Showing only topics in ~tech with the tag "2fa"
    1. For those who have tried YubiKey for personal use, is it worth it?

      I saw people talking about YubiKey here a few weeks ago so I got curious. Unfortunately, I’m not seeing a lot of helpful reviews for it.

      I’m personally getting tired of having to take my phone anytime I need 2FA for Okta but I don’t have a lot of super important accounts to secure so I’m going back and forth in deciding whether the 100+ euro investment (to get two so that there’s a duplicate) would be worth it.

      How do you use your YubiKey in your personal life and do you think it’s worth your use case?

      35 votes
    2. What are my options for two-factor authentication that doesn't require a backing service (cloud/SMS)?

      I'm not new to two-factor authentication (2FA) as a concept, but available options and how they'd fit into a workflow has always felt somewhat opaque. Every time I've been required to use 2FA, I've used SMS despite knowing how insecure that really is.

      GitHub's 2FA requirement is about to lock me out of my personal account, so I figured it's time to get a grasp on this:

      • What second factors are available to me and what do the workflows look like?
        • Preferably these second factors wouldn't require me to sign up for some associated service.
      • What are my options for redundancy?
        • Can I have multiple second factors?
        • Where are you supposed to keep recovery codes? (I've read that keeping them in your password manager essentially defeats the purpose)
      • What happens if I screw up and lose my second factor? With services that just have password requirements, you can use your email to reset, are there analogous systems for 2FA?
      18 votes
    3. Google Authenticator now supports Google Account synchronization

      After 11 years of life, Google Authenticator has added cloud backups for OTP keys in version 6.0.

      Google Security Blog: Google Authenticator now supports Google Account synchronization

      This is surprising news to me, because historically Authenticator had no way to backup keys by design. Here's a 2017 quote from a Google engineer who maintains Authenticator:

      There is by design NO account backups in any of the apps. [source]

      This design choice always made sense to me, as the point of 2FA is that you've got (1) something you know, and (2) something you have. The second factor should be tied to a physical device. If you lose the physical device, the second factor should be gone, and you'll need to use one of those 10-ish backup codes that we all definitely keep somewhere safe. I'm quite befuddled that Google is reversing this design choice and walking back their previously strong, security-centric design for the sake of user convenience in the case of a lost phone. I used to advise my friends and family to choose Google Authenticator over Authy for this specific reason.

      If you want further reading, here's a PCWorld article with an altogether different tone than Google's announcement: Google Authenticator’s long-awaited cloud 2FA feature carries hidden risk

      11 votes
    4. What would be a good security setup for me?

      So:

      • I keep all my passwords in my password manager (Bitwarden)
      • All my 2FA codes are generated by AndOTP on my phone.
      • My 2FA backup codes are also in Bitwarden, which I think is a bad idea, because that defeats the purpose of 2FA. So where should I put those?
      • I have my Bitwarden 2FA backup code in my wallet and in a safe at my house. Is that a good idea for the other backup codes?
      • Is there anything I'm forgetting here?
      8 votes