOTP as your preferred two-factor authentication method, you can use universal two-factor authentication as a backup.

The most popular method is a USB key that you insert into your computer’s USB port and tap a button on to validate.

One thing we’ll note: since this type of two-factor authentication is more secure than TOTP, and often easier to use, we recommend using universal two-factor authentication as your primary two-factor authentication method and keeping TOTP as your backup, rather than the other way around.

Either way, combining both methods gives you a way into your account through two-factor authentication if you lose, or otherwise can’t use, your main two-factor authentication method.

Activating Universal two-factor authentication (U2F)

You can use any device that supports the WebAuthn standard to activate universal two-factor authentication at Gandi. This includes some devices that might be built into your computer, like Apple Touch ID, which lets you use your fingerprint to authenticate.

After you make sure your browser supports it, click “User settings” under your username when logged in to your Gandi account.

From there, go to “Change password & configure access restrictions,” and then “Manage your security key authentication” and follow the instructions to “Add a new key.”

3. Use recovery codes

Now, when you activate TOTP at Gandi, we provide you with a set of recovery codes. This makes it a lot easier for you to get access to your account in case you lose your phone and can’t use TOTP. Even better, you don’t have to rely on our team to verify your identity.

Recovery codes are special codes that we’ll provide you when you activate TOTP that you can enter instead of your timed one-time password when you log in.

If you don’t have TOTP activated yet, you’ll get yours when you activate TOTP on your account. If you already have TOTP activated, you can only get recovery codes by deactivating and then reactivating TOTP on your account.

Deactivate (and reactivate) TOTP

You might need to deactivate and reactivate TOTP on your account not only to get recovery codes if you don’t have them, but also after you use them. Once you’ve logged in using your recovery codes, if you have a new phone, you’ll need a new TOTP seed.

The TOTP settings are in your account’s “User settings.”

From the user settings, click “Change password & configure access restrictions.”

Then click “Disable TOTP.”

To activate TOTP, click “Enable TOTP,” read the instructions to complete the activation and get your new recovery codes.

Keep your recovery codes safe

Finally, when you get your recovery codes, it’s important that you store them safely and securely.

Write them down, put them in a ziplock bag, and bury them in a metal box in your backyard, put them in a safety deposit box, write them in sharpie on the underside of your mattress, tattoo them on your scalp and shave your head when you need them, whatever you have to do to keep them safe.

We don’t, however, recommend storing your recovery codes in a password manager, especially not the same password manager you use for your Gandi account password. Why? Your recovery codes are a backup second factor. If you store them alongside your password and your password manager is breached or its database is leaked, you’re as exposed as if you weren’t using two-factor authentication at all.

UPDATE 7/24/2020: A Twitter follower also pointed out there’s another method you can use to get access to your account if you lose your seed: back up your seed.

Here’s how it works: when you activate TOTP at Gandi, for example, you’re asked to scan a QR code, which actually contains a URL. The URL looks something like: otpauth://totp/LOGIN?secret=1234&issuer=gandi. The key part to retain from this URL is the value after ?secret=. This is your shared secret, or seed, and you can save it the same way you would save your recovery codes above.

This method is worth mentioning because not all providers give you recovery codes, so for those that don’t, you can save the seed this way and safeguard it the same way we describe for recovery codes above.


In the end, if you want to keep your account safe without sacrificing convenience for security, using TOTP is a good way to secure your account. Even better, you don’t have to lose time getting your identity verified if you use a backup form of two-factor authentication, like U2F or recovery codes.