by dangoor 4268 days ago
I liked this article and largely agree with what it has to say, but I have a question related to a bit at the end.

The article recommends using multifactor authentication everywhere, which sounds great for keeping things extra secure. Recently, though, I got a new phone and I'm thankful that I only had two services for which I was using multifactor authentication because otherwise I would have had to remember to set up even more than those two services on my new phone.

Is there any good solution to that problem?

6 comments

If you can, export the secrets from the phone and import them on the new device. Of course, if the phone isn't rooted, that might be difficult.

Authy offers a cloud backup service, where they encrypt the secrets with a key derived from your password. They use PBKDF2 with only 1000 rounds, so pick a very high entropy password.

http://blog.authy.com/backups
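As an added illustration of the two points in this comment (not code from the thread or from Authy): a TOTP secret is just a base32 seed, so exporting it in the otpauth:// form that authenticator apps encode in their QR codes and importing it on the new device yields identical codes, and the password-derived key that protects such an exported blob is only as strong as the PBKDF2 round count and the password entropy. The label, issuer and round counts below are made-up sample values.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, quote, unquote, urlparse


def totp(secret_b32: str, at: int, digits: int = 6, step: int = 30, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HMAC over the time-step counter, dynamic truncation, zero-padded."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(key, counter, algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def export_uri(label: str, secret_b32: str, issuer: str) -> str:
    """Serialise a seed in the otpauth:// form that QR-code enrolment uses."""
    return f"otpauth://totp/{quote(issuer)}:{quote(label)}?secret={secret_b32}&issuer={quote(issuer)}"


def import_uri(uri: str) -> dict:
    """Parse the otpauth:// URI back into its parts, as a new device would on import."""
    parsed = urlparse(uri)
    query = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": query["secret"][0],
        "issuer": query.get("issuer", [""])[0],
    }


def backup_key(password: str, salt: bytes, rounds: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key for wrapping an exported seed; 'rounds' sets the attacker's
    per-guess cost, so a low count (the 1000 mentioned above) must be offset by password entropy."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds, dklen=32)


def same_codes_after_migration(secret_b32: str, at: int) -> bool:
    """Old device exports, new device imports: both must produce the same code for the same time."""
    restored = import_uri(export_uri("alice@example.com", secret_b32, "ExampleService"))
    return totp(secret_b32, at) == totp(restored["secret"], at)


if __name__ == "__main__":
    # Constructed seed: the ASCII key "12345678901234567890" from the RFC 6238 test vectors.
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(seed, 59, digits=8), same_codes_after_migration(seed, 59))
```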

Good point, it is a problem.

I'm aware of two options:

- either you spend the time manually going to all the places where you use multi-factor auth and performing the "transfer device" process, which is harder and more painful the more services you have,

- or you save backups of the original secret elsewhere, basically invalidating the security advantage multi-factor offers you.

The second option isn't so bad as long as those backups are kept offline and physically secure. For example, with smartcards, it's common advice to generate keys on an offline machine and copy them (encrypted if you want) to a USB stick as well as the smartcard. Then you stick the USB stick in your safe. If your smartcard dies, you can load them onto another card.

I would think that in an ideal world the old device would sign a statement indicating that the new device has full authority to act on its behalf in the future.

In a less-ideal world, it'd be nice if there were a way to sync devices without having to trust an eminently untrustworthy second party.

2-fac with Google Voice number. 2-fac Google account with normal number. Does that work? You'd have to compromise the Google account and for that you'd have to best the actual phone.

I don't actually use this but is there a good reason not to do this?

I think the answer is not yet.

Apple's TouchID is a great example of a frictionless authentication mechanism that can be easily augmented with a password to achieve two different factors, but the reality is that there isn't a lot of that out there yet.

I save the QR codes on an encrypted disk image which I keep in "a safe place". There is also Authy[0] which supports backups.

[0]: https://www.authy.com/users