by BoppreH 1485 days ago
That's a very good question and in my opinion the biggest flaw with almost all new 2FA/passwordless systems. The "best practice" is to get a second yubikey or store recovery codes on paper, but that requires keeping them close to you because you'll need to update your backup on every new signup.

That makes these systems entirely useless at protecting against house fires, signups while away from home, or simply services that are too lazy to support your backup style (looking at you, AWS).

I think what we need is one master key that can be backed up in an offsite location (e.g. safe deposit box, lawyer, parents, trusted friends), and then have all subsequent secrets generated from it, or encrypted with it and stored somewhere publicly accessible.

3 comments

I think people start with trying to do the best practice too early. Just using one key as your primary authentication adds a lot of security as other authentication methods aren't as routinely exposed. That's enough to get started and makes it easier to think about backups when one is ready for multiple keys.
> Just using one key as your primary authentication adds a lot of security

Yeah, and look just how often people lose or wash their phones or their keys, or how easy it is to break off a Yubikey that is on a keychain (e.g. when a cat pulls on it). Then you are usually royally screwed.

Sounds like FUD to me. If you lose your primary method you have to remember the password to unlock your secondary software ssh key..

Possibly remembering a password is a huge crisis but I had that crisis before using tokens, i.e. returning to my work desktop after a vacation.

> If you lose your primary method you have to remember the password to unlock your secondary software ssh key..

The post I was replying to was talking about 2FA in general, not just for SSH keys. Many people take the advertisements of Facebook, Google, Twitter et al. to push for 2FA as pure gospel, but completely neglect "worst case recovery" scenarios - and then run into stone walls when it inevitably happens, because FB/GOOG/TWTR don't offer any sort of customer support (other than raising threads on HN, and even that is similar to winning the lottery) and Amazon AWS doesn't offer multiple 2FA keys at all.

The laws of statistics mean that even if something happens only for 0.001% of all users, at the scale of the big tech companies it still hits tens to hundreds of thousands of people, who have no recourse at all and are now completely and forever locked out of their online identity. Simply because they have not known about the failure modes.

We here, who debate on HN, know about the dangers and how to prevent them. But our parents? Our siblings? They do not, and companies push them to extremely irresponsible practices nevertheless. We can't go and claim on the one side (when fighting against surveillance, backdoors etc.) that our online identities and presences are extensions of our minds and should be protected, and at the same time make it so extremely easy for people to lose access to them!

AWS not offering multiple 2FA keys is one of my biggest annoyances, it's a service that I feel must have 2FA due to its ability to run up extreme bills, but I also can't set up a backup key in case of loss or failure.
It is a big annoyance but I think most places (once they're beyond a few engineers in size) use federated auth that supports multiple keys (Okta, Active Directory, GSuite) for AWS access.

You can also use TOTP and store the secret in a password manager then protect that with hardware keys.

At $JOB-1 we solved this by building a virtual TOTP service that grabbed the MFA secret for a particular AWS account from our internal secrets tool (which itself required MFA and supported multiple users) and used it to generate codes.
> something happens only for 0.001% of all users

Like a phisher taking their account and convincing support they are the real user? You can't really blame FIDO for the fact that consolidation made a dangerous situation. I'm very happy with my past choices to intentionally lock myself out as a failsafe over a 50/50 chance that it's me who gets an account back.

OK, how often? Seems like a relatively infrequent issue, although at the scale of cell phones it certainly happens "often".

But you aren't really screwed, you can recover your accounts. You still know your password, you likely have an associated email, you may have even written down your recovery codes.

You can't log in without the second factor and only the password because that is literally the entire point of having a second factor.

You should not be able to reset a 2FA token purely by having access to the target's email (or SMS) account in a halfway decent system.

Your only hope will be the recovery codes but well, how many people actually read the fine print on these?

I'm saying that if you have the password and the email address, bypassing 2FA would not be unreasonable, and it's what most services end up doing (for better or worse). Recovery codes are the ideal, of course.

But yeah, this is also why every new Android/iOS device can act as a FIDO2 token - the more tokens people have, the easier it is to recover with a second token vs having to fall back to less safe methods.

>or their keys

How often do people actually permanently lose their keys (besides just misplacing them or leaving them somewhere and getting them back)?

I'd say losing keys (house key, car keys) is fairly rare.

How often have you had a flash drive that stopped working for some reason?

Physically losing the keys isn't the only way to lose them.

>I think what we need is one master key that can be backed up in an offsite location (e.g. safe deposit box, lawyer, parents, trusted friends), and then have all subsequent secrets generated from it, or encrypted with it and stored somewhere publicly accessible.

This is a very good point. Essentially what you are describing here is a certificate authority.

The Yubikey, in this scenario, just acting as an 'offline CA'

It's a very good idea, but requires software being built to accept an authentication hierarchy.

A lot simpler than a certificate authority, actually. There's no need for hierarchy, x509, or anything of the sort.

Take SQRL[1] for example. It's a login system where you scan a QR code with your phone, then your phone derives a private key based on the domain and a master key, and uses that to sign a challenge. Every other device (including offline backups) will generate the same private key, and hence give access to the same account.

[1] https://www.grc.com/sqrl/sqrl.htm
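
The derivation described in the comment above, sketched as an added example; it is not part of the thread and is not SQRL's reference code. It assumes HMAC-SHA256 of the domain keyed with the master key as the derivation step and Ed25519 for signing; all function names and the sample master key are constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

// Fixed PKCS#8 DER header that precedes a raw 32-byte Ed25519 seed.
const ED25519_PKCS8_PREFIX = Buffer.from('302e020100300506032b657004220420', 'hex');

// Per-site key pair: seed = HMAC-SHA256(masterKey, domain). Nothing per-site is stored.
function deriveSiteKey(masterKey, domain) {
  const seed = nodeCrypto.createHmac('sha256', masterKey)
    .update(domain.toLowerCase(), 'utf8').digest();
  const privateKey = nodeCrypto.createPrivateKey({
    key: Buffer.concat([ED25519_PKCS8_PREFIX, seed]), format: 'der', type: 'pkcs8',
  });
  return { privateKey, publicKey: nodeCrypto.createPublicKey(privateKey) };
}

// Hex of the public key: the only value the site keeps at signup.
function publicKeyHex(publicKey) {
  return publicKey.export({ type: 'spki', format: 'der' }).toString('hex');
}

// Client side: re-derive the site key on demand and sign the site's challenge.
function signChallenge(masterKey, domain, challenge) {
  return nodeCrypto.sign(null, challenge, deriveSiteKey(masterKey, domain).privateKey);
}

// Server side: check the signature against the public key stored at signup.
function verifyLogin(storedPublicKeyHex, challenge, signature) {
  const publicKey = nodeCrypto.createPublicKey({
    key: Buffer.from(storedPublicKeyHex, 'hex'), format: 'der', type: 'spki',
  });
  return nodeCrypto.verify(null, challenge, publicKey, signature);
}

// Constructed sample: the phone's master key and a copy restored from offsite backup.
const phoneMaster = Buffer.alloc(32, 7);
const backupMaster = Buffer.from(phoneMaster);

function demo() {
  const registered = publicKeyHex(deriveSiteKey(phoneMaster, 'example.com').publicKey);
  const otherSite = publicKeyHex(deriveSiteKey(phoneMaster, 'example.org').publicKey);
  const challenge = nodeCrypto.randomBytes(32);
  return {
    // A device restored from backup logs in to an account it never saw being created.
    backupLogsIn: verifyLogin(registered, challenge,
      signChallenge(backupMaster, 'example.com', challenge)),
    // Different domains get unrelated keys, so sites cannot link accounts.
    otherSiteKeyDiffers: registered !== otherSite,
    // A signature made with another domain's key is rejected.
    wrongDomainRejected: !verifyLogin(registered, challenge,
      signChallenge(phoneMaster, 'example.org', challenge)),
  };
}
console.log(demo());
```

The backup never needs updating after a new signup because the site key is recomputed from the master key and the domain; the flip side is that whoever holds the master key holds every derived account.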

For signups away from home, use the key you have then add the second when you get home.
I sign up for a lot of services when I'm on vacation (local taxi, event and tour guides that now require apps, SIM card contracts, etc). Losing/breaking small electronics is a big risk when traveling, so I wouldn't use Yubikeys for those even if they are supported.