2FA AF

On Thursday night, I lost my phone.  On Friday night, I got it back.  This is the horrifying story of the intervening 24 hours.

[Image: horror. Caption: In a world without a cell phone…]

The actual story of how I lost the phone is pretty much right out of a bad movie script — I’m on the company bus from Sunnyvale to San Francisco, where normally I’d be listening to podcasts and minding my own business with my phone literally connected to my face (i.e., impossible to lose), but this time I’m talking to someone on the ride — for the sake of this movie script, let’s assume it’s a fly lady and there’s hella sexual tension and not, say, a French dude — and I walk off the bus into the late evening drizzle and I’m like, “Nice riding with you, fly lady who’s definitely not a French dude!”  Then I go to put my headphones in and realize that lost in all that sexual tension with this lady who definitely exists[1] is my phone, sitting on a table on the bus, which is at a red light not 50 feet away.

No problem, I think naively, I’m sure the bus driver will, like, look over at me before the light turns and I can just get it.  Of course he does not, and the light turns before I can bang on the door to get his attention, and off he goes.  I immediately resign myself to a phoneless life and start heading back home, thinking about how sad I am not to have a phone and to be walking back in the rain, and how I have to walk so far because I got off a stop earlier than I used to before the bus switched routes and started going 5 minutes out of its way before getting to the stop I usually get off at…  And in one fluid motion I both facepalm and turn around, running the half mile to the next stop, uphill in the rain, with my backpack on and my gym bag in my hand, elbowing people off the sidewalk in my haste.

A block away from my destination, the light at the intersection is turning yellow and the little red hand has counted down to zero as I approach. I run into the street and am almost immediately run over.  I have no choice but to wait for traffic as I watch the bus pull around the corner and stop a block away.  The light turns, and I sprint up the street with my hand out waving frantically hoping to get the bus driver’s attention.  I don’t get it.  He pulls away, and with my phone, he drives right past me.  I have failed, my phone is gone, everyone who’s just gotten off the bus is staring at me, and right then it starts just pouring rain.  I walk home, sopping wet and dejected.

[Image: rain. Caption: Like this, except HE PROBABLY STILL HAS HIS PHONE]

I’m an adult; I can handle a little loss of connectivity, and it’s a company bus not the Muni, so I know I’m gonna get that phone back.  This is not the end of the world.  When I get home, I’ll just call the dispatcher and tell them I left my phone on the bus.  No problem.

Except I don’t have a phone, so I can’t call them.  OK, not a big deal, I’ll email them. I still have my computer.  I’ll just check the bus app and find out what their email address is.

Except I don’t have a phone, so I can’t check the bus app.  OK, not a big deal, I’ll check the wiki, I’m sure it’s there somewhere.

Except I don’t have a phone, so I can’t generate a two-factor authentication token to access the VPN so I can access the wiki.

Balls.

I did what any normal person would do: I vented my frustration by tweeting about it:

In the end I got in touch with the dispatcher by texting a friend at work and asking them what the email address was[2] and got in touch with them; they’d have it for me in Sunnyvale on Friday morning, I could have someone pick it up and bring it back to SF for me. Which I did — super huge shout out to the French dude for bringing it back and then waiting for like a half hour for me to show up at the bus stop, he is the best.

But in the meantime, I ran into about a dozen other ways in which not having a phone is inconvenient — from finding something in my apartment that I could make beep at a certain time to wake me up, to adding stuff to my grocery list, to badging in at the gym — and one way in which, it turns out, having a phone is essential.  As I mentioned earlier, at my company we use two-factor authentication to remotely access the company network.  We also use it for, basically, everything else.

Two-factor authentication (or 2FA) requires you to have a password and another piece of information, typically served from a device that the server knows and trusts.  You then authenticate with both pieces of information — “factors,” you might call them.  This is pretty obviously more secure than just having a password, but you may be wondering why having a password isn’t secure enough — after all, you could lock your door and brick it shut, but most people just opt for the locks.  Without going into too much detail, it is possible that if a bad actor has access to our network, he or she may be able to access a list of passwords, and even if they are stored in some hashed form they may be able to look up the password plaintext in a rainbow table and, long story short, they then have access to everything.

[Image: Nicholas! Caption: Not that kind of bad actor]

Two-factor authentication is more secure because even if the attacker has access to everyone’s password, and even if they’re able to get their hands on a device or two, they can only log in as a person whose device they have, and not, y’know, everyone.  Plus getting access to the devices would be, presumably, difficult.

It’s so great and wonderful and secure that, as I mentioned before, we use it for basically everything.  It’s pretty common to use 2FA to access VPN, but even inside the VPN we use it.  We have automation software running on a server that requires 2FA to access.  Didn’t get to do any work with that yesterday.  We use Okta to manage access to internal apps.  We’ve configured Okta to use 2FA.  I was lucky that I hadn’t been signed out of Okta (which seems to happen about once a week), because if I had been, I couldn’t have used the wiki even from the office.  Or viewed my pay checks.  Or seen my calendar.  Or used email.

In the end, this whole miserable ordeal wasn’t much more than an inconvenience, but that was lucky.  If I had truly lost my phone, I’d be in huge trouble — and probably in even more ways than I know now.  I guess what I’m saying is…

[Image: phone. Caption: I’ll never lose you again.]

  1. You don’t know her she lives in Canada
  2. Except I didn’t have my phone, so actually I found an old offline copy of the bus schedule that had been sent to me before I moved here in the trash folder on my personal computer
