Users ALWAYS gotta remember that their account is only as secure as the weakest login option. If you cannot disable SMS, for example, this is the strongest your account can get. Personally, I prefer OTP apps because I always lose dongles, but I still love the use of hard passkeys.
@shegocrazy 1 year ago
I have 2 yubikeys but unfortunately too many places don't support setting up two yubikeys.
@jeff_9074 9 months ago
What about in the event a user has their email hacked? The attacker browses the email and finds an email from a website the user belongs to. The attacker navigates to the website and changes the email address and password. Should backup codes be a method of account recovery? If so, should a user be able to recreate them on their own? In this case the attacker can just reset them, negating their use.
@TomO-nx1bd 3 months ago
I have often worried about this too. But I wonder if somebody breaks in and resets the codes, it may not go into effect until later. I know Microsoft accounts are like that with recovery emails. For example, my dad passed away and I had his password, but his recovery email was another email, which I changed to be my email, but the change took 30 days to apply. Maybe it's the same with recovery codes? So if you get locked out, as long as you use the recovery codes within 30 days they will still work, regardless of what the hacker does to change them. Not sure if that's how they work though.
@jeff_9074 3 months ago
@@TomO-nx1bd Thanks for the feedback, and sorry to hear about the passing of your father. That's a good process, to have a waiting period for changing an alternate email. I still haven't really found the answers I'm looking for, as it seems there really isn't a sure-fire way (yet) to easily gain back control of an account from a malicious user when a user's email was compromised. Some say to allow verification with security questions and answers, and ID; some disciplined in security say not to allow workarounds, as that defeats the purpose of the backup codes, which I believe, for example, Gmail only allows a one-time creation of. I ask 4 different security "experts" and get 4 different answers...
@jeff_9074 3 months ago
@@TomO-nx1bd And the person in this video never even responded.
@person-fy8kd 1 year ago
Lost my main secret key, glad I listened to this advice and had 2FA backups.
@ShannonMorse 1 year ago
whew!!
@shgysk8zer0 1 year ago
I keep mine on an encrypted flash drive. So, in a sense, there's 2FA in getting them (the physical thing + a strong password to decrypt everything).
@TylerAlderson 6 months ago
Wouldn't it be more secure to erase all the backup codes in order to prevent a brute force? To overcome the lack of backup codes, just use another app/key instead?
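An added illustration, not from the video or any commenter, of how a service can handle backup codes so that the brute-force worry above and the "attacker resets the codes" worry raised earlier are addressed: codes are random and high-entropy, stored only as salted hashes, burned on first use, redemption locks after a few misses, and regenerating a set invalidates every old code at once. The constants, class and function names are constructed for this example.

```python
import hashlib
import hmac
import secrets
import string

# Constructed illustration of server-side backup-code handling; not any real site's code.
ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols
CODE_LEN = 10                                        # 36**10 ~ 3.7e15 possible codes
MAX_FAILURES = 5                                     # lock redemption after this many misses

def generate_backup_codes(count: int = 8) -> list[str]:
    """Random single-use codes from the OS CSPRNG."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN)) for _ in range(count)]

def _normalize(code: str) -> str:
    # Users type codes with spaces, dashes and mixed case; compare the canonical form.
    return "".join(ch for ch in code.lower() if ch in ALPHABET)

class BackupCodeStore:
    """One account's record: salted hashes only, never the plaintext codes."""
    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self.failures = 0
        self.hashes = {self._hash(c) for c in codes}

    def _hash(self, code: str) -> str:
        return hashlib.sha256(self.salt + _normalize(code).encode()).hexdigest()

    def redeem(self, code: str) -> bool:
        """Consume a code: each works once, and blind guessing trips a lockout."""
        if self.failures >= MAX_FAILURES:
            return False                  # locked; caller should demand another factor
        candidate = self._hash(code)
        for stored in self.hashes:
            if hmac.compare_digest(candidate, stored):   # constant-time compare
                self.hashes.remove(stored)               # burn it: single use
                self.failures = 0
                return True
        self.failures += 1
        return False

    def regenerate(self) -> list[str]:
        """Issue a fresh set; every previously printed code stops working at once."""
        codes = generate_backup_codes()
        self.hashes = {self._hash(c) for c in codes}
        self.failures = 0
        return codes

def guess_success_probability(remaining_codes: int, attempts: int = MAX_FAILURES) -> float:
    """Upper bound on the chance that `attempts` blind guesses hit a live code."""
    return attempts * remaining_codes / (len(ALPHABET) ** CODE_LEN)
```

With eight live codes and a five-attempt lockout the guessing bound is on the order of 1e-14, so keeping the codes is not what makes an account guessable; leaking the printed sheet is.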
@MaxPower-11 1 year ago
Yubikeys keys are cool and all, but once passkeys are adopted more widely I can see their utility diminishing greatly, since their function can be replaced by TPM or TEE elements in existing devices. These elements provide the same type of "something you have" factor but without having to carry around extra hardware. I guess Yubikeys might still be useful for physical device access (vs. logging into online resources), although technically I guess one could set up, say, a mobile phone as a required factor for logging into a PC in place of a Yubikey.
@kg4tri 1 year ago
When it comes to business accounts and company-owned devices, passkeys are going to be useful. I have had an account hacked several times and the only thing I trust is something that doesn't rely on wireless technology. Anything wireless is more hackable than something in your pocket. A physical device that I can take from one device to another is better than one installed on a single device. I don't like or trust cloud servers either for a few reasons. Passkeys can be used on devices with TPM or TEE elements for added security. The more walls and encryption you put up, the harder it is to be hacked. The TOR network works this way.
@ShannonMorse 1 year ago
I'd rather have a physical passkey than one that's tied to a phone - even if I'm not uploading that passkey as a cloud backup, a phone is more likely to get stolen than a little flash drive I've hidden somewhere.
@jeffhale1189 1 year ago
Thanks for sharing…great information. Blessings on your day!
@Melker63 8 months ago
Having your old phone fully functional even after you bought your new phone seems to me to be more practical. The installed authenticator app on the old phone works as a backup to the installed authenticator app on your new phone. Always have two fully functional authenticator apps installed and working at any given time.
@ShannonMorse 8 months ago
Great idea! I definitely don't find carrying two phones to be practical every day but do keep authenticator apps duplicated on my old phone. However, since time based codes can be stolen, the hardware tokens are still stronger since there is no human-readable code to be typed in.
@ColoRadio6996 1 year ago
GM Shannon, always has great content... J
@FluffriousCorgii 6 months ago
Hi! I have a terrible decision about backup codes. I never use them because I don't trust them, but I'm conflicted rn.
@janokartal5690 1 year ago
Nice one Shannon
@jsleezy914 1 year ago
I totally am in love with Shannon 🥰🥰🥰🥰🥰 looks are cool and all but an intelligent mind is everything!! great content for us tech peeps!!!!!!!! 🙃🙃🙃
@Godisgood-p9v 9 months ago
I reinstalled roblox when I went back on 2fa and I never put it on 😢😢 new 😭😭😭😭
@bernie.avtechnician9120 10 months ago
So once I have used the backup code, how do I disable my 2FA in, say, my crypto exchange, so I can start from scratch and then activate the 2FA again?
@ShannonMorse 10 months ago
This entirely depends on the crypto exchange. I would suggest going into your security settings and checking if there's a way to turn off 2FA, remove your key or authenticator app, then start over.
@jamiebury1807 7 months ago
I prefer to just write them down safely, but ofc it's handy they saved them. But I don't see it being great; I mean, if you have lost your password and can't get in to get the codes, what good is it?
@crc-error-7968 1 year ago
Hello Shannon, I just bought 2 keys, is it possible to use one as primary and the other as "backup"?
@ShannonMorse 1 year ago
Yes!! I'm working on a video tutorial!
@crc-error-7968 1 year ago
@@ShannonMorse Thank you! Can’t wait to see it! 👍👍
@DixonLu 1 year ago
Any 2nd factor device (like Yubikey) is one more thing to remember to bring on a trip that can be lost. Where can I put it that is less vulnerable than my phone?
@MaxPower-11 1 year ago
Well, the whole point of 2-factor authentication is that one of the factors is something that you *physically* have to have with you. As such, you are going to need to carry that *something* with you. Now once passkeys become prevalent, then your physical phone or PC can act as that second factor and conceptually replace a Yubikey for logging into online resources. This is more secure than 2FA SMS authentication because, although SMS authentication does require that you have physical possession of your phone to receive the SMS, the SMS itself can be redirected to a different phone through a SIM swap attack. With passkeys, though, your phone is immune to SIM swapping attacks because the cryptographic key is securely stored on the device itself, rather than being associated with your phone through your line with your wireless carrier. Passkeys are a pretty ingenious invention and hopefully they become more widely used.
@ShannonMorse 1 year ago
This is a solid reply, thanks Max!
@reefhound9902 4 months ago
@@MaxPower-11 SIM swaps are rare, much rarer than YouTube experts would have you believe. And new FCC rules now require all carriers to support Number Lock. Authenticator apps are not "something you have". If you have the seed value or QR code, you can set up 2FA in as many apps or devices as you want. You could have your auth codes being generated by many different people on many different devices at the same time. And you wouldn't even know it. At least with a SIM swap, you will know it because your phone quits working.
@MaxPower-11 4 months ago
@@reefhound9902 I was clearly talking about passkeys (specifically, device-bound passkeys), not TOTP-based authenticator apps (which is what you are referring to).
@MaxPower-11 4 months ago
@@reefhound9902 I am clearly referring to device-bound Passkeys, not Authenticator apps (which is what you’re referring to).