“Hello, thanks for calling. I understand you want to reset your password. To verify it’s really you, may I have your cryptographically impregnable super token? Oh, it’s lost, I see. How about, can you verify your billing zip? Splendid, you’re all reset.”
Suppose we take Coinbase (I don't use it, but I've heard SIM swapping is done regularly with Coinbase):
Suppose you lose all your physical keys: I don't think you can social engineer hack Coinbase (pretty sure most companies won't allow people to just give away your password/send a reset email to some other email).
Or suppose you get them to send me an email to reset my password. But my email also has FIDO U2F! And I know as a fact you can't social hack my email provider.
You would expect that if you restore the full backup of your iOS device to a new one, because you lost it for instance, that on the new device you could open the Authenticator app and see the same keys as you had on your old device. That is not the case though.
Under the hood Google Authenticator uses keys to generate the codes you see on screen and these keys are not backed up.
It’s a difficult decision of course. If you back them up in iCloud, Apple and people who hack your Apple account have access. If you don’t, the keys are lost if the device breaks or is lost, and you need a workaround.
No, I know because that’s what I do and I had this fail on me when I migrated to a new phone. I switched to a different app that does backup keys when you use an encrypted iTunes backup.
Edit: oh you wanted to restore on the same device. Well that might work but it doesn’t help when migrating or if your phone is not available.
I think he's saying that the private keys to his crypto never leave physical hardware. There is no phone number to call if he loses them, but on the other hand what you are describing is impossible.
The joke is a thief will get ahold of a live person and still be easily able to social engineer account access, despite best efforts to lock it down with technology.