Hacker News
by YuriNiyazov 4673 days ago
Actually, I disagree with you here (because what hasn't happened to you has actually happened to me).

I was robbed at gunpoint; the perpetrator took both my phone and my laptop (the only computer authorized to log in), which was the only computer that had a non-expired login.

I printed out all the codes and stored them in a secure place in my house (with things like my passport). For the truly paranoid, get a safe, or a safety deposit box at a bank.

1 comments

Not to mention the much more likely attack vectors with this approach over a safe/deposit box based approach (which you might be alluding to):

  - This has a big assumption that 2FA cannot be bypassed AND other service exploits
  are not possible. The recent Dropbox security paper showed this was possible:
  https://www.usenix.org/system/files/conference/woot13/woot13-kholia.pdf
  - Device stolen/lost/hacked with active logins to said services OR local copies of said 2FA
  recovery codes? Eek!
  - Our friends at the NSA love that you use Dropbox to store this versus a more
  secure service like SpiderOak.