
This is why I’d rather have the phone number/email 2fa than a device 2fa even with the risk of sim swap.

If a human can’t give me my account back through tech support I’m not very keen on trusting my account to a gadget that can break or get lost.

The risk of losing a phone and the backup codes is probably several orders of magnitude larger than the risk of being the target of a sim swap attack for the vast majority of users.

As someone who lost access to their TOTP 2FA device for ~3 months I can definitely relate to that. But SMS is still insecure and there are better ways of doing this.

For one, no one is forcing you to only have one TOTP device. You can scan that QR code as many times as you want. Have them on multiple devices.

Depending on your threat vectors, putting them into a password manager that supports it (like Bitwarden) might also be smart. Less secure than fully offline, but definitely better than SMS.

As for the backup codes - one big encrypted text file synced to the cloud of your choice should do the trick, but if you prefer the "scary men with guns" kind of security, safety deposit boxes were literally made to store this kind of stuff (bonus points for on-paper encryption).

I discovered recently the QR codes are dumber than I thought; you can even print the QR codes out or store them as screenshots depending on your threat model.

Cite: https://www.eff.org/deeplinks/2017/09/guide-common-types-two...

I do something silly like that. I take the qr codes and convert them into Unicode glyphs and then put them in a gpg encrypted file. I started doing this after my first phone upgrade lost all my google auth entries. Now I can just decrypt in the terminal and directly scan all the codes into google auth should I ever lose them.

Do you mean you use something like qrencode to literally draw the QR code using Unicode box characters or do you just decode and save their contents?

As an extra suggestion: if you use an Android phone for OTP, [andOTP](https://github.com/andOTP/andOTP) supports exporting directly into a PGP-encrypted JSON file which can then be either imported back into the app or converted back to QR codes with a script.

Since it allows you to trigger the export using a Broadcast Intent, I have it set up to do that as a part of my weekly backup Tasker script (of course, you could also just use any other sync solution and manually export when you add a new code).

Yeah, literal QR codes made out of unicode box characters. That way it's just scanning a bunch of codes instead of trying to recreate them just to scan them.

I would prefer to have u2f devices but be able to trust some tokens from friends and family without having to have them present at every registration, kind of like having a spare key with someone for every lock. I guess I'm not really worried about my relatives socially engineering my GitHub password out of me.

But you already can do that. You can register multiple U2F keys and give one to a family member or put it in a safe. You can do the same with recovery keys.

The key problem is this:

> without having to have them present at every registration

For example, I have given a token to a family member in another country; for proper utility I need that token back each time I register on another site.

But what if your relative suddenly passes away? Then you'd be pretty screwed, wouldn't you?

I don't understand, if a neighbor moves or a key gets lost, you give a spare key to another neighbor based on your own key.

What difference does it make unless everyone you trust is gone or has lost everything? At that point you have larger problems than logging into online accounts.
