Specifically, what is your preferred method of two-factor authentication, etc.?
Ian wrote:
OK, so... what I did was set up 2FA by SMS, but I'm not sure I'd describe that as my "preferred" method, it was more an "Oh, I don't have a TOTP app on my phone... I'll just use SMS, that'll do for now." And I kinda meant to change that at some point... but then I never quite did.
Albrecht wrote:
> I'm using FreeOTP (https://freeotp.github.io/) as I wrote before.
It's open source on GitHub.
> Rumors say that you can read out the "secret" from the phone though.
This may be a security issue (don't lose your phone).
I've been round and round the houses trying to decide how to proceed because
as I said, people have reported being locked out after overwriting recovery codes:
e.g. https://www.youtube.com/watch?v=LKGhViHLsbU
and there's also the hassle if you change/lose your phone.
As far as I can see, the commercial one-time-password tools/apps such as
Authy, 1Password, etc. lock you into their own encrypted vault system stored on
their central servers and you have to start from scratch, with recovery codes,
then disable and re-enable 2FA on each account if you ever want to change tools.
The one I have found that seems more flexible, but I could be wrong, is
Aegis Authenticator (https://getaegis.app/), another open-source tool.
Like FreeOTP it stores the vault locally on your phone, but Aegis also lets
you password-protect the vault, and export it elsewhere for safety.
I'm still hesitant about taking the plunge because the weakest part of the
system is keeping the recovery codes safe.
I'm wondering whether it will be enough to save copies of them in encrypted
folders backed up and in sync across several computers, hope that nobