This is a good thing to think about. You can do the following:
- Don't store 2FA TOTP passcodes in your password manager, that makes it not 2FA.
- Use Authy which has free backup of your TOTP codes encrypted client-side with a password; if you forget this password your TOTP codes will be irrevocably lost. Do not put this backup password in your password manager (for same reason as 1, makes it not 2FA), write it down on a physical piece of paper (or several) and put it some place in your home. Authy prompts you occasionally for this password which is a good way to test that you can get the piece of paper and put in the code correctly.
- Buy at least two hardware U2F tokens (aka yubikeys, or get one from solo keys); most websites that offer TOTP U2F also support hardware U2F. So if you lose your TOTP codes but still have access to the hardware U2F tokens you should be able to access websites and remove/change the TOTP codes.
- If you're worried about losing or destroying your hardware U2F tokens, the only real solution is to use a cryptocurrency hardware wallet (yes yes I know, gross, whatever, improved private key management is cryptocurrency's only positive contribution to the world) because those function as hardware U2F tokens but also let you physically write down a series of words on paper that will let you reconstitute the same hardware U2F key in a new crypto hardware wallet if all your hardware U2F tokens (including the wallet) get lost or destroyed. Store this paper in the same place you store your TOTP backup code.
- If you're really really worried about losing access to your crypto hardware wallet U2F key you can get a blockplate then use a centerpunch to encode your private key by making divots in an actual hunk of metal. Theoretically this will survive a fire.
Replace authy with aegis which is open source and doesn't tie you to any service and allows encrypted exports you can manage yourself
Don't store 2FA TOTP passcodes in your password manager, that makes it not 2FA.
Depends on your threat model, for most people password manager storage is fine because you're still protected against the service getting owned and leaking your password.
If you're worried about your phone being exploded tho you probably do have a threat model that precludes storing TOTP creds in your password manager.
I would say that putting TOTP seeds in your password manager also brings risk of unintentional lockout, because usually access to your password manager is gated by TOTP codes and if you lose access to your active TOTP codes and need to also use them to log into your password manager to get your backed-up TOTP seeds, you could be shit outta luck.
Thanks!
Why two hardware keys? Do sites let you register more than one at the same time?
Are there any Chinese hardware key manufacturers?
I like the idea of archaeologists discovering my blockplate in 3,000 years like a modern-day Sumerian tablet.
Generally you should always have multiple hardware U2F tokens in case you lose one. All sites that support hardware U2F should support registering multiple tokens for this reason. However some sites you can use TOTP as a backup for hardware U2F tokens and vice versa, so two tokens is not really necessary. But it depends.
Yubikeys are probably made in China but I don't know any fully Chinese companies that sell them. The solo keys company is interesting because it's all open source hardware & software.
No, the main thing separating hardware U2F tokens from crypto hardware wallets is that with hardware U2F tokens the key is totally baked into the token and can't be exported, so it will be lost forever if the token is destroyed. Crypto hardware wallets are unique in that they let you export & import the key. Sorry I edited the post that you're replying to a few times with extra details so you may not have read them.
smdh if my exploding phone doesn't let me transfer data to a local device so i can upload it to a different exploding phone after i survive the blast
i use Aegis which is open source, encrypted and can do automatic encrypted exports to phone/cloud storage that other apps can import so you dont get tied to a single device/app/service.
Authy is mostly fine but it ties you to its service (which requires gapps on android phones), doesnt allow exporting, and even if you export it with root workaround they will invalidate all of your tokens if you want to delete your authy account.
I'm keeping my MFA secrets in keepass, don't think about password manager compromise
nerd shit
In the past I also rigged my phone to relay SMS TOTP codes for the stupid shit that only supports that like my fucking bank used to only, to a self-hosted API that KeePass can fill them in via... now I just use a GSM dongle with its own SIM though
I’ve been using 2FAS that allows sync between my android and apple phones. If I make any changes I export an offline backup copy to a usb flash drive.
Google tells me those are both password managers. Pardon my ignorance, but I thought authenticator apps were something separate and discrete. How does that work? Is it good to have your password and authenticator stored in the same place?
I use Bitwarden currently.
Bitwarden has an option to use it as an authenticator as well. Yeah its not best to keep them both in the same place especially if its on servers you dont control. It makes more sense forr me personally just to keep them in the same vault without worrying about finding my phone.
VaultWarden is a reimplementation of BitWarden’s server. The clients are compatible.
Anyway, you can add your TOTP codes to a Bitwarden item. Either scan the code or enter the key manually.
It’s up to you if you want to risk storing the TOTP alongside the password, as it means you lose the second factor if your vault is compromised. For a random site? Sure why not. For financial/important stuff? Maybe not.
