this post was submitted on 20 Sep 2024
[–] [email protected] 16 points 1 month ago* (last edited 1 month ago) (3 children)

This is a good thing to think about. You can do the following:

  1. Don't store 2FA TOTP passcodes in your password manager, that makes it not 2FA.
  2. Use Authy which has free backup of your TOTP codes encrypted client-side with a password; if you forget this password your TOTP codes will be irrevocably lost. Do not put this backup password in your password manager (for same reason as 1, makes it not 2FA), write it down on a physical piece of paper (or several) and put it some place in your home. Authy prompts you occasionally for this password which is a good way to test that you can get the piece of paper and put in the code correctly.
  3. Buy at least two hardware U2F tokens (aka yubikeys, or get one from solo keys); most websites that offer TOTP U2F also support hardware U2F. So if you lose your TOTP codes but still have access to the hardware U2F tokens you should be able to access websites and remove/change the TOTP codes.
  4. If you're worried about losing or destroying your hardware U2F tokens, the only real solution is to use a cryptocurrency hardware wallet (yes yes I know, gross, whatever, improved private key management is cryptocurrency's only positive contribution to the world) because those function as hardware U2F tokens but also let you physically write down a series of words on paper that will let you reconstitute the same hardware U2F key in a new crypto hardware wallet if all your hardware U2F tokens (including the wallet) get lost or destroyed. Store this paper in the same place you store your TOTP backup code.
  5. If you're really really worried about losing access to your crypto hardware wallet U2F key you can get a blockplate then use a centerpunch to encode your private key by making divots in an actual hunk of metal. Theoretically this will survive a fire.
[–] [email protected] 15 points 1 month ago (1 children)

Replace Authy with Aegis, which is open source and doesn't tie you to any service and allows encrypted exports you can manage yourself.

[–] [email protected] 5 points 1 month ago

Good to know, I had not heard of it!

[–] [email protected] 8 points 1 month ago (1 children)

Don't store 2FA TOTP passcodes in your password manager, that makes it not 2FA.

Depends on your threat model, for most people password manager storage is fine because you're still protected against the service getting owned and leaking your password.

If you're worried about your phone being exploded tho you probably do have a threat model that precludes storing TOTP creds in your password manager.

[–] [email protected] 6 points 1 month ago (1 children)

I would say that putting TOTP seeds in your password manager also brings risk of unintentional lockout, because usually access to your password manager is gated by TOTP codes and if you lose access to your active TOTP codes and need to also use them to log into your password manager to get your backed-up TOTP seeds, you could be shit outta luck.

[–] [email protected] 3 points 1 month ago

access to your password manager is gated by TOTP codes

pass users stay winning comfy-cool

[–] [email protected] 5 points 1 month ago (1 children)

Thanks!

Why two hardware keys? Do sites let you register more than one at the same time?

Are there any Chinese hardware key manufacturers?

I like the idea of archaeologists discovering my blockplate in 3,000 years like a modern-day Sumerian tablet.

[–] [email protected] 5 points 1 month ago* (last edited 1 month ago) (1 children)

Generally you should always have multiple hardware U2F tokens in case you lose one. All sites that support hardware U2F should support registering multiple tokens for this reason. However some sites you can use TOTP as a backup for hardware U2F tokens and vice versa, so two tokens is not really necessary. But it depends.

Yubikeys are probably made in China but I don't know any fully Chinese companies that sell them. The solo keys company is interesting because it's all open source hardware & software.

[–] [email protected] 4 points 1 month ago (1 children)

Oh---you mean you can make one key into a clone of another?

[–] [email protected] 5 points 1 month ago

No, the main thing separating hardware U2F tokens from crypto hardware wallets is that with hardware U2F tokens the key is totally baked into the token and can't be exported, so it will be lost forever if the token is destroyed. Crypto hardware wallets are unique in that they let you export & import the key. Sorry I edited the post that you're replying to a few times with extra details so you may not have read them.
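The recovery property the two comments above describe (the key can be written down as words and rebuilt on a new wallet, whereas a U2F token's key never leaves the token) comes from the wallet deriving all of its key material from a seed phrase. The block below is an added example, not code from the thread or from any wallet vendor: it implements the standard BIP39 mnemonic-to-seed step (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" plus an optional passphrase) in stdlib Python and then derives a per-site child key with HMAC. The per-site derivation is an illustrative assumption; real wallets use their own, vendor-specific derivation scheme for FIDO keys, and real BIP39 also validates a checksum against the 2048-word list, which is omitted here. The mnemonic used is the published BIP39 test vector, not anyone's wallet.

```python
"""Seed phrase -> deterministic key material, stdlib only (added example).

Shows why a paper backup of the words is equivalent to the wallet itself:
the same words (and passphrase) always reproduce the same seed, and every
per-site key is a pure function of that seed.
"""
import hashlib
import hmac
import unicodedata

# Published BIP39 test-vector mnemonic (all-zero entropy), used here as
# constructed sample input. Not a real wallet.
EXAMPLE_WORDS = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)


def _nfkd(s: str) -> str:
    # BIP39 normalises both the mnemonic and the passphrase with NFKD.
    return unicodedata.normalize("NFKD", s)


def mnemonic_to_seed(words: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.

    Whitespace between words is collapsed to single spaces; the word-list
    checksum check of real BIP39 is intentionally not implemented here.
    """
    mnemonic = _nfkd(" ".join(words.split())).encode("utf-8")
    salt = ("mnemonic" + _nfkd(passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic, salt, 2048)


def derive_site_key(seed: bytes, rp_id: str) -> bytes:
    """Illustrative per-relying-party child key (assumption, not a wallet's real scheme).

    The point is only that the child key is a deterministic function of the
    seed, so restoring the seed on a new device restores every site key.
    """
    return hmac.new(seed, rp_id.encode("utf-8"), hashlib.sha256).digest()


def restore_matches(words: str, passphrase: str, rp_id: str) -> bool:
    """Simulate 'old wallet' and 'new wallet' restored from the same paper."""
    old_device = derive_site_key(mnemonic_to_seed(words, passphrase), rp_id)
    new_device = derive_site_key(mnemonic_to_seed(words, passphrase), rp_id)
    return hmac.compare_digest(old_device, new_device)


if __name__ == "__main__":
    seed = mnemonic_to_seed(EXAMPLE_WORDS, "TREZOR")
    print("seed:", seed.hex())
    print("example.com key:", derive_site_key(seed, "example.com").hex())
    # A single wrong word or a different passphrase yields an unrelated seed,
    # which is why the paper must be transcribed exactly.
    print("restored OK:", restore_matches(EXAMPLE_WORDS, "TREZOR", "example.com"))
```

A wrong passphrase or a single mistyped word gives an unrelated seed rather than an error, so test a freshly written paper backup by actually restoring from it, the same way the first comment suggests testing the Authy backup password.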

[–] [email protected] 16 points 1 month ago

Hahaahahahhhahahaahha fuck

[–] [email protected] 7 points 1 month ago

I use Aegis, which is open source, encrypted and can do automatic encrypted exports to phone/cloud storage that other apps can import, so you don't get tied to a single device/app/service.

Authy is mostly fine but it ties you to its service (which requires gapps on Android phones), doesn't allow exporting, and even if you export it with a root workaround they will invalidate all of your tokens if you want to delete your Authy account.

[–] [email protected] 7 points 1 month ago

I'm keeping my MFA secrets in keepass, don't think about password manager compromise

nerd shit: In the past I also rigged my phone to relay SMS TOTP codes for the stupid shit that only supports that, like my fucking bank used to only, to a self-hosted API that KeePass can fill them in via... now I just use a GSM dongle with its own SIM though

[–] [email protected] 6 points 1 month ago (1 children)

Vaultwarden or keepass synced to some cloud storage.

[–] [email protected] 2 points 1 month ago (2 children)

Google tells me those are both password managers. Pardon my ignorance, but I thought authenticator apps were something separate and discrete. How does that work? Is it good to have your password and authenticator stored in the same place?

I use Bitwarden currently.

[–] [email protected] 3 points 1 month ago

VaultWarden is a reimplementation of BitWarden’s server. The clients are compatible.

Anyway, you can add your TOTP codes to a Bitwarden item. Either scan the code or enter the key manually.

It’s up to you if you want to risk storing the TOTP alongside the password, as it means you lose the second factor if your vault is compromised. For a random site? Sure why not. For financial/important stuff? Maybe not.

[–] [email protected] 2 points 1 month ago

Bitwarden has an option to use it as an authenticator as well. Yeah, it's not best to keep them both in the same place, especially if it's on servers you don't control. It makes more sense for me personally just to keep them in the same vault without worrying about finding my phone.

[–] [email protected] 3 points 1 month ago

I’ve been using 2FAS that allows sync between my android and apple phones. If I make any changes I export an offline backup copy to a usb flash drive.