Have you ever thought about what would happen if you lost all

devices, authenticated with your password or your MFA system?

You had a fire that took out everything and you couldn't even

grab your phone before you left.

It was that bad.

How do you get back in?

That's what this episode is all about.

hi, and welcome to Backup Centrals Restore it All podcast.

I'm your host w Curtis Preston, AKA a Mr.

Backup, and have with me once again my financial non-ad advisor Prasanna

it

Ah, Curtis.

Yes.

I am not your financial advisor.

I am not accredited by any institution or any agency.

right, But sometimes we talk about things.

That you answer questions and then you tell me to check those answers.

Um, we had, we had some conversations about Roth IRAs and IRAs and things

today, which, you know, um, it's, it's incredibly, you know, as I.

As I progress in years, um, and I start to worry about when I'm gonna

start withdrawing from these funds and not, not be putting money into them.

The thing is advisor, non-ad advisor or not, it was from you that I learned

the whole thing about Backdoor Roths.

So I'm sure when I have questions, I will not be able to count on my non,

my financial non-ad advisor.

Prasanna,

There you go.

It's just bits and pieces of information I've picked up over

the past many, many years, and it's just something I'm interested in.

So,

uh, so this is gonna be, once again, kind of a unique

podcast, a unique episode, uh, because for the first time, We have, we're

gonna record sort of the question and then we'll talk about the, the answer.

Um, because we had a listener who reached out to us about, uh, you

know, a particular, it's like, what do I, how do I solve this problem?

And I honestly, I said, you know what?

I'm not even sure I have a good answer for that, but let's bring you on.

You know, get some, you know, get that question out there and then we're gonna

bring on someone else to do the answer.

So, uh, our guest today describes herself as an anthropologist by

training, a programmer by application, and a manager by necessity.

She's a system and network admin for her own company that her and her

husband have owned for many years.

She reached out to us with this question and I think it will make a great episode.

So welcome to the podcast, Sue Peterson.

Good afternoon, gentlemen.

Happy to have you on.

Yeah,

is it?

Well speak for yourself, Sue.

Not, not here.

Where, where are you?

Uh, are you, you said you're in Portland.

Eugene.

Eugene.

nice.

we, we had, we had over an inch of snow, um, two days

ago.

Oh,

Wet snow.

Oh yeah.

That I,

That does not

lived in places where you get that.

Um, how, how are the roads at this point?

Totally clear.

It melted

immediately.

Oh,

Oh, really?

Okay.

So why don't you describe to us this problem that you,

that you're worried about,

Well.

I'm kind of the IT department for the company My husband and

I own have owned since 40 years.

Um, he inherited his father's business, which started in 47.

So it's family business.

I've got.

On an average day around 30 ish employees, at the moment we're

running 15 trucks, I think,

although he keeps buying trucks, so I may have miscounted.

And what and what type of business is this?

it's contracting business, plumbing, business, plumbing repair,

Mm-hmm.

and I'm running the computers and I wrote the database

and we're running in-house software almost totally, um, for our, for our

business and.

Customers and everything.

Customer who owes me money sort of stuff.

And backups are important when everything you do depends on that data.

So I've been fanatic about backups since 19.

I got my first computer,

Personal computer in 1985,

Is it for the record?

That's the year I

graduated from high school just saying.

I figured I was a little bit older than you.

I was, I was trying to count that.

I still do the, I still do the ponytail.

Um, so I started doing backups then, um, at the moment I'm running

a mix of Ubuntu and Mac machines.

The servers are on Ubuntu.

I run MySQL.

So every night, let's see, I'm doing, um, Apple time machine

on the workstation that are.

Still apples.

I'm doing Authy for authorization.

As we talked, I am dumping everything to rsync every night.

I do crash plan on some workstations.

I do Dropbox and one password every night, um, every couple hours.

And then nightly, I do a MySQL dump.

It's encrypted and up and zipped and uploaded to, um, Dropbox.

And then every night that gets downloaded to my server at, to my

second server at home Decrypted.

And it's kind of a.

Yeah, test server.

And that gets sent to rsync every night.

And I was, a couple years ago, we had some issues with fires in the area and of

course we're an earthquake zone and I'm paranoid, so I'm sitting there and saying,

How do I get back into this system?

Assuming I have five, you know, five minutes to get out of

the house and down the road.

Right,

I, I, I can't grab

anything.

I'm running

for life.

And, and this include, and this also includes like your phones,

right?

Everything right.

It's not just like those

servers.

Gotcha.

Yeah.

I mean, servers, I can rebuild.

But what, what do I need with this ecosystem?

What do I need to have to get back into it?

And one password, a few years ago went to something where your phone number,

you need more than your phone number.

Hmm.

need.

You need that special key that they give you.

Okay, that key's like this long.

I don't memorize it.

Yes, I have it printed out in my safe.

Mm-hmm.

case analysis, my safe's gone.

Yep.

Right.

Now, now, now the odds of this happening are

minuscule, but you know what?

