by tzs 2893 days ago
Do you see any problem with using a phone TOTP authenticator, but when setting it up saving a copy of the TOTP secret in a file encrypted with my public gpg key?

The idea is that if I lose access to my phone, I can decrypt that saved copy of the secret, and load it into 1Password temporarily until I get my phone back or get a new phone and get everything set back up.


Before people started storing their TOTP secrets in desktop applications so they could auto-fill them in their browsers, this question used to be the front line of the 2FA opsec wars. I was a lieutenant in the army of "if you want to back up 2FA secrets, just enroll two of them; a single 2FA secret should never live in more than one place". I think that battle is already lost.

Lots of reasonable people back up their secrets, or even clone them into multiple authenticator applications. I try not to.

> Lots of reasonable people back up their secrets, or even clone them into multiple authenticator applications. I try not to.

Because if you lose access to the 2FA secrets, you lose access to your account. If that's just one account, recovery might be doable (depending on who ultimately is root on the machine). If it's your Bitcoin wallet or FDE though, you're toast.

There's also a variety of protocols used for 2FA. I've seen: USB2, USB3, USB-C, Bluetooth, NFC.

As for how people do this: they use a second key, save their key on a cryptosteel(-esque) device [1] (IMO overpriced, YMMV), USB stick, a piece of paper, or gasp CDROM. Where it's saved differs. Could be next to a bunch of USB sticks, in a safe, at a notary (my recommendation, though it does cost a dime or two), in a basement under a sack of grain, ...

[1] https://cryptosteel.com

What the actual fuck is this "cryptosteel" thing?

There's a FAQ on the bottom of the page.

I know, I read it. What the actual fuck is this? Who would spend money on this? How is this not an insane product concept?

> Who would spend money on this?

https://www.kickstarter.com/projects/zackdangerbrown/potato-...

https://en.wikipedia.org/wiki/Juicero

etc.

> How is this not an insane product concept?

I thought sanity died years ago.

> if you want to back up 2FA secrets, just enroll two of them

Could you elaborate on how you do this in practice?

Just like the first one. Most U2F web sites let you register multiple keys.

Any one gives you access. So you take one with you and put one in a drawer at home.