Even if everybody agrees that passwords are a weak way to protect access to sensitive or private information, they remain today the default method implemented by many online services. A password, as complex as it may be, is easy to steal or leak. Tools like Mimikatz or memory scrapers[1] are common today. For a while now, major players on the Internet have been implementing two-factor authentication (2FA) or multi-factor authentication (MFA). Just to remind you, this authentication mechanism is based on a combination of:

From a cost and ease-of-implementation point of view, the most common combination remains a password and a temporary code or "OTP". There are commercial solutions based on physical tokens, but today, with the explosion of smartphones, Google Authenticator[2] and compatible applications have become the most used platform. Once the application is installed, every time you activate the OTP feature on a compatible website, you scan a QR code and that's it!

When available, I always enable OTP on my online accounts (Twitter, GitHub, Apple, Dropbox, … but also on my own resources like my blog or my private ownCloud). On my iPhone, I'm using the 2FA app because it has a simple GUI and provides an Apple Watch version (it is so convenient to have tokens right on your wrist!). But my collection of tokens is constantly growing: I can't imagine losing all those tokens! We have been using password managers for a while (well, I hope you do), but will we need an "OTP manager" soon?

The other question is: how do you safely keep track of and back up your tokens? They are available in your pocket, but a smartphone is easy to lose, to have stolen or to break. Most websites propose a procedure to recover your access if you lose your token, but there isn't a single procedure: some propose recovery codes (which must also be safely stored somewhere), emails or SMS codes (and, guess what, usually the same phone is used to receive the recovery SMS). Here are some best practices:
Personally, what I do:
Note that some 2FA apps, like Authy, propose a backup solution (usually in the cloud; it's up to you to trust it or not).

To conclude, OTP passwords are a good way to protect your accounts, but have a good recovery procedure in place to avoid losing control of your accounts. And you? How do you address this issue? Share your input!

[1] https://blog.blechschmidt.saarland/memory-recovery/

Xavier Mertens (@xme)
Xme 587 Posts ISC Handler Sep 16th 2016
Sep 16th 2016 4 years ago
I use the same backup strategy (screenshot of the QR code or a copy of the text key, stored in an encrypted folder). I also use a Yubikey with Yubico Authenticator, which means that the tokens are stored on my Yubikey, not on the device with the OTP app on it. Since I have a screenshot of the QR code, I can add the same token to both my Yubikeys, so I always have an instant backup. I have Yubico Authenticator on my PC, laptop and phone, so I can easily authenticate wherever I am, as long as I have a Yubikey with me. If I wanted to be super-cautious, I could even password-protect the Yubikey!

Jules 2 Posts
Sep 16th 2016 4 years ago
Hi, I'm the author of the OTP package (written in Go) present at github.com/heliorosa/otp.
This simply generates a URL in the format otpauth://totp/mydomain.com?secret=UYMIODYLDUSYMBVV for time based and otpauth://hotp/mydomain.com?secret=UYMIODYLDUSYMBVV for counter based. This string is then encoded as a QR code. Perhaps a better backup strategy would be to convert the QR code to a URL and back up that.

Hélio Rosa

hrosa 1 Posts
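The comment above says a QR code is just an otpauth:// URI, and the diary asks how to verify that a backed-up token is actually usable. The following added example (my code, not the diary author's and not the heliorosa/otp package) parses such a URI, decodes the base32 secret and regenerates the HOTP (RFC 4226) or TOTP (RFC 6238) code from it, which is the check a stored URI or QR screenshot should pass: if the code it produces matches what the authenticator app shows, the backup is complete. The URI with secret UYMIODYLDUSYMBVV is the one quoted on the page; the second URI is constructed around the RFC 6238 reference secret so the output can be checked against the published test vectors, and its label is made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Provisioning URI quoted in the comment above (taken from the page).
PAGE_URI = "otpauth://totp/mydomain.com?secret=UYMIODYLDUSYMBVV"

# Constructed example: the RFC 6238 reference secret ("12345678901234567890"
# in base32) wrapped in an otpauth URI. Label "Example:rfc6238test" is made up;
# the codes it yields match the RFC's SHA1 test vectors.
RFC_TEST_URI = ("otpauth://totp/Example:rfc6238test"
                "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&digits=8&period=30")


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth:// provisioning URI (what a QR code encodes).

    Supports the two types used on the page: 'totp' (time based) and
    'hotp' (counter based). Missing query parameters get the defaults
    that authenticator apps assume (SHA1, 6 digits, 30 s period).
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    otp_type = parsed.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise ValueError("unsupported OTP type: %s" % otp_type)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("missing secret parameter")
    secret_b32 = params["secret"].replace(" ", "").upper()
    # Apps usually omit base32 padding in the URI; restore it before decoding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "type": otp_type,
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", 6)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "period": int(params.get("period", 30)),
        "counter": int(params.get("counter", 0)),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest_fn = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digest_fn).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // period, digits, algorithm)


def code_from_uri(uri: str, at: Optional[int] = None) -> str:
    """Regenerate the current code from a backed-up otpauth URI.

    Compare the result with the code the authenticator app displays: a match
    proves the stored URI (or the QR screenshot encoding it) is a working
    copy of the token, not just a picture.
    """
    token = parse_otpauth(uri)
    if token["type"] == "totp":
        return totp(token["secret"], at, token["period"], token["digits"], token["algorithm"])
    return hotp(token["secret"], token["counter"], token["digits"], token["algorithm"])


if __name__ == "__main__":
    for uri in (PAGE_URI, RFC_TEST_URI):
        info = parse_otpauth(uri)
        print("%s (%s, %d-byte secret): %s" % (
            info["label"], info["type"], len(info["secret"]), code_from_uri(uri)))
```

Only the `secret` (and, for HOTP, the current `counter`) is needed to reproduce a token, which is why the plain URI text is as sensitive as the QR image and belongs in the same encrypted store the diary recommends.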
Sep 16th 2016 4 years ago
Xavier, I too take a screenshot of the QR code, and then I store the picture in a KeePass file.
DidierStevens 532 Posts ISC Handler
Sep 18th 2016 4 years ago
KeePass supports OTP tokens via a plugin, which makes for a great way to back them up. Some of the mobile clients support the .kdbx information created by the extension as well. Used in combination with a file sync client (Dropbox, Nextcloud, etc.), it makes for a nice way to ensure you have all your tokens in all the right places.

Matt M. 5 Posts
Sep 20th 2016 4 years ago
1Password (my password manager of choice) also supports storing the OTP seeds within its encrypted vault (and then synced across my devices via Dropbox). I have had various discussions with friends and colleagues about the wisdom of storing everything together in such a way and wondered if the OP had an opinion on this?

foo 1 Posts
Sep 28th 2016 4 years ago