Keep your 2FA recovery code, because Prey will not help you if you don't!

Hi all, I am writing this as a disgruntled customer who stopped (or rather, was unable to keep) using Prey for about one or two months.

Long story short, my story goes like this:
I had been using Prey for more than a year before I stopped. I was a university student until I graduated recently, and I decided that it would be better for me to start using a password manager to manage all my account passwords (because, well, soon to be a working adult and it's time to be more responsible with my IT habits), so that I do not log in to everything with the same password. I can also manage and store other things in a data entry of my manager, like my 2FA recovery codes and my 2FA secret key (used to set up your 2FA for an account the first time, which can also be represented as a QR code, for those who don't know).

About three months ago, because I had only set up my 2FA on my old Android phone, and when it broke down I had not set it up as well (with WinAuth on Windows and a Chrome plugin on Linux, for those who are interested in setting up) on my Windows/Linux dual-boot laptop, I lost my only 2FA access (and hence the only possible way to retrieve the secret key Prey gave me to set up 2FA). I had also never thought of keeping my 2FA recovery code email (not to be confused with the secret key) a year ago, before my phone went down, when I first set up the 2FA for Prey.

As a result, I cannot log in to Prey, even after resetting my old phone, and obviously not after I re-contracted last month for a new phone with my telco either.

But the true nightmare really begins here, which is why I am writing here, and it’s about just how ridiculous Prey developers can be.

We are given a "lost your mobile device?" option when we log in, if we have problems with our 2FA. So I went there hoping the recovery code would arrive in my email.

But the email never came.

So I found Prey on Facebook and used the Messenger to contact the person-in-charge, Fabián.

And heck, how unhelpful it was. You guys can see the next post I am posting below to see what happened. Basically, he said he cannot help if I didn't keep the recovery code I got a year ago. But that was after a few days of nudging, and before that I thought there should be no problem retrieving it again, since he still asked for my email before that.

So I am posting here hoping the developers will catch a glimpse of this problem … you guys might as well remove the "Lost your Mobile Device" function altogether and put a red warning sign for those who have just newly set up their 2FA.

And fellow Prey users, you'll essentially lose your account if you don't keep your 2FA secret key properly, and you cannot really delete your Prey account easily, since they are not always fast in responding, or they may say they cannot help you, which matters especially if you are worried the Prey account itself can be misused.

And oh, I have already given my 1-star rating on Google Play until this is fixed. And out of paranoia, I have removed all the Prey executables from both OSes on my laptop.

(See next post for my correspondence with the customer service)

(Note also that Fabian stopped reading after his reply, as shown by the last "read" icon to the right of his message, and he never read on since.)

I decided to post this topic here after learning that Prey has just newly set up the help forum, and I just got the email telling me they haven't heard from my laptop for a month. I hope this topic will help me give this product another try and will eventually bring me back to continue with this service, because I cannot find another service that is free (for personal usage, not a periodic subscription cost) yet offers this much functionality.

Hi there,

I’m sorry that you got locked out of your account. I understand how frustrating that can be, and would like to tell you why we take this approach when contacted about this particular issue.

Two factor authentication is an optional layer of protection provided to users who are really concerned about their online security. I’m sure that’s your case. It’s a robust system that will keep anyone out of your account, even if they get a hold of your Prey password. This is powerful, as you already experienced.

One of the key flaws of these systems is always the human factor. Social engineering is the easiest way to hijack online accounts, and by cutting this altogether we make sure that nobody will impersonate you, ever. Why? Because we don’t grant access to lost accounts.

If you happened to lose your Prey account, the fix is rather simple. Just create a new one, and reinstall Prey on your devices using those new credentials. You’ll be protected again, and if you decide to enable the 2FA, please make sure to save the backup email.

Now, if you’re a customer, please drop us a line using the contact form on your Prey account so we can migrate your subscription. That way you won’t pay for an account you’re not using.

This is a great idea. We’ll take a look ASAP.

Hi Fabian,

As a fellow student majoring in Computer Science who has also taken lessons on security, I can understand where that's coming from, particularly on social engineering.

As suggested, put a big warning sign for 2FA, because nearly all other 2FA services (including bigger companies like Google) will always find us a way to access the account (via backup phone, etc).

My issue (or wish) is that I do not have to create a new email account, or use my existing but unused, for-emergency-only email account, just so I can create an account here again. Making another account unnecessarily adds more stuff for me to manage online and within my password manager. And for every account we make, we add one more vulnerability to ourselves that we don't know exists in a new system (which some of us solve by using a password manager so we never use the same password across multiple accounts).

And another thing, I just don't want to make another inbox that I am not going to check for unread mail, which will receive notifications from Prey that I am likely to miss. :stuck_out_tongue:

I have a Gmail used as my primary; a Hotmail, created years before Gmail, my oldest email address, which I reduced to just the Windows account and importing of Windows settings to future Windows versions once I decided Gmail was better, and which is set to receive no emails; and a Yahoo Mail which is left unused until an emergency, so I never check its inbox (and no mail has ever come). That's also why I have no apps to check the Yahoo inbox … I only log in via the browser for that.