Yeah, no, this is, this is a great question because I

know Sue, we're

talking about your specific environment, but honestly, this could apply to anyone.

Like I was just thinking, like when I first heard about this question, right?

I was like, so what happens if my house burns down?

I've lost my laptop, I've lost my phone.

How do I even get into like as a user into like my Apple device, right?

And into my.

Apple account and then into my mail system, like where

do I even start to rebuild?

Because sure, I have offsite copies, but if I can't get access

to it because I don't have a starting device, what do I do?

yeah.

Yeah.

I was thinking actually, This would be, um, you know, who, you know,

who, uh, came to mind Prasanna, um, what's, what's her name?

The lady, the, the disaster preparedness

Oh

Oh yeah.

yes.

Uh, what was her name?

Um, or her name's escaping.

Uh, she, she, she came on and she's, she talks about helping people get

ready for all kinds of things like these, that she doesn't focus just

on it, but she focuses on, I think, these things that we talk about, which

is h how do you, how do you put back, uh, how do you put back everything?

The more complicated.

The more complicated.

Uh, so you're, I, so first off, I'll, I'll just say this.

I think it, it sounds like you're doing all the right things.

I mean, we might change different pieces of it, um, you know, like,

would I do it slightly differently?

Maybe?

But I like that you're, it sounds like you've got, uh, it sounds like

there's a cloud copy of everything.

Right.

Um, and it also sounds like you've got a local copy.

On this server.

Okay.

Yeah.

Yes.

Yeah.

An offsite an offsite copy, right.

But it, it, it's offsite from, from where the data is, but it's still local to you.

Um, and, and then you also have a cloud copy, cuz a cloud copy could easily

be your, the doomsday copy when this.

right.

All goes to hell.

Uh, the question will then be, and and also I like that

you're using a password manager.

We talk a lot about password managers here.

I'm paranoid.

yeah, well, as you should be, this is a paranoid world.

Um, and then also you've mentioned that you use Authy for, uh, uh, mfa, right?

Yeah.

Not for everything.

Not for everything.

Some stuff won't use it,

but

yeah.

yeah.

and and I think we should talk, Curtis, I know when we talk about the

solution, right?

This'll come up, but I was just recalling your situation.

Remember when your cell phone.

You swapped your cell phones and you hadn't done your yet.

Yeah.

well, well, that's what, that's how I ended up at Authy.

Uh, Sue, I was originally with, um, a Google Authenticator, and the problem

with Google Authenticator is when you change phones, you have to make that.

Switch over.

And if you don't, at the time of changing the phones, you

have to start all over, right.

And ma and make, uh, new tokens for everything.

And that was a giant pa and that's kind of what you're talking about, that

scenario of how do, how do I do that?

Yeah.

And, um, while you're, you're definitely more that

you're, you're, I put you in like, like the prosumer category, right?

You're a relatively small shop, um, but you're, but you're doing this

from a, for a professional reason.

Um, and, um, Oh, by the way, yeah.

And I like the fact that you're encrypting that database.

Um, I don't want to ask you too many questions about how,

how you're encrypting it.

There are ways perhaps that you could change your infrastructure

that perhaps the bootstrap.

Issue might be easier to deal with.

So for example, I, if you moved the, instead of having a MySQL database on

a, on a Linux server, if you went with a hosted MySQL database somewhere,

um, so that it was in the cloud, that

would be, and, and I'm not suggesting these changes, I'm

just saying these are, these are

Different trade offs.

you could make.

Yeah.

Different trade offs.

Right.

Um,

haven't made

By the way, here's our usual disclaimer.

This is an independent podcast, uh, and that, uh, you know, the opinions that

you hear from Prasanna and I are ours.

And also, um, be sure to rate us please.

Uh, it helps us, it helps people find us.

And, uh, by, just scroll down to the bottom there and click on the.

Five stars and hopefully five stars.

If, if you think we're one stars, then you know it's really not necessary for you to.

Um, and, um, and then also if you would like to join the,

um, uh, the conversation, then reach out to me the way Sue did.

Uh, you can either use w Curtis Preston gmail, you can use at WC

preston on Twitter, or you can use LinkedIn linkedin.com/i/mr.

Backup.

Uh, and you'll find me.

So let's just sort of walk through this.

Um, the one you, you were ta so with Authy you can back up the keys, right?

You can back up the, did we call, what did we call them?

Keys

key.

Recovery

key.

Yeah, the rec, well, they have the recovery

keys, but also you can back up the

vault, right?

Um, and then you can restore that somewhere.

Um,

tried restoring

it, but presumably it

works.

then, then the backup person in me would say that

you don't really have a backup if you've never tried restoring it.

So that would be step one.

Yeah.

So I, I think any of these things, the only way you're going to know, the way the

experience is really is to try it, right?

Is to say, okay, I'm standing here.

Um, and, um, uh, I have nothing.

I have, I just went to the mac st I went to the Apple store and he has bought a

new iPhone and a new MacBook and I have, uh, hopefully my, you said one password?

