
This exactly happened to me (I took my iPhone swimming in the Mediterranean).

My personal solution is 2 encrypted files - one for my passwords, and one for the keys for the (sadly few) services using TOTP. So losing (ie stealing then decrypting) one is not losing both - ie the password and the TOTP are still mutually exclusive factors.

I got back many of my TOTP accounts fairly easily, but boy the amount of trust placed in a SIM Swap is still scary.

Compare, for example, to (my idealised way it should work) every online account I have using 2 different U2F keys (ie different hardware IDs) to control the account. One I lock away in my bedroom safe and one I carry in my wallet [#]. Lose one and I still hopefully have the other. But a) can you name any service that does that today? b) is my bedroom safe actually safe?

My work TOTP was backed up on cloud - and it still worked! The app had stored the key (probably securely) in an iCloud-backed-up location.

So the TOTP was no more safe than iCloud. Which is to be fair a pretty high bar. So I am fairly relaxed about it. But still, TOTP hardly counts as "something you have" these days.

But I completely agree that the lifecycle problem (revocation mostly) is a long way from being solved. I would just like to see dual U2F access controls as a default on web services today.

[#] That's another problem. I am seriously contacting wallet makers to see if I can design a USB key and U2F key friendly wallet - I hate my keyring approach.
