by yakak 1485 days ago
I think people start with trying to do the best practice too early. Just using one key as your primary authentication adds a lot of security as other authentication methods aren't as routinely exposed. That's enough to get started and makes it easier to think about backups when one is ready for multiple keys.

> Just using one key as your primary authentication adds a lot of security

Yeah, and look just how often people lose or wash their phones or their keys, or how easy it is to break off a YubiKey that is on a keychain (e.g. when a cat pulls on it). Then you are usually royally screwed.

Sounds like FUD to me. If you lose your primary method you have to remember the password to unlock your secondary software ssh key.

Possibly remembering a password is a huge crisis but I had that crisis before using tokens, i.e. returning to my work desktop after a vacation.

> If you lose your primary method you have to remember the password to unlock your secondary software ssh key.

The post I was replying to was talking about 2FA in general, not just for SSH keys. Many people take the advertisements of Facebook, Google, Twitter et al. to push for 2FA as pure gospel, but completely neglect "worst case recovery" scenarios - and then run into stone walls when it inevitably happens, because FB/GOOG/TWTR don't offer any sort of customer support (other than raising threads on HN, and even that is similar to winning the lottery) and Amazon AWS doesn't offer multiple 2FA keys at all.

The laws of statistics mean that even if something happens only for 0.001% of all users, at the scale of the big tech companies it still hits tens to hundreds of thousands of people, who have no recourse at all and are now completely and forever locked out of their online identity. Simply because they have not known about the failure modes.

We here, who debate on HN, know about the dangers and how to prevent them. But our parents? Our siblings? They do not, and companies push them to extremely irresponsible practices nevertheless. We can't go and claim on the one side (when fighting against surveillance, backdoors etc.) that our online identities and presences are extensions of our minds and should be protected, and at the same time make it so extremely easy for people to lose access to them!

AWS not offering multiple 2FA keys is one of my biggest annoyances. It's a service that I feel must have 2FA due to its ability to run up extreme bills, but I also can't set up a backup key in case of loss or failure.
It is a big annoyance but I think most places (once they're beyond a few engineers in size) use federated auth that supports multiple keys (Okta, Active Directory, GSuite) for AWS access.

You can also use TOTP and store the secret in a password manager then protect that with hardware keys.

At $JOB-1 we solved this by building a virtual TOTP service that grabbed the MFA secret for a particular AWS account from our internal secrets tool (which itself required MFA and supported multiple users) and used it to generate codes.
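The two previous comments describe generating TOTP codes from a secret that lives in a password manager or secrets service rather than on a single hardware device. The block below is an added example (not code from anyone in this thread or from any internal tool mentioned): a self-contained RFC 4226/6238 HOTP/TOTP implementation in Python, plus a verifier with a small clock-drift window. The `SECRETS_STORE` dict is a constructed stand-in for a password manager or secrets service, and the secret it holds is the RFC test-vector key, so the outputs can be checked against the RFC tables.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed stand-in for a password manager / secrets service: account label -> base32 TOTP secret.
# The value is the RFC 4226 / RFC 6238 test key "12345678901234567890" in base32.
SECRETS_STORE = {
    "aws-root-example": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}


def decode_base32_secret(s: str) -> bytes:
    """Decode a base32 TOTP secret as shown by most providers (spaces and missing padding tolerated)."""
    s = s.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore the '=' padding providers usually omit
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if for_time is None else for_time
    return hotp(secret, t // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, for_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept a code from the current step or up to `window` steps either side (clock drift).

    Uses a constant-time comparison so the check does not leak which digits matched.
    """
    t = int(time.time()) if for_time is None else for_time
    counter = t // step
    submitted = submitted.strip().replace(" ", "")
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return True
    return False


def code_for_account(label: str, for_time: Optional[int] = None) -> str:
    """What the 'virtual TOTP service' does: fetch the secret from the store and emit a code."""
    return totp(decode_base32_secret(SECRETS_STORE[label]), for_time)


if __name__ == "__main__":
    # With the RFC test key, time 59 must yield 94287082 for 8 digits (RFC 6238, Appendix B).
    print(totp(decode_base32_secret(SECRETS_STORE["aws-root-example"]), 59, digits=8))
    print("current 6-digit code:", code_for_account("aws-root-example"))
```

The window of one 30-second step each way is the usual compromise between tolerating phone/server clock drift and limiting how many codes are valid at once; a server should additionally refuse to accept the same code twice within that window.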
> something happens only for 0.001% of all users

Like a phisher taking their account and convincing support they are the real user? You can't really blame FIDO for the fact that consolidation made a dangerous situation. I'm very happy with my past choices to intentionally lock myself out as a failsafe over a 50/50 chance that it's me who gets an account back.

OK, how often? Seems like a relatively infrequent issue, although at the scale of cell phones it certainly happens "often".

But you aren't really screwed, you can recover your accounts. You still know your password, you likely have an associated email, you may have even written down your recovery codes.

You can't login without the second factor and only the password because that is literally the entire point of having a second factor.

You should not be able to reset a 2FA token purely by having access to the target's email (or SMS) account in a halfway decent system.

Your only hope will be the recovery codes but well, how many people actually read the fine print on these?

I'm saying that if you have the password and the email address, bypassing 2FA would not be unreasonable, and it's what most services end up doing (for better or worse). Recovery codes are the ideal, of course.

But yeah, this is also why every new Android/iOS device can act as a FIDO2 token - the more tokens people have, the easier it is to recover with a second token vs having to fall back to less safe methods.
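The last few comments revolve around recovery codes as the fallback when a second factor is lost. As an added example, not code from this thread or from any of the services named in it, here is the server-side shape of such a scheme in Python: codes are generated with a CSPRNG, only a salted hash of each is stored, entry is normalised so "ABCDE-FGHIJ" and "abcde fghij" match, and each code is burned on first successful use. The `RecoveryCodeStore` class and its alphabet are hypothetical choices for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# Lowercase alphabet with the look-alike characters (0/o, 1/l/i) removed, so codes written on paper
# survive being read back. 31 symbols, 10 symbols per code: about 49.5 bits of entropy each.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = 10, length: int = 10) -> List[str]:
    """Return `count` fresh one-time codes formatted as xxxxx-xxxxx for the user to write down."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        half = length // 2
        codes.append(raw[:half] + "-" + raw[half:])
    return codes


def normalize(code: str) -> str:
    """Strip separators and case so a hand-typed code matches what was issued."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str, salt: bytes) -> str:
    # Codes carry enough entropy that a single salted SHA-256 is adequate; the salt
    # prevents a precomputed table from matching hashes across many users.
    return hashlib.sha256(salt + normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Hypothetical per-user store: holds salted hashes and a used flag, never the plaintext codes."""

    def __init__(self, codes: List[str], salt: bytes = None):
        self.salt = salt if salt is not None else secrets.token_bytes(16)
        self._used: Dict[str, bool] = {hash_code(c, self.salt): False for c in codes}

    def redeem(self, submitted: str) -> bool:
        """True exactly once per issued code; False for unknown or already-used codes."""
        h = hash_code(submitted, self.salt)
        for stored in list(self._used):
            # compare every entry with a constant-time comparison rather than a dict lookup,
            # so timing does not reveal whether the submitted code is close to a real one
            if hmac.compare_digest(stored, h):
                if self._used[stored]:
                    return False
                self._used[stored] = True
                return True
        return False

    def remaining(self) -> int:
        return sum(1 for used in self._used.values() if not used)


if __name__ == "__main__":
    issued = generate_recovery_codes()
    print("give these to the user once, then forget them:", issued)
    store = RecoveryCodeStore(issued)
    print(store.redeem(issued[0]), store.redeem(issued[0]), store.remaining())  # True False 9
```

The store keeps only hashes, so a database leak does not hand an attacker a working second factor; the user-facing side of the same design is the warning to regenerate the set when only one or two codes remain.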

>or their keys

How often do people actually permanently lose their keys (besides just misplacing them or leaving them somewhere and getting them back)?

I'd say losing keys (house key, car keys) is fairly rare.

How often have you had a flash drive that stopped working for some reason?

Physically losing the keys isn't the only way to lose them.