Is that what you said?

Yes,

Yeah.

So hopefully you know your one password master password.

I do, but I don't have the recovery key or whatever they

call it, because my safe burned down.

well, you shouldn't, well, again, I don't, I don't use

one password, I use Dash lane.

But the way, um, the way I would think it worked, the, the way

I would think it would work.

They have no way to get into anything.

If you lose that megalong key, they tell you to print

it out and put it in the safe.

And I think I,

I

as far as I can tell, one password is

my key.

How do I, how do I,

I, I'm

different than other,

that that's,

yeah.

I thi willing to guess that that's what I would call a recovery key.

Right.

Which should again, I'm sorry.

I should cuz I'm not a one password customer should only

be necessary if you forgot your.

Master password, I'm pretty sure, right?

Um,

password, I would not forget, but setting it up

on a

so the, by, what's your, what's your master password?

Tell Sue what's

your, um, so, but yeah, so, so the theoretically, so the, so one

password should have an MFA set

up, right?

right.

Um,

But then what's the pro?

But how do you get, and I know we're trying to,

on it depends on how mfa Yeah.

We're, we're trying to solve the problem, but I, but I'm just

sort of walking through this is sort of what you have to do.

So, and the only way you're gonna know it for sure is to go try it once basically.

Um, essentially,

when I set it up on a new,

new box, I need the secret

key.

yeah.

So, um,

so really, so you're saying that when you set it up,

Uh, when you go to use, um, one password on a new laptop or whatever,

I need that secret key.

you need the secret key.

You do.

You need your, you need your master password,

your username, and the secret key.

That's probably the equivalent of like two factor authentication, right?

You've got the, you got the one password question.

Their solution is to

give a, um,

friend

Uh, key.

Yep.

State.

That's exactly what I was thinking.

You give it to someone else who doesn't live anywhere near you.

They can't do any harm with just the recovery key, right?

Cuz they don't know the master password and they can always

give it back to you later.

But then I need to find somebody who wants that

responsibility and who is trust.

I have people that I trust

utterly, but that's a lot of responsibility to put on somebody.

yep.

You can give it the, give it the Prasanna.

He's a pretty responsible

guy.

Um,

willing to pay for the

privilege.

we'll be your we'll be your key escrow service.

Um,

not be a bad business, you know?

yeah.

Might

I seriously.

Yeah.

The um,

Seriously,

That is a, yeah.

So I'm gonna have to go research the one password thing with ay.

please do.

Um, there should be, um, there should be a, well,

there is a way to basically move your authy vault onto another thing.

Most of the MFA stuff for, for this level of, of stuff is often built into

a device, which in this case it would be your new phone that you just bought.

Because, right.

And so you'd have to see what that looks like.

Um, so just grab your husband's phone and set it on fire

and then, um, you know,

see

see what

that's like.

See how that, see how that goes.

Um, don't do it to

talking about getting a new phone

if he wants.

If any of you get a new phone, this is the time to try to think.

Right?

So with Athie, What I know that is Authy recommend.

So it regularly backs up my, my Vault and it regularly asks me, prompts me to, um,

for the password to that vault,

drives

which I also store in, um, in Dash

Lane, which I'm not using othe for.

So, so by the way Dash lane, the way Dash lane works is, um, That they

would need, they would, they would send, uh, like if everything was

dead, they would send a text to my phone to authenticate that device

for, um, for that you would need the password and be able

to respond at that number.

Um, now I, now I gotta go.

I gotta

go find that out.

I gotta find that out for my

own thing.

Well, and this

is the thing,

is why I really like the

of it.

Yeah.

I think you guys got me down this rabbit hole.

Yeah.

Yeah.

Well, this

is, this is

what's, so you got, we got you thinking about it.

Now you got us thinking about it.

I, I, which is why I thought this would make a great episode.

Everybody should think about this.

Think about the stuff, the, all these key managers that you have, right?

So you have things like othe, Google Authenticator.

Um, you know, one password, hopefully not last pass.

Um, because of, you know, all the, all the fun that they're going through right now.

I think we've got a good idea of this problem for sure.

Um, so now we just need to go get the solution.

Uh, so we talked about, so we have crash plan, we have Dropbox, we

have one password, we have Authe.

Yeah.

Um,

And ay are my

yeah.

R you're talking ayq.net.

Right.

yes.

Yes.

Sorry.

Okay, so you're, you're, so, just, just

to make sure I understand, you,

you are an ssy.net customer because

of this podcast.

It is your fault.

Do you hear that people over there

we're just making money left and right for other people?

Well, with that, Sue, uh, I want to, uh, thank you very much for coming

on and giving us problems and, uh, and, but you, you have to wait until

we record the answer episode and then we'll put it out and then you'll

have the answer to all your problems.

I I certainly hope so.

I think we need to bring on Daniel, what do you think?

Um, you know, yeah.

Uh, you know, he, we, we've talked about him a lot.

We've had him on the pod.

Uh, he, he's an interesting, he's an interesting individual

that, uh, you know, he is, he.

