by laeri 880 days ago
FIDO/physical keys still work and they are still the best solution. Sure, they can be stolen, but physical access is much harder to get than digital access. The loss problem is also practically not of importance, as a backup key can mitigate this. Also, physical loss does not guarantee access to the new owner, as they need to know which identity uses the key as well as the password, since the key is only the second factor.

Best solution would probably be an implant of the physical key which makes it nearly impossible to lose it (apart from the worst case scenario).

Bitwarden + 2 yubikeys is my solution. I remember one password, keep one key with me, and leave one key at home.
Is there a "create duplicate/backup of yubikey" app of some kind?

EDIT: How to register your spare Yubikey: https://support.yubico.com/hc/en-us/articles/360021919459

Wait, they suggest saving photos of the QR codes of your TOTP secrets? That seems to weaken the concept by making it easy for an attacker 1) to identify secrets and the sites they’re associated with, and 2) to retrieve them (in plaintext, no less) with no more than access to a device’s photo roll.

I thought the idea was that we’d write the secret once to an arbitrary number of primary and backup devices, then destroy it so it can’t be stolen as easily. Although I guess password managers save TOTP secrets alongside the password factor these days too.

Does the “the secret itself is not phishable” aspect of TOTP just not actually matter in practice as much as the rapid expiration and frustrating replay attacks / on-the-wire sort of secret interception?

Having the QR in your photo roll doesn't break the 'not phishable' property.
Regular people are incapable of properly managing a key + keeping an up to date backup. You still need to have a recovery mechanism for lost keys.
Regular people have been carrying house keys and/or car keys around for practically their entire lives. A physical key for their computers wouldn't be weird, except it's different than what they're used to.
Dear sir, what is a locksmith, and why are there so many of them?
This. People assume weak security. They think if they lose their house or car key they can get in some other way, or a locksmith can “fix it”, or they can order another car key at the dealer.

The concept that if I lose my key I am totally screwed doesn’t align.

Case study: an ex who got fully locked out of her phone by forgetting the new passcode she had changed to, and had no idea what her Google account password was, either.

So in the end she was locked out of the encrypted backups and had to wipe the phone, losing photos and a lot of notes. Despite all this, she somehow expected that a quick ring to the <Cell Provider> call center could get her files unlocked and restored. Once that proved fruitless, that a call to Google would do the trick.

Car keys are getting a lot more troublesome these days. I see an analogy... if you lose your security device you can pay $XX to get on a call and verify with an account security rep. Of course this can be deepfaked nowadays. Maybe you need to do password recovery in person with a notary!

Notary public... the new digital locksmith for password recovery.

You don't need to regularly plug your spare house key into your computer to update the password DB on it. And even with spares people still get locked out and need locksmiths.
People already get locked out of their homes regularly. Imagine how much more frequently that would happen if their keychain also had a security key they had to take out regularly.
And regular people also frequently lose their keys and cards, including me.