Adventures in 2fa with a Phone Company

Roel M. Hogervorst


Categories: blog Tags: 2fa rant security

So this happened to me.

A few weeks back… I received an email from my cellphone provider. That company was coming into the century of the fruitbat (screaming and kicking) and would provide 2FA on their accounts too! That is pretty cool, and so I enabled it, like I would recommend everyone. They did not have any choice, it was SMS 2FA or nothing. (Really a poor man’s 2FA, they don’t support OTP codes or something else, but I guess SMS-based 2FA is better than no 2FA at all!)

Today I updated my phone and restarted it. Enter PIN code for SIM card. “… fuck”. I completely blanked out on my PIN code. I haven’t turned off this phone in several weeks and I have been using another phone more. So my muscle memory was gone and I just blanked.

“shiiit.”

“Alright it’s okay”, I thought “I can get my PUK code from my password manager”. Check password manager: not in there.

Alright, don’t panic, I can get it from my provider!

Using the provider website

Log in on the website: username, password, check. “We send you an SMS to log in…” (right, on my phone, which is locked).

Calling customer service (call 1)

Alright, I’ll call customer service (with a different phone).

“PUK code”

Alright, let me try again.

Calling customer service (part 2)

“Operator” (I know, let’s get to a human!)

(Surely they would let me continue after this.) “PUK code”


Calling customer service (part 3)

“Operator” (Fuming inside)


And then I finally got a person on the line. The conversation was really OK; they verified who I was with several questions. And the person on the other side of the line actually tried to understand how I got into this mess and will report it back up.

Lessons learned

Extract your valuable stuff from companies and save it in a place you control, like a password manager. Treat customer robots (actual robots, not the humans, be nice to the humans) like the garbage they are? Profit?