You know, he's professional.

He's a marketing communications specialist, but he also loves backups.

Uh, he's, he's, he lives in Israel, but he has an Irish accent.

Uh, he's been, he's been a guest on the pod.

You've heard if you list, if you're a fan of the pod, you've heard

us reference him a time or two.

Uh, it's our very own backup anorak Daniel Rosehill.

How's it going, Daniel?

Hi Curtis.

Thank you for having me back on the podcast.

You know what, uh, we're super, we, we talk about you all the time,

I think I name drop him.

Yeah.

Anytime.

It's like, hey, we should be like, I think you've come up so many times

with when it comes to MDIs, right?

I know you're the one who sort of pointed us in that direction, been

like, Hey, have you guys heard of MDIs?

Right.

And for archiving.

the way, Daniel, our single most popular two episodes

are the one where you and I I talked about M disk and when we had the,

the founder of M Disk on there.

I'm, I'm, I'm, I'm actually com completely flabbergasted to

hear that because I, I've been working on the assumption until this point that I'm

keeping, I'm, I'm the sole reason that the m disks are still being produced.

Keep keeping the company in business.

You know, it is interesting.

There are those who are like, oh, this is the greatest thing ever.

There are those who are like, oh, well it's just the same as that.

And there are those who are like, good.

It's complete nonsense.

And, um, it is, it is.

Um, It is concerning, right, that there's just like one vendor that's producing

the disks and they could decide tomorrow they're like, for some reason we sell

a whole bunch of these in Jerusalem.

But other than that, we don't sell very

Stockpile stockpile.

It's funny.

So Daniel, I started thinking about, okay, what should I

be doing for my data as well?

And started looking at M disk and went down that rabbit hole and.

I found a deal on Amazon because I was like, most of the time

they're fairly expensive.

I ended up ordering it.

You have to be really careful because a lot of times you'll end up with

Blu-ray discs and not M disk, which are two different types of media.

You really want the M disk for your archival media, and so I have not

continued down and found a deal yet, so I am waiting to back up my data.

Interesting.

I, I, I think we were talking on, on Twitter Prasanna as, as we sometimes

do, and, uh, I believe you're asking me whether I have a backup to the writer.

And then I realized there was a, there was actually a crucial gap

in my m disk, uh, backup strategy.

Um, but as, as, as, as Curtis mentioned, the m disk is the

most unusually polarizing topic out there, like people on.

Spread for whatever reason, are convinced that m disk is nonsense.

I, I, I haven't yet seen anyone really sort of come with cohesive proof to

say why MDI is, uh, is, it's all, its claims are false, but there does seem

to be people out there with vendetta.

I think Curtis has noticed the same thing.

So I, I'm mostly just leaving them to, to be.

Yeah.

Well, I think, I think you pick any topic and you go on Reddit, you will find

somebody who thinks that topic is Right?

So Sue has given us this question Prasanna.

Uh, it's the whole, you know, we're calling it the bootstrap question, right?

we always talk about, yeah, how do you get your data back?

But it's like, what do you do before you could get your data back?

Like what's step zero?

Well, if this was, I, I think we can agree that if this was a company

that we're talking about, um, and she is talking about a company, right?

Um, she she was talking about right,

yeah.

She was about come.

Yeah, but I.

was a company that we're talking about you, you should absolutely be

having this conversation and, and I would think it would be easier to

have for a company than for a person.

it because I know we that will.

I think the challenge with the company is you don't necessarily know where

all your data is or all the systems, you kind have all these siloed groups

who have different responsibilities.

So I know Curtis, you and I had previously talked about a shipping

company that got hit with ransomware.

Right.

And they lost active directory servers and they didn't have a backup of those.

Right.

And they just happened to find one system that.

Was out of sync.

Right.

I believe was the case And was able to recover that.

Correct?

Yeah.

Yeah.

Well, yeah.

Oh yeah.

That, that was the, that was that, that huge hack and basically they, it, it was

a, it was a, it was a fortunate storm, so it was a storm had taken one of

their active directory service offline, and so it wasn't online when someone

hacked and destroyed active directory.

And so, but they didn't have a backup of ACT directory, but they

just had one domain controller that was offline, thankfully.

And they were able to bring it back on and, you know, and then

they went, and then they went out.

That's just a crazy, crazy story.

Um, I, I think what I meant, and, uh, Daniel, you know, jump in here, um, what

I meant was, There are pro if you don't know where your stuff is, you're right.

Prasanna, and, and, and probably it's, it's, it's easier to not know where

your stuff is if you're a company, but there are products that you can

buy and there are, uh, usually Right.

Um, cuz I just got, I just got done editing the last pass episode where,

you know, I was really hard on them for using a homegrown backup product.

And you were saying, well, Sometimes that's all you can

get even when you're a company.

But generally speaking, there's a product that you can buy or a

service that you can buy, and um,

There's,

of buying the right products and services.

also the other case that those tools are usually intended for having multiple

people administer a system, right?

