18 votes

What are my options for two-factor authentication that doesn't require a backing service (cloud/SMS)?

I'm not new to two-factor authentication (2FA) as a concept, but available options and how they'd fit into a workflow has always felt somewhat opaque. Every time I've been required to use 2FA, I've used SMS despite knowing how insecure that really is.

GitHub's 2FA requirement is about to lock me out of my personal account, so I figured it's time to get a grasp on this:

  • What second factors are available to me and what do the workflows look like?
    • Preferably these second factors wouldn't require me to sign up for some associated service.
  • What are my options for redundancy?
    • Can I have multiple second factors?
    • Where are you supposed to keep recovery codes? (I've read that keeping them in your password manager essentially defeats the purpose)
  • What happens if I screw up and lose my second factor? With services that just have password requirements, you can use your email to reset; are there analogous systems for 2FA?

14 comments

  1. codesplice

    I've been using Yubico Authenticator to store TOTP secrets on my Yubikey for years:
    https://www.yubico.com/products/yubico-authenticator/

    (I actually enroll new accounts on a pair of Yubikeys - one which stays on my keychain, and another that gets immediately returned to a locked fire safe just in case).

    Storing the secrets on hardware makes it easy to switch between mobile/desktop devices without having to sync my secrets through someone else's computer (The Cloud), and keeping them out of my password manager ensures that my two factors aren't reduced to one if the password manager gets compromised somehow.

    13 votes
    1. Pistos

      I've been really happy with the Yubikey product. No third party account or network traffic, no phone app, no insecure SMS. Linux support (ykman).

      2 votes
    2. zoroa

      Any particular reason to use the Yubikey to store TOTP secrets instead of as a FIDO2 key?

      1 vote
      1. codesplice

        Why not both?

        I use it for FIDO2 things where supported, but seems like many more sites support TOTP and not FIDO2. I love the flexibility of being able to use the yubikey in a variety of different ways.

        3 votes
  2. tibpoe

    pretty much all the answers to your questions are in the github documentation for this: https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication

    7 votes
    1. zoroa

      Ah thank you! Re-reading this again today was helpful paired with the concrete workflows/recommendations that I'm getting in this thread.

      1 vote
  3. spit-evil-olive-tips

    simple option: download Aegis (what I use) or Authy or Google Authenticator or another TOTP app to your phone. GitHub shows you a QR code, you scan it with the app. the data in that QR code contains the shared secret that the app uses to generate TOTP codes.

    more complicated option: get one (or more) FIDO2-compatible security keys. Yubikeys are the fancy option here, they support several other features like storing GPG keys on the device, and run in the $50-60 price range. if you want cheaper keys that only support FIDO2, you can get these for $15-20 (for example)

    Can I have multiple second factors?

    I generally recommend buying two keys, from two different manufacturers. register them both, use one for daily use and keep the other as a backup in case the first one fails.

    even if both keys fail, you will still be able to log in with the TOTP app on your phone. if both keys fail and you lose your phone, you can login with the recovery codes.

    Where are you supposed to keep recovery codes? (I've read that keeping them in your password manager essentially defeats the purpose)

    print them out, or write them on a notecard, and store them the same place you store your passport and other important documents.

    6 votes
    1. zoroa

      download Aegis (what I use)

      Oh dope, Aegis basically is what I was hoping to get recommended! Thank you

      I generally recommend buying two keys, from two different manufacturers.

      Any specific reason to go for keys from multiple manufacturers? Is the idea that they probably won't fail in the same way at the same time?

  4. slothywaffle

    I use Google's Authenticator app. It generates a 6 digit code every 30 seconds that you have to enter when signing in instead of getting the code through text message. It's easy enough to use and you can easily copy and paste the code.
    But learn the lesson I didn't and keep all your backup codes in one place you'll remember. I was locked out of Discord for a year and then finally found my codes.

    5 votes
    1. triadderall_triangle (edited)

      I'm not super read-up on their authenticator but please, for your own sake, make sure it's all backed up and portable so you can extract it out if things ever go South.

      Too many people are using apps where they are locked in and vulnerable to the app/company intolerably altering their terms or it's straight-up platform-locked.

      KeePass [corrected from KeyPass] is ideal as the antithesis to all that but that's a whole other discussion. Just be safe hehe

      Edit: also make sure it's e2ee and/or you've explicitly selected that option where available since it's all technically accessible to Google and friends if you fail to do so

      1. llehsadam

        Apart from backup codes, you can also export the keys to another phone and throw that into a safe or whatever you think is a safe spot. At least that’s what I did some time ago… on the flip side, remember to delete the keys when you switch phones.

        1. triadderall_triangle

          Can't comment on the form or function described here but I would be very wary of using the big ones like Microsoft/Google/Authy. If you need to ensure syncing is airtight and KeePass is too fiddly for you, Bitwarden is way better even if you only do premium ($10 folks, c'mon) for one year you only use it for that purpose (the TOTP) and then they will let you sync and use them forever technically, just won't let you add new ones until you renew.

          Anecdotally, it took forever and it's not at all clear it was reproducible for me to extract my Outlook secret from Microsoft Authenticator to use in my solution of choice. I get the position that maybe it shouldn't be too facile to the point it facilitates bad secret-handling but I'm past the point of good-faith with all of these monolithic serial privacy-and-user autonomy corporate bad actors.

          1 vote
  5. triadderall_triangle

    Dedicated app, or, as I would recommend, a second KeePass kdbx database exclusively for that (hopefully complementing the most correct choice of password management options you hopefully have ;)

    2 votes
  6. zatamzzar

    In addition to Yubikey and the various apps, Standard Notes can perform this role for you.