I can't remember if we can change our email in our Prey accounts, so if yes, I will make a new one with my backup Yahoo Mail, used for any form of emergency, and then change it back over to Gmail.

Otherwise, I wonder if it’s possible to prove my ownership of GMail and Prey Account and have my old Prey account removed so that I can re-register under Gmail again.

And thanks for the help with the subscription; I am (thankfully) using a free account for personal use.

Is the affected Prey account under the same email address you used to post here?

Yes it is, Fabian. The one registered with Gmail is my locked-out account.

I have just activated an account under my Hotmail, which I had almost completely forgotten was registered earlier than Gmail, when I still didn't have Gmail.

Will you be using that Hotmail account instead? Since you’re authenticated as a Gmail user here, I might be able to help you remove the email from our database. I can’t help you regain access to the account, but I can at least do that.

Yep I will. I’ll continue the service from my Hotmail for now. And it’s time to revise how to use mail forwarding to Gmail again.

Yeah, that’s something to figure out each time :confused:

By the way, we revised how we managed the 2FA process, and we improved it thanks to your feedback. We think it’s much clearer now. We appreciate that you took the time to share this with us.

No problem at all. Thanks also for handling my issue.

Will just change over my Hotmail to Gmail for registered address once the old account has been removed.


Alright, done! Please let me know how it goes :slight_smile:

Switched to Gmail, and have everything for 2FA (both the authenticator's secret key and Prey's recovery key) stored in more than one place. Thank you!

To all fellow users: unlike most 2FA implementations provided by other services, large and small, Prey will lock you out of your account if you lose your authenticator secret key.

What I use to store security info for my accounts: use WinAuth to extract your secret key from the QR code of a 2FA service, and store that, alongside your 2FA recovery code, in an app like KeePass 2.35. Keep your KeePass database safe. Google Authenticator cannot convert a scanned QR code back into your secret key.

So now I have 3 authenticators in total (WinAuth on Windows, Google Authenticator on Android and a Chrome browser plugin on Ubuntu) using the same secret key for Prey and other things, plus a password manager. :stuck_out_tongue:

Edit to Fabian: I tried that "Lost your Mobile Device" option and have seen that the prompt has been updated. It should be fine for guarding against social engineering, although I think the warning tickbox (the one we use to acknowledge that we will keep the code and will be locked out if we don't) in the 2FA option could be colored red, and the email content could carry a stricter warning.

Alright, great! I can add that you can always print the recovery code. I keep mine from Google in my wallet. :stuck_out_tongue:

I hate to revive an old thread but I’m experiencing similar issues… I’d love to consider paying for the service, but I’m not going to create another email address to manage in order to do so. Can my account be deleted so I can re-register with my same email? @fabian

Spotted following topics:

“Never set up security code - can’t access admin panel”
“Unable to Log In to Account - Requires Six Digit Code that we do not have”
“Unable to access account - Requires 6 Digit Security code that we no longer have access to”
“Two way authentification is a bit stupid?”

EDIT: and oh yeah @Encrypt128bit, that’s you in “Moved phones. Google Authenticator lost all info”

No wonder this topic got revived lol.

@patches_KDG @CmplxAdSys

Quoting those post owners here as a reminder. Basically:

  1. Do not use just one device as your 2FA authenticator.
  2. The moment you get the QR code or its key equivalent for your 2FA setup, before you type in the 6-digit code to verify your 2FA works and press finish, convert that QR code to an authenticator key (e.g. with WinAuth) and store it in a secure place like a password manager. Only then finalize the setup of your 2FA.
  3. And keep that recovery code email! (If you really want the inbox space or don't want to leave any codes in your email service, at least copy that code and store it in, again, a secure place.)
  4. The reason for points 1 and 2 is so that you can use the same authenticator key on more than one authenticator, such that the same 6-digit codes are generated on all your devices.
  5. If you ever need to use your recovery code (because none of your 2FA codes work), reset your 2FA again as soon as possible after you log in.

Scrap Google Authenticator and install Authenticator Plus. Features (among many more): no more lost 2FA keys, auto-sync and auto-backup of all your 2FA keys, restoring 2FA on multiple phones, password protection, grouping of different 2FA keys…

Costs about 4 USD but is worth every cent.

This year I am giving a talk about 2FA to my colleagues to raise awareness, and I am reminded of this, because it was Prey Project that literally changed my credential management habits entirely … setting up KeePass and 2FA.

In any case, now I use Aegis Authenticator, open-source on Android. For Windows I use WinAuth.

And apparently, from Prey's announcement, it seems a bit easier now to recover from 2FA issues compared to when this topic was created.