So, unlike right, like you're gonna, you're not just gonna trust the entire

keys to your kingdom to one single person, right person that sits by a bus.

What do you do?

Great.

it always that?

Why can't it be they won the lottery and moved to Bahamas?

Nah, because then that makes it why is it a, why is it always gotta be Daniel?

I don't know.

What do you, what do you think here?

I mean, you, you, you heard the, you heard Sue's question.

Um, you know, how, how ba how bad off are we here?

Well, Curtis, I, I think the situation is probably

best described as catastrophic in the world of personal backup.

There, there is absolutely nothing and, you know, unless you take sort of

active personal protection measures, uh, you know, all your data just sitting

out there in the cloud, and I think the scenario Sue was talking about is

something that could, I mean, it could happen to anyone in any personal context.

Right.

I've, I've certainly been.

You could, uh, get drunk and your phone falls into the, the river or the sea, cuz

I know you guys are on the West Coast.

So really if you spend your time thinking about it, this is really

sort of a fast track to insanity because you realize how ter incredibly

vulnerable, pretty much all of us are.

And it's just a case of how can you reduce that vulnerability just a small bit.

Thank you very much.

Everybody come in.

Take I, I thought maybe you'd give us a little bit of hope,

Daniel, that that sounds bad.

Yeah.

I mean, it, it, it's a, it's a bad situation, but, you

know, I think that the, the backup anac community right now is, is very small.

But, you know, you guys doing this

podcast are spreading, spreading awareness, and I think it, it's

gonna take a lot more people asking questions and poking flaws in the

sort of backup and recovery approach of a lot of these, um, a lot of

these companies, you know, especially stuff like two factor authentication.

Now that it's sort of so essential.

Um, but there are still some services that, you know, you really, if you

get locked, it's quite easy to get locked out of for good and that kind

of huge ramifications for people.

One of the things, just speaking about that, right?

So after talking to Sue, I started looking and being like, Hey, what do I do?

Because for me, if I don't have access to my Apple id, everything kind of breaks.

Right.

And so I was like, how do I get access?

And so I looked and about 10 years ago I'd created a recovery key because it was like

a 20 digit key that Apple had at the time.

Turns out they no longer use those and they never tell you about it.

So, but luckily with newer versions of iOS, you could actually create

a recovery contact, which a lot of other services use as well, right?

Where you can say, Hey, if I don't have access and I can't do two-factor

authentication, here's someone else that I trust that you can send my key to.

Or at the code two verification code, and then I can get it from them.

So it's not like you're, because I know Curtis, one of the things

we've talked about is, Hey, you've lost your phone with Sue, right?

It's like, Hey, you've lost your phone.

You can no longer get two-factor authentication.

How do I even get into my password manager in order to be able to

get that first bit of data back?

Right?

The password.

So then I can actually get into my actual data vaults.

Well, the, the one with the, the password manager, I feel was

the one where, To me, that's where it all starts for me personally, right?

You talked about I need Apple, I need access to Apple, and I agree, right?

I need access to Apple, or I need access to this service and

that service and that service.

Well, those are all passwords.

That without my password manager, I am gonna have no idea how to get into Right.

And in order to, for many of them, I can recover my password if I can log

into Gmail, which I won't be able to log in without my password manager.

Right?

So for me, the password, I, I think the password manager is where you start.

And um, and I think that's what concerned me most about Sue's

story was that she needed.

What was it that she said she needed?

it's, it's two things.

So it's a key file and it's the password,

right, so she actually has to, she has a

file that she has to back up.

So to me that's a catch 20 for the thing that starts all the things.

What do you think, Daniel?

It, it seems like that's a catch 22.

That's unacceptable.

Right.

I think that, you know, um, what Prasanna said is, is, is really essential for

anyone looking for a password manager.

So I don't, uh, you know, Don't, don't, don't try to hack me after this, it,

it may be true that I use Bit Warden and I was looking at sort of what

options they have for recovery today.

It's one of these, it's kind of more geared towards open source and whatever,

and they have, it's pretty decent.

You can sort of configure an email address and a phone number and you've

got various layers of recovery.

That if you get locked out.

So that's one of the better ones.

But I've definitely, I know there's a lot of password managers on the

market, especially when you're talking about sort of Sue's situation, more

complicated ways of authentication.

You'd see in the enterprise environment, uh, you know, you need to have these,

because, you know, if you're sitting in a hotel room trying to get access in

a different country, it's just way too complicated to go fishing out sort of.

Uh, key files or credentials or, or code samples.

It's just not gonna happen.

Um, the, the other thing that, you know, I, I was thinking, uh, Curtis, as you

mentioned, the sort of password manager as being the basis, uh, for everything.

And I think the other.

Thing that we're seeing at the moment in personal IT world is with this, uh,

you know, single sign on that you create accounts with services through your

Apple ID or Google, and that's making the Google a choke, a choke point that

if you got locked into your Google now you got locked out of everything.

So it's a big vulnerability.

I actually ran into it.

