by akerl_ 902 days ago
Targeted kidnapping and coercion to extract passwords is not part of the threat model for the overwhelming majority of people.

Likewise for being forced to unlock your phone at gunpoint to get at your accounts. People who are committing individual armed robbery to get valuables are doing it for the raw goods, not as an input to get into your accounts. They’re gonna take the phone, try to flip it, then burn up some charges on your credit cards before the bank cancels them.

I have passwords in 1password. MFA for sites I don’t really care about goes in 1password, as do recovery codes for those accounts. Any accounts that matter, MFA is on my phone and yubikey. Recovery codes are on index cards in a physical safe.


Thanks. For accounts that matter, what do you mean when you say MFA is "on my phone and yubikey"?

Which accounts do you consider important? Email, apple / google, banks, cell phone carrier, what else?

For me, "important" basically means "if somebody somehow stole my 1Password vault and had access to its contents, it would be logistically problematic for me that they'd have the MFA for this account". So email, banks, cell phone / DNS hosting / etc, but also things like my MFA for Slack, PyPI, Steam, etc.

Things that aren't important are accounts like my rewards account w/ airlines, various forums / etc where there's MFA but it's less valuable than the password vault itself.

For MFA enrollment, my basic approach is:

1. If the site supports FIDO2/U2F, I enroll a yubikey in that.

2. If it supports multiple FIDO2/U2F devices, I enroll 2 other yubikeys (my primary yubikey is USB-C, then I've got a USB-A and a backup USB-A).

3. If the site supports TOTP, I generate a TOTP key and enroll my phone's TOTP app

4. For sites I'm likely to need to log into a lot, but that don't support multiple FIDO2 devices, I also enroll my Yubikey as a TOTP device (https://www.yubico.com/products/yubico-authenticator/ for reference). I don't do this for every site because the Yubikey has a finite number of slots for TOTP secrets.