I witnessed so many people lose access to their accounts because they wiped their phone that had an authenticator app, or they lost their physical 2FA tool.
1. You increase the risk of losing your entire life (if 2FA is properly implemented and avoids all social engineering process risks)
or
2. The 2nd factor devolves into a 2nd way to get access to your account
You really can't have both security and convenience.
> wiped their phone that had an authenticator app
try this one: battery dies in an iPhone. iPhone won't boot until battery is replaced. Battery can only be replaced at an Apple store. 2FA: do you feel lucky, punk?
Services like Authy address some of the loss of device issue, and always a good idea to have a backup token (e.g., yubikey) physically escrowed somewhere like a safe-deposit box.
But it is a whole lot of extra work to set up and maintain long-term, even with the best intentions.
+1 for Authy. Just get a used cheap Android phone for like $30 and use it as the backup device for Authy and never fear about losing your 2FA device again.
Does Authy actually offer 2FA? It sounds like the security boils down to your encryption passcode used to encrypt the 2FA secret, so you aren't actually using 2FA at the end of the day.
For personal use it probably is a good compromise for services which don't implement 2FA properly (that is to say, services that don't allow you to register multiple 2FA devices.) But realistically you might want to just disable 2FA and rely on your password manager.
I'm not sure what you meant by this, Authy certainly provides TOTP, and the encryption password is only used when you need to sync the 2FA secret to other devices, which by the way also requires confirmation using SMS to your phone number as well.
I usually take 2FA to mean that you have to use two of (something you have, something you know, or something you are.) If the "2FA secret" (TOTP secret?) is stored on multiple devices it doesn't actually prove ownership of "something you have" it's effectively no different from a password stored within a password manager which is considered simply "something you know." So basically the TOTP secret is a second password with some obfuscation that protects the password. But software running on one of your devices could easily steal the secret.
It does seem like this is somewhat more secure, in some sense, but it weakens the security that TOTP is intended to provide.
TOTP has always been a second password (heck, it's in the name). If you know the secret and the algorithm you can do the maths yourself in theory without needing any hardware, so in theory it can always be considered "something you know", even without all the syncing stuffs from Authy.
In any case I don't see how the Authy password can weaken TOTP. It's not like there's a webpage out there where you can enter the Authy password and it will give you back the TOTP secret for a specific user. It's only used to decrypt the TOTP secret if you choose to sync that secret to another new device, which again requires SMS verification, PLUS confirmation from an existing device, PLUS you need to have the sync capability setting enabled (so you can always sync the TOTP to your backup device first then disable the sync setting to prevent additional devices being synced).
Or just copy your TOTP codes to a second device without going via the internet.
I'm annoyed Google Authenticator makes it so easy to transfer accounts to a new phone, how will you know if someone's cloned your TOTP private key while you were sleeping?
Password managers such as 1Password and Bitwarden can save and fill in TOTP codes. Maybe not perfect security but a big win for convenience and loss prevention.
I have received advice from way to many people to not use your password manager as a 2nd factor be ause 1) It's actually become the only point if failure (your pw getting hacked). 2) Both factors protected and saved on the same spot
1Password in particular encrypts your vault with your master password and importantly an additional 128 bit secret key that is meant to be kept somewhere physically (e.g. in your safe). This key is needed the first time your vault is decrypted (e.g. a new device)
An attacker would need to have access to all of the following:
a) your encrypted vault
b) your master password
c) an 128-bit secret key
in order for the fears you've outlaid to be realised.
Really the only attack vector I can see is a physically compromised device (brute forcing is out of the question). In which case, they'd still need to somehow know your Master password and you're no more vulnerable considering your OTP is likely to be in an application on your phone anyway.
Since your own computer will typically have the vault unlocked, you don't need a+b+c. You can suffice with a circa 2000s Sony Music cd. Or any driveby malware, or malvertisement, etc.
Using the 2nd factor on another device as the first means attackers need to either compromise 2 devices, or compromise a single point higher up in the hierarchy (e.g., your google account).
If there’s malware on your PC that has complete access to your system memory you are screwed in every single way possible. I’m perfectly comfortable with having my OTP coupled with my passwords given this is the only real attack vector and requires an actively unlocked vault to expose secrets.
If this is the case, what’s stopping the malware from adding a key logger and MITMing your input to your bank’s website, Gmail or Coinbase?
> I also photograph the 2FA code or QR code and print it to a safe place.
This is really great advice.
I do something similar. I have a copy of the recovery codes (where possible) in an encrypted volume with multiple copies. Also printouts. The printouts have saved me once already.
Also, don't underestimate the utility of carrying around an encrypted SD card with things you want to retain access to!
I witnessed so many people lose access to their accounts because they wiped their phone that had an authenticator app, or they lost their physical 2FA tool.