Hacker News new | ask | show | jobs
by mrweasel 2671 days ago
Depending on how the original OTP key is stored on your phone, it's not much better than having it on your laptop. The key is still just stored there, somewhere, inside our phone. On the laptop at least you know where and how it's stored.
2 comments
acdha 2671 days ago
This might seem intuitive but it's wrong unless your phone is really old and unpatched. Modern phones sandbox everything, often encrypted per-application (standard on iOS for many years, becoming common on Android), and they have storage classes which will not be included in backups or easily copied to a computer.

You could start to approach that on a laptop — make sure you have FDE enabled, use the operating system's sandboxing features pervasively, store secrets using the TPM, etc. but that's a huge amount of work and the attack surface for apps on your laptop is enormous, especially for developers: how many people using a system like the one described are one unlucky npm install away from sending their TOTP seed to an attacker? The equivalent attack requires a system compromise on a phone (which tend to have 7+ figure USD bounties on iOS).

link
yjftsjthsd-h 2671 days ago
> unless your phone is really old and unpatched

The rate of CVEs an android, combined with the sheer number of manufacturers who are slow about updates or just never deliver any, means that unpatched devices are nothing like the rarity that this statement suggests.

link
acdha 2671 days ago
I was trying to avoid an iOS vs. Android flamewar but feel free to read that as “buy an iPhone 3GS or later unless you want to carefully check this”.
link
oarsinsync 2671 days ago
> > This might seem intuitive but it's wrong unless your phone is really old and unpatched

> feel free to read that as “buy an iPhone 3GS or later..."

iPhone 3GS stopped getting patches 5 years ago (https://en.wikipedia.org/wiki/IOS_6). I think it qualifies as really old and unpatched.

link
trishmapow2 2671 days ago
We do know how and where it is stored, a database file in /data/data/com.google.android.apps.authenticator2/databases/databases. I regularly copy it and back up in case my phone needs resetting.
link