this post was submitted on 20 Sep 2024
81 points (100.0% liked)
chat
This is a good thing to think about. You can do the following:
Replace Authy with Aegis, which is open source, doesn't tie you to any service, and allows encrypted exports you can manage yourself.
Good to know, I had not heard of it!
Depends on your threat model, for most people password manager storage is fine because you're still protected against the service getting owned and leaking your password.
If you're worried about your phone being exploded, though, you probably do have a threat model that precludes storing TOTP creds in your password manager.
I would say that putting TOTP seeds in your password manager also brings risk of unintentional lockout, because usually access to your password manager is gated by TOTP codes and if you lose access to your active TOTP codes and need to also use them to log into your password manager to get your backed-up TOTP seeds, you could be shit outta luck.
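The lockout scenario above turns on what a TOTP "seed" actually is: the only secret in the scheme, from which every code is derived. Whoever holds a copy of the seed (the phone app, an encrypted Aegis export, a password-manager entry) can produce the same codes, so a backed-up seed is what prevents lockout, and a leaked seed is as bad as a leaked password. The following is an added example, not code from the thread, implementing RFC 4226/6238 over a base32 seed the way authenticator apps and servers do; the seed is the RFC 6238 reference secret "12345678901234567890" in base32, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example seed: the RFC 6238 reference secret
# "12345678901234567890", base32-encoded, which is the form apps show
# in the otpauth:// "secret=" parameter and in export files.
EXAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Decode a base32 seed, tolerating lowercase, spaces and missing '=' padding."""
    s = seed_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, unix_time: int, digits: int = 6,
         period: int = 30, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(decode_seed(seed_b32), unix_time // period, digits, algo)


def verify_totp(seed_b32: str, submitted: str, unix_time: int, window: int = 1,
                digits: int = 6, period: int = 30, algo: str = "sha1") -> bool:
    """Server-side check: accept the current step and `window` steps either side,
    comparing in constant time so the check does not leak which digits matched."""
    for step in range(-window, window + 1):
        expected = totp(seed_b32, unix_time + step * period, digits, period, algo)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def codes_match_across_copies(seed_b32: str, unix_time: int) -> bool:
    """Two independent copies of the same seed (phone app, backup export)
    produce identical codes; this is why a seed backup prevents lockout."""
    phone_copy = seed_b32
    backup_copy = seed_b32.lower()  # e.g. re-typed from an export file
    return totp(phone_copy, unix_time) == totp(backup_copy, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(EXAMPLE_SEED_B32, now))
    print("backup copy agrees:", codes_match_across_copies(EXAMPLE_SEED_B32, now))
```

The constant-time compare in `verify_totp` and the step window are the two details servers most often get wrong; the window should be small (one step either side covers clock skew), since every extra step multiplies an attacker's chance of guessing a six-digit code.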
pass users stay winning
Thanks!
Why two hardware keys? Do sites let you register more than one at the same time?
Are there any Chinese hardware key manufacturers?
I like the idea of archaeologists discovering my blockplate in 3,000 years like a modern-day Sumerian tablet.
Generally you should always have multiple hardware U2F tokens in case you lose one. All sites that support hardware U2F should support registering multiple tokens for this reason. However, on some sites you can use TOTP as a backup for hardware U2F tokens and vice versa, so two tokens are not really necessary. But it depends.
YubiKeys are probably made in China but I don't know any fully Chinese companies that sell them. The SoloKeys company is interesting because it's all open source hardware & software.
Oh, you mean you can make one key into a clone of another?
No, the main thing separating hardware U2F tokens from crypto hardware wallets is that with hardware U2F tokens the key is totally baked into the token and can't be exported, so it will be lost forever if the token is destroyed. Crypto hardware wallets are unique in that they let you export & import the key. Sorry I edited the post that you're replying to a few times with extra details so you may not have read them.