I was traveling two years ago and I got locked outta Google because I

was logging in from different hotels in the us and it, you know, it,

the IP pattern detect flagged me as a whatever it thought my account.

And it was a really, really difficult, uh, situation to get my account access back.

And if I didn't, it just kind of occurred to me that, okay, it would've been

locked out of Google, which would've been catastrophic, would've lost all

my emails, all my calendar, everything.

I also would've probably been lost.

Locked out of everything that I authenticated through Google.

So the password manager is crucial and uh, whatever that sort of second

layer is that you're authenticating different services through is

also

That's an interesting point that you brought up, uh,

Daniel, because I had recently started thinking that maybe because I have

like 700 accounts, On various websites.

And I started thinking that maybe I should use the Google, you know,

just log in with Google, uh, instead of having yet another account.

And I never really thought about the fact until just now, because like if

this happened with Okta, If you were a company, and this happened with

Okta, you have a tech support line that you can call in and you can say,

Hey, I'm paying you, you know, this much money a month for my company.

Fix me.

Right?

But this is your free Google account.

You know, there's, there's, if you get locked out, you can get locked out.

You know, there are stories of people that get permanently

locked out of accounts like this.

Uh, and that, that is a real mess.

So I, I think so.

I, I think you brought up a really good point, Daniel, but let's, if we go back

to the password manager, I think that, um, uh, you, you, you mentioned Daniel,

you mentioned of like, if this is for a, maybe a company where you might

want to have a second level of mfa.

Uh, uh, I just, I, I think because the question here is,

Is that doomsday situation where you've lost everything, right?

You've lost your phone, you've lost your servers, you've lost your

computers, you've lost whatever, and you have to start from scratch.

Right?

To me, there's definitely a fine line between, at some point we do

want to able to authenticate, and it just sounds like in Sue's situation.

That her password manager has a catch 22 that if she loses that file, she will

never get back into her password manager.

Doesn't that, that just seems wrong to me.

Yeah, I mean, I've, I played around with, with, uh, with

a few different pastor managers, but I think that that's, that's key

is the sort of recovery functions.

And I think that if.

Anyone building a password manager for the enterprise or for personal

it use has to think about these sort of catastrophes, right?

I mean, it's a product made for backup and disaster recovery.

It's, it's in the name that you should anticipate they're being disasters,

uh, like, like the phone falling into the, so, um, I think that any,

any backup, any password manager.

I use one I like.

I also used Oy for a while.

And actually it's funny, uh, Curtis, I had the exact same situation that you did.

Um, I don't want to sort of disparage Google Authenticator, but whatever.

I got into the situation like you did that I had to manually recreate

every single two factor key.

Um, and I was like, how is this not a feature that Google Authenticator

can back itself up to some file, which you could recover from?

And then I.

You know, a search got me onto Oy, so it's weird.

You, you, I think you kind of have to sort of audit all these systems.

Like that to me is just such a no-brainer feature.

You'd expect someone on Google will be like, well, we need to

like roll out a backup thing.

Yeah, I, I think I still wanna go back to.

The shared responsibility, right?

If you can find someone else, like in Sue's case, right?

If she had another IT person, right, who had the same access, and it doesn't

have to be the same credentials, right?

They could have their own key file, whatever else, but have

access to the same vault, right?

They could then help her recover, right?

And so I think always having that, and now I know in the personal side it gets a lot.

More difficult because no one ever thinks about that, right?

No one's like, Hey, I need to make sure this other person has access to

my data as well in case, and that's why many of these cloud providers, right,

apple, Google, meta, right, they're all either doing recovery contacts or

other mechanisms because they realize that people are getting locked out.

And it's hard to differentiate between sort of locked out because

of access, like an account takeover process or locked out because I forgot

something, or I did something incorrect and got locked outta my account.

Or forgot the password.

Right.

Yeah, as long as I, I, I just, there are, there you, you

need to think about the scenarios that you're trying to protect from, right?

Lost phone, uh, house burned down.

Um, and you need to, you need to go to your vendor.

While your house isn't burned down and your phone isn't lost, and say, what

is, I think this is my general right?

You just have to work your, work your way back from, okay, so I

have my servers backed up with this technology, whatever it is, whether

I think it should be a cloud service.

The smaller you are, the more a cloud service makes sense.

Whether you're, whether you're, I mean, if you're, you know, if you're a giant

company and you got 50 exabytes of data, it's gonna be a little difficult

to back that up with a cloud service.

But if, if you're, you know, on the opposite end, if you're one person

with one phone, super easy, right?

So, so the closer you are to one person, one phone, uh, the easier

it is to back up, uh, via the cloud.

And, uh, anyway, I digress.

Pick the thing that you're gonna.

Back up with and then say, okay, I'm gonna back up with this.

And, and in a, in a wipe out scenario, I'm going to, I need, I'm

going to, I have to restore this.

This is my, this is my, whatever it is, my most important thing.

And what do I need to restore that?

And then, You say, okay, I need, well, all I really need is my password.

