Backup and recovery for hardware tokens are issues. I suppose you could do what I do: use the Yubikey not for U2F, but for TOTP with the Yubico Authenticator app. Every time I set up a new account for 2-factor authentication, I get the secret as a text string instead of as a QR code, add the secret to Yubico Authenticator, and also save the secret to a text file that I back up locally in cold storage and/or online with encryption.

So long as I can remember how to access my backups, I'll always have access to my TOTP secrets and be able to set up a new Yubikey should it be lost. Of course the backup account password and encryption passphrase should be unique and hard to guess. TOTP is supported by more websites than U2F, and works on basically every platform and browser, since you just type in the one-time password. U2F only lets you log in on certain browsers, on devices with a USB port or Android devices with NFC. TOTP can be phished, so it's not as secure as U2F. But TOTP on the hardware token is more secure than an authenticator app on your phone. The hardware token can't be hacked remotely and never reveals its secrets. Last I knew, the Google Authenticator app didn't even use Android's keystore to store TOTP secrets. It just kept the secrets in plain text in a SQLite database, which means anything with root access could read them.

Account recovery is something provided by the website. It has nothing to do with TOTP or the Yubikey. E.g., Google lets you specify a recovery e-mail address and phone number. Account recovery will help if you lose your Yubikey, but also if you forget your password or if someone changes your password. If you keep backups of your TOTP secrets, then you can always set up a new Yubikey (or Google Authenticator, Authy, andOTP, or whatever - they're all equivalent in function). In this case you won't need to do any account recovery if you lose your Yubikey: the new Yubikey will give out the same one-time passwords as the old one, since you set it up with the same secret. You can back up the secrets however you want: print them out and put them in a safe, encrypt a file and save it on a USB stick or in a drive account. A TOTP secret is the thing you use to set up 2-factor TOTP. Time-based one-time passwords are 6 digits long, and there's no point in saving those. One part of this problem is considering how to log in to a local computer while offline.