submitted 5 months ago* (last edited 5 months ago) by governorkeagan@lemdro.id to c/asklemmy@lemmy.ml

After everything that has happened with Raivo over the last few days it’s reminded me that I need to go through my accounts with 2FA enabled.

However, how do others keep things organised? My main 2FA app is Proton Pass but I’ll be adding Ente Auth as a backup alongside my Yubikey. In the past I saved a copy of the QR codes when setting up 2FA but I’d occasionally forget to save new ones.

Does anyone have a good system for saving either the QR code or setup code (not actually sure what it’s called) for future use?

EDIT: the code I'm referring to is the initial secret code used to set up the 2FA

Final Edit: I've settled on saving the QR codes into a folder that is set up as a git repo.

[-] Fake4000@lemmy.world 10 points 5 months ago

I use Aegis as my 2FA app. I back up the 2FA seeds in my KeePass file.

[-] UID_Zero@infosec.pub 4 points 5 months ago

Same, but my seeds are stored in a separate vault from my passwords. Seems like having MFA and passwords in the same place defeats the purpose. I used to let keepassxc auto fill MFA tokens, but finally changed to a separate app.

[-] mcmodknower@programming.dev 8 points 5 months ago

I have the backup codes for the accounts on paper. This is not the same as the initialization QR codes, but it should also work.

[-] vvv@programming.dev 4 points 5 months ago

I use passwordstore.org/ as my password manager, including for my otp codes. It's backed by a git repo. I get a backup of it on every device it is cloned to.

[-] governorkeagan@lemdro.id 2 points 5 months ago

I like the idea of using git.

[-] jeena@jemmy.jeena.net 3 points 5 months ago

I save them in my KeePassXC; actually, I save the 2FA there as well. Once someone gets to my password manager, all bets are off.

[-] monk@lemmy.unboiled.info 8 points 5 months ago

Sounds like 1FA with extra steps.

[-] vvv@programming.dev 7 points 5 months ago

Not a security scientist, but in my interpretation, it's the "categories" of the factors that matter. Ideally, you use some two of three of:

  • something (only) you know - generally represented by passwords
  • something (only) you have - most commonly represented by some device. You prove that you have the device by providing a token only that device can generate.
  • something (only) you are - generally represented by biometrics

The goal then is maintaining the "only"s.

If you tell someone your password, or they see you type it in, or they beat it out of you with a wrench, it's no longer something "only" you know, and it is compromised.

If you use the same password on two websites, and one website is compromised, the password is compromised.

OTPs from a key fob or YubiKey or something are similarly compromised if the device that provides them is left out in public/lost/stolen/beaten out of you with a wrench.

Biometrics, again, are compromised if it's not "only" you with access to them - someone scans your face while you're asleep, or smashes your finger off with their wrench.

Having multiple factors in the same category, like having two passwords, or two OTP tokens, or two fingerprints, doesn't significantly improve security. If you give up one thing you remember, it's likely you'll give up more. If one fob from your keychain is stolen, the second fob on that keychain is of no additional help.

You can start shifting what categories these things represent, though.

If you write down your passwords in a notebook or a spreadsheet, they become things you have.

OTPs can become something you know if you remember the secret used to generate them.

Knowing many different things is hard, so you can put them in a password vault. The password vault is then something you have, which can be protected by something you know. So although your OTPs and passwords are in one place, you still require two factors to get access to them.

You still need to protect your "only"s, though. And don't put yourself in situations where people with wrenches want your secrets.

[-] governorkeagan@lemdro.id 1 points 5 months ago

Thank you for the detailed response!

[-] jeena@jemmy.jeena.net 2 points 5 months ago

Yeah, I agree. I wonder how people make it real 2FA when the 2FA app is on the phone and they also log in on the phone.

[-] UID_Zero@infosec.pub 2 points 5 months ago

My phone has a passcode, so does my password manager and my MFA app - all different passwords. Those are the only ones I need to remember, so it’s not too bad.

Probably not ideal, but to break that someone needs to A) physically get my phone, B) unlock my phone, C) unlock my pw vault, and D) unlock my MFA app. I’m fairly confident in my setup.

[-] jeena@jemmy.jeena.net 1 points 5 months ago

For me it's similar, but I don't have D.

[-] Coelacanthus@lemmy.kde.social 2 points 1 week ago

I print the recovery codes of all services and pack them into a bag.

[-] vk6flab@lemmy.radio 2 points 5 months ago

The 2FA codes are just images. You can save them where you like. No requirement to backup your 2FA "to the cloud".

Just make sure that your storage is backed up.

[-] dulcinea@lemmy.today 1 points 5 months ago

Just use Bitwarden or Google Authenticator.

[-] governorkeagan@lemdro.id 1 points 5 months ago* (last edited 5 months ago)

I’m happy with Proton Pass as my primary 2FA application. I’m looking for a backup solution.

[-] otherbarry@lemmy.zip 0 points 5 months ago* (last edited 5 months ago)

Screenshot the QR codes & save offline to a USB disk. Alternatively some people do print them but that only works for people that have printers or access to one. Same with the 2FA backup codes.

Or, less ideally, you can save them somewhere secure on your desktop/laptop/whatever; just keep in mind that if you get hacked or get malware or whatever, then it's game over.

this post was submitted on 02 Jun 2024