Well then now it's the password manager is the other thing, is the next

thing that, that I have to do first.

And if in the case of Sue, you need two things to recover your

password manager, then how do we get those two things protected?

I think that makes a lot of sense and I think that, uh,

people who are really interested in this personal protection stuff can take

a lot of cues from what, you know, the stuff that you guys are doing in your,

in your jobs, working in the enterprise professional environment, right?

Because.

You guys have stuff like recovery plans that are documented and

everything is sort of planned.

So I think probably a useful thing for anyone to do, as you said, Curtis, it's,

you know, all this stuff is really, really about preventative, right?

Once you're in that situation, if you're trying to speak to a human

at Google, you're already in a world of pain and frustration.

So you know what someone could do.

Let's say listening to this podcast is say, What would

happen today if I lost my phone?

Right?

So how are you gonna get access back to your, uh, to your, uh, to your

passwords, to your two factor credentials if they're stored in different apps?

Um, and you can even just, you know, open a Google Doc and write out a

little recovery plan for yourself based on all those scenarios.

Um, I don't, I don't really have any thoughts on sort of when it's too late and

you don't have a good system for recovery because, you know, as, as I've experienced

and so many people experience, It's surprisingly easy to get something like an

IP hopping block, get locked outta Google.

There's no one to speak to.

Uh, so it's really, you know, if you're depending on these services,

you really need to be one step ahead.

Uh, and I think something like sort of a, a, a plan, uh, as if you were a backup

admin for a company, uh, documenting it is, is probably the best approach.

I, I was just as you were talking about this, Daniel,

I like the document effort.

Right.

Or exercise, because that way you can try to identify Okay, where are there gaps?

I was just going back, Curtis, do you remember, uh, the person we had

who talked about disaster planning?

Right.

And this is more from, uh, environmental disaster, right.

Situation.

Right.

How do you protect your envi or

Virginia Nichols, the single Most animated guest we ever had.

Yes.

She focuses on the stuff we don't focus on, which is, you know,

how do you get, you know, how do you get services back, right?

How do you get the, the things that you need as a human being?

Uh, you need all that stuff first.

And so she probably, Is better at thinking of those of the,

of the catch 22 situations.

You're right.

Yeah.

That's a good episode.

We'll put, we'll put a link to that episode

and I was just thinking also like the same process

she had talked through, right.

That applies even for all of these like technology and your data as well.

Right?

It's just a subset of that.

Right.

Because I know she talked about, do you have your passport?

Do you have cash?

Do you have gas in your card?

Do you have food?

Right.

All these sort of essentials, if you will, right.

Life essentials.

Now we're just going down to the next level.

It's like, okay, now your data, how do you get your data back?

I think Curtis is also, um, probably something in that as well,

that it's very difficult when you're trying to think of stuff like, you know,

disaster recovery and, and the things that we don't wanna think about to

actually do a good job, uh, with yourself.

And maybe, maybe that's another thing that, that, you know, people could do

is actually, maybe let's say you have a partner or a wife or whatever, you

could, you could sort of go through these scenarios to one another.

If you, if this happened to you, what would you do?

Um, rather than just kind of trying to envision all these possibilities yourself.

Fun, fun, uh, dinnertime conversation topic, right?

yeah, I think, I think, you know, a good time.

I, I just had this idea a good time to test your , your idea.

So you get your idea and you get a plan.

A great time to test that plan is, when you get a new device, right, you

get a new Mac, you get a new iPhone, you get a new Android device, you

get a new pixel, whatever it is, at that moment, you can pretend like

you just lost your phone, right?

Because, because they make it really easy when you buy.

I know, I know I haven't had an Android for a while, but I know when you get

a new iPhone, the easiest way to move over to a new iPhone is to, um, Just

have the other iPhone and it'll transfer the data directly from that iPhone.

And I'm saying don't do that.

I'm saying, um, pretend like you lost your iPhone and see what

recovering that process is like.

Um, I think that in the case of personal password managers or very small business

password managers, where it's a single person in a single account, you will,

um, there has to ultimately be a person.

Who is the, the MFA sponsor?

So with a typical password manager there is like, for example, my wife and I

share a password manager for a while.

We were paying for Dash Lane twice.

And then I realized, well this is dumb.

We, you know, it's not like we need to keep account secret from another.

So, so we just have one dash lane account, which is also how I ended up having

700, 700 accounts cuz you know, there's all her accounts plus all my accounts.

But,

that she has and then the 650 you have.

do you

is this the truth, Curtis, are you, um, are, are, are,

are you hiding something from us?

Is there, is, is there a secret site Password manager?

there's just, there's just a lot.

There's a lot of accounts out there.

I don't know.

I don't know why I have so many accounts anyway.

I have, I have to actually say that, that that

is a really, really good idea.

We're, we're, we're, we're talking today about sort of

like advanced stuff and Right.

If, if we have a recovery, that's the most sort of simple but effective way of

delegation is just to share an account.

I, I also share some credentials with my wife or like, Netflix, whatever.

