18 votes

Revisiting my digital security model

11 comments

  1. tauon

    The second change was regarding TOTPs. Instead of creating and managing them in a specific app, I migrated them to the password manager.

    Interesting article, this thought speaks to me a lot—as I actually came to the same conclusion about 1-2 years ago!

    To me the bigger risk, or should I rather say possible inconvenience, is losing what’s stored in the authenticator app due to wrecking my phone somehow. So I’m taking the hit in security (on paper) since I don’t think I’ll be a specifically targeted individual anytime soon, and have the convenience and peace of mind of having TOTP across devices via the password manager.

    15 votes
    1. 2c13b71452

      ...since I don’t think I’ll be a specifically targeted individual anytime soon

      I think it's more likely (still hopefully not too likely) that one day the password manager service I use either gets hacked, or they just make a mistake, and unencrypted data gets into the wild. It's this thought that stops me wanting to put TOTP codes for my most important accounts into the same vault as where the password gets kept.

      7 votes
    2. rodrigo

      I saved those backup codes from TOTP setups in a second, offline password manager (KeePassXC). I need to remember a second password besides my main password manager's, but I prefer that instead of paper. (I really don't like paper for important stuff 👀)

      4 votes
      1. arch

        I've used an encrypted zip file to store the backup codes, and that I have backed up to multiple locations.

        3 votes
        1. rodrigo

          That's a good idea! Almost the same as using a KeePassXC vault, but more accessible everywhere.

          2 votes
        2. adutchman

          I think I've heard that the encryption used on ZIP files can be quite poor.

          1 vote
      2. adutchman

        I like paper: it is easy, can't easily be lost or destroyed and it is fairly secure if you trust the people living with you enough.

        2 votes
    3. aleb

      I don't particularly like saving the TOTP keys inside my main password manager for the hit in security, on paper like you said.
      But I also nearly lost access to all my TOTP keys by losing my phone one time, and I instantly revoked all my TOTP services with, at the time, Google Authenticator, which didn't support backup or transfer of keys.

      But since then I created my TOTP "app" by creating my own encrypted storage and storing the keys themselves as files that I can backup and transfer everywhere.
      Like I would with the KeePassXC file that I backup in a different place and transfer everywhere.

      1 vote
      1. tauon

        Interesting solution to the problem! Unfortunately I need access to the codes while on my phone too often for this to be viable, for my use case personally at least.

  2. 9000

    The lock and key metaphor doesn’t account for a more likely scenario than password manager breach: password leaks by the services themselves. That’s what worries me most. Even in this “all eggs in one basket” arrangement, TOTP would remain useful. With the password but without the random code, my account that had its password leaked would remain secure.

    I don't think this logic quite holds. To my understanding, TOTP requires a shared secret key, similar to a password. But, unlike a password, it can't be stored in a hashed form on the server, because the server needs the raw secret value to compute the TOTP. This means that in the event of a password leak or breach, it's pretty likely that the TOTP secret has leaked as well.

    Yubikeys do not have this issue, since there is no shared secret between the Yubikey and the server. Interestingly, even SMS 2FA, which usually has a worse reputation than TOTP because of sim-swapping, is actually a little more secure here, because in this case the only thing that leaks is your phone number. An attacker would have to go further to perform a sim-swap against you (or otherwise have another vulnerability) to get access to your account. Obviously a Yubikey or passkey is still much more secure in this situation though.

    Having TOTP in place still prevents an attacker from reusing your password on a different site, but if you're already using a password manager, I assume all (most of?) your passwords are unique anyway.

    Abandoning the YubiKey was motivated more by convenience, or rather the inconvenience of using it, from frustrating scenarios (being out and needing to access a site or app dependent on the key left at home) to more routine ones that add up in frustration (the key being in another room of the house).

    This is a legitimate complaint. The usual advice is to get several keys. You can keep one on your keyring, one at home, and get a small one to keep permanently in your computer (plus any other devices you regularly use). That kind of helps, which is good. Except, now when you create a new account, you have to register all of those keys individually. I wish there were a way to create a certificate of all of your physical keys that you could register with just one key physically present, that way you wouldn't have to manually register each of them individually, and could truly keep some offline.

    The other problem here is it is expensive. One Yubikey is already $25-60, so getting 3 or more starts to really add up.

    2 votes
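The point made in the comment above, that a verifier must hold the raw TOTP secret because it recomputes each code from it, can be seen directly in the algorithm. The following is an added example written for this thread, not code from the linked article or from any of the commenters: a minimal RFC 4226/6238 implementation, an assumed account-record layout (the `enrol`/`login` helper names are assumptions), and two checks that show the asymmetry between a salted password hash and a stored TOTP secret.

```python
"""Worked TOTP example (RFC 4226 HOTP / RFC 6238 TOTP) illustrating why a
verifying server has to keep the raw shared secret, unlike a password hash.
Added example; the account record layout and helper names are assumptions."""
import base64
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits, algo)


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 secret found in otpauth:// URIs / QR codes (padding is often omitted)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def enrol(password: str, totp_secret: bytes, salt: bytes) -> dict:
    """Assumed account record: the password is stored only as a slow salted hash, but the
    TOTP secret has to stay recoverable because verification recomputes the code from it."""
    return {
        "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": totp_secret,  # raw; at best encrypted at rest, never one-way hashed
    }


def login(record: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors are checked; the password is never recovered, the secret is always used."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000),
        record["password_hash"],
    )
    return pw_ok and verify_totp(record["totp_secret"], code, unix_time)


def codes_recoverable_from_record(record: dict, unix_time: int) -> bool:
    """What a leaked copy of the record exposes: a valid current code can be produced from the
    stored secret, whereas the password hash alone does not yield the password. This is the
    asymmetry the comment describes, and why the stored secret needs protection at rest."""
    current = totp(record["totp_secret"], unix_time)
    return verify_totp(record["totp_secret"], current, unix_time)


def hashed_secret_verifies(secret: bytes, submitted: str, unix_time: int) -> bool:
    """Treating a hash of the secret as if it were the secret (the way passwords are stored)
    yields different codes, so a server cannot store TOTP secrets hashed and still verify."""
    return verify_totp(hashlib.sha256(secret).digest(), submitted, unix_time)


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 6238 Appendix B test-vector secret (SHA-1 case)
    print(totp(rfc_secret, 59, digits=8))  # 94287082 per RFC 6238 Appendix B
    record = enrol("correct horse", os.urandom(20), os.urandom(16))
    now = 1_700_000_000
    print(login(record, "correct horse", totp(record["totp_secret"], now), now))  # True
    print(codes_recoverable_from_record(record, now))  # True
    print(hashed_secret_verifies(record["totp_secret"], totp(record["totp_secret"], now), now))  # False
```

The `window` parameter in `verify_totp` is the usual one-step tolerance for clock drift; a real deployment would also rate-limit attempts and, as the record comment notes, keep `totp_secret` encrypted at rest with a key held outside the database so that a dump of the table alone does not yield usable codes.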
    1. em-dash

      I wish there were a way to create a certificate of all of your physical keys that you could register with just one key physically present

      I did something roughly equivalent once with another brand of FIDO key because I wanted to be able to back up the master key.

      This sort of thing (backups, and duplication generally) needs to be possible for me to take an authentication method seriously. Theoretical security consequences be damned; you don't get to decide other people's threat models.

      2 votes