this post was submitted on 20 Sep 2024
81 points (100.0% liked)

chat

8197 readers
304 users here now

Chat is a text only community for casual conversation, please keep shitposting to the absolute minimum. This is intended to be a separate space from c/chapotraphouse or the daily megathread. Chat does this by being a long-form community where topics will remain from day to day unlike the megathread, and it is distinct from c/chapotraphouse in that we ask you to engage in this community in a genuine way. Please keep shitposting, bits, and irony to a minimum.

As with all communities posts need to abide by the code of conduct, additionally moderators will remove any posts or comments deemed to be inappropriate.

Thank you and happy chatting!

founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] hypercracker@hexbear.net 16 points 1 month ago* (last edited 1 month ago) (3 children)

This is a good thing to think about. You can do the following:

  1. Don't store 2FA TOTP passcodes in your password manager, that makes it not 2FA.
  2. Use Authy which has free backup of your TOTP codes encrypted client-side with a password; if you forget this password your TOTP codes will be irrevocably lost. Do not put this backup password in your password manager (for same reason as 1, makes it not 2FA), write it down on a physical piece of paper (or several) and put it some place in your home. Authy prompts you occasionally for this password which is a good way to test that you can get the piece of paper and put in the code correctly.
  3. Buy at least two hardware U2F tokens (aka yubikeys, or get one from solo keys); most websites that offer TOTP U2F also support hardware U2F. So if you lose your TOTP codes but still have access to the hardware U2F tokens you should be able to access websites and remove/change the TOTP codes.
  4. If you're worried about losing or destroying your hardware U2F tokens, the only real solution is to use a cryptocurrency hardware wallet (yes yes I know, gross, whatever, improved private key management is cryptocurrency's only positive contribution to the world) because those function as hardware U2F tokens but also let you physically write down a series of words on paper that will let you reconstitute the same hardware U2F key in a new crypto hardware wallet if all your hardware U2F tokens (including the wallet) get lost or destroyed. Store this paper in the same place you store your TOTP backup code.
  5. If you're really really worried about losing access to your crypto hardware wallet U2F key you can get a blockplate then use a centerpunch to encode your private key by making divots in an actual hunk of metal. Theoretically this will survive a fire.
[–] BennyCHill@hexbear.net 15 points 1 month ago (1 children)

Replace authy with aegis which is open source and doesn't tie you to any service and allows encrypted exports you can manage yourself

[–] hypercracker@hexbear.net 5 points 1 month ago

Good to know, I had not heard of it!

[–] combat_brandonism@hexbear.net 8 points 1 month ago (1 children)

Don't store 2FA TOTP passcodes in your password manager, that makes it not 2FA.

Depends on your threat model, for most people password manager storage is fine because you're still protected against the service getting owned and leaking your password.

If you're worried about your phone being exploded tho you probably do have a threat model that precludes storing TOTP creds in your password manager.

[–] hypercracker@hexbear.net 6 points 1 month ago (1 children)

I would say that putting TOTP seeds in your password manager also brings risk of unintentional lockout, because usually access to your password manager is gated by TOTP codes and if you lose access to your active TOTP codes and need to also use them to log into your password manager to get your backed-up TOTP seeds, you could be shit outta luck.

[–] combat_brandonism@hexbear.net 3 points 1 month ago

access to your password manager is gated by TOTP codes

pass users stay winning comfy-cool

[–] TankieTanuki@hexbear.net 5 points 1 month ago (1 children)

Thanks!

Why two hardware keys? Do sites let you register more than one at the same time?

Are there any Chinese hardware key manufacturers?

I like the idea of archaeologists discovering my blockplate in 3,000 years like a modern-day Sumerian tablet.

[–] hypercracker@hexbear.net 5 points 1 month ago* (last edited 1 month ago) (1 children)

Generally you should always have multiple hardware U2F tokens in case you lose one. All sites that support hardware U2F should support registering multiple tokens for this reason. However some sites you can use TOTP as a backup for hardware U2F tokens and vice versa, so two tokens is not really necessary. But it depends.

Yubikeys are probably made in China but I don't know any fully Chinese companies that sell them. The solo keys company is interesting because it's all open source hardware & software.

[–] TankieTanuki@hexbear.net 4 points 1 month ago (1 children)

Oh---you mean you can make one key into a clone of another?

[–] hypercracker@hexbear.net 5 points 1 month ago

No, the main thing separating hardware U2F tokens from crypto hardware wallets is that with hardware U2F tokens the key is totally baked into the token and can't be exported, so it will be lost forever if the token is destroyed. Crypto hardware wallets are unique in that they let you export & import the key. Sorry I edited the post that you're replying to a few times with extra details so you may not have read them.