And, you know, if someone's in hospital or asleep, that that's, that's

actually a great, a great system.

Um,

I mean, and of course you can also have your joints.

If you have a partner, a spouse, it's, it's super easy to do.

And then, uh, even a friend, it's just gotta be a really good friend, right?

Cuz you're not gonna keep any secrets from him.

The, the, um, but my point is that there is an ultimate arbiter of the account

and this, and, and in other words, my phone number is the one that is the.

If, if all, you know, if the feces hits a rotary oscillator and we lose

both of our, uh, devices authenticating from the very beginning, it would

have to be done with the phone number that's attached to the account.

Right.

Um, and the email address that's attached to the account.

And that one would be mine.

Right.

Um, but

your phone, you lost your sim, you don't have you got

locked out of your email account?

Well, well, it would have to be both of us because my wife

could authenticate if I got a new device, I could easily authenticate,

um, with, with my, because what the way it worked, their MFA with Dashlane,

it pops it up on other devices that are currently running Dashlane.

Right.

But we'd have to lose all devices.

So in my case it would be, I'd have to lose my laptop, both phones, the iPads.

This would be a very bad day for the Preston household.

So really that's what it comes back to, that that, that basically goes

back to what I said before, is decide what your ultimate sort of final or

begin, you know, it's the final thing, but it's like the beginning thing.

In a recovery scenario, what's the thing that you're going to use?

Is it an email account?

Is it, um, your othe password?

Is it your password manager?

Password?

Um, figure out what that is.

Pick the thing that you're gonna do and just remember, you've got to remember

that password, uh, to that thing.

Yeah.

And that, that's kind of what I do.

Like when I was talking about my Apple environment, right?

That's the one password.

So I know two passwords, my apple password and my password manager password, right?

Those are the two passwords that

that's what I have.

Yeah.

Uh, but.

do you guys think, do you guys think that there's any possibility

that in like 10 years time we're gonna have like, implantable chips with like,

you know, human based authentication?

It's gonna be biometric.

There's no silver bullet here.

But you have any final thoughts?

I think the conclusions, um, we've, we've come

to make a lot of sense, Curtis, that.

Um, you know, it proactivity, uh, going in ahead, thinking about it beforehand,

thinking, I like the idea that, you know, you're, you're gonna write the dash lane.

Um, and actually sort of like ask hard questions of these people because that's

what their, you know, support teams and customer success teams are, are there for.

Um, and just putting the thinking in before you get to these problematic

scenarios because I think no one wants to be in the position Sue was

in, uh, trying to deal with recovery cuz it's just so much more messy.

I'm I'm trying not to be too, too decisive cuz I'm gonna get an email

in like six months being like, I did what you said and I'm locked out.

Well, and so, and so, Daniel, for this, for this, since you

brought up that point, I would say the one thing is once you've thought

of it and you've documented how you would recover, go test it out, right?

Make sure it actually works.

Make sure that you don't have any gaps, right?

That you can recover.

And I like your example, Curtis.

Imagine that you're starting from a clean slate, right?

No devices, nothing.

What do you do?

You know, another way to do that is if you're like me, you

have a couple of old phones sitting around, um, take out one of those

and pretend it's your new phone.

And then recover, pretend that your other phone is completely dead and you're

not allowed to reach to your phone.

Right.

Um, that's, that's the only thoughts I have.

I'm gonna just gonna go back to what I said.

Just work your way back from, I have to recover this, so recover this, I

need this, recover this, I need this.

And ultimately, just make sure that whatever that is,

you have a very easy plan.

To get that back when, you know, the, the, whatever the worst happens,

uh, that could possibly happen.

So.

Well, I'm glad, I'm glad we had this conversation.

I'm, you know, I'm not sure we had good answers, but I, I think

this is a good planning question.

Right.

What, you know, this is a, like you said, being proactive.

Daniel, uh, you know, I, I agree with you, Daniel, your general thoughts.

Which is, there's not a lot of good options for consumers.

There's also not a lot of good options for small businesses.

Like, like truly small.

What I call this, this is a Curtis category.

You know, we have the SMB category, right?

The a Curtis category is called the tsb, the, the truly small businesses, right?

Right.

So the literally the mom and pops.

Um, there, there's not a lot of options there.

Uh, but there are services, right?

That are, I've been testing one.

Uh, we'll talk about it later on, on another, uh, podcast.

Uh, we'll talk about it later on another episode.

And, um, there's, there's no perfect answers.

I hope we helped Sue.

Um, you know, I, I'm sure

I just wanna also make clear, Curtis, that the advice offered

here doesn't come with any warranty.

So any,

any, anyone, anyone who actions, any advice they heard on this, on this

episode or the podcast in general, absolutely should not, uh, reach out

to any of us by email with complaints.

You're, you, you, you are on your own.

But, uh,

You're on, you're on your own, and you might not be able to

reach out to us via email because you don't have your password to your email.

Uh, so with that, um, I want to, uh, thank the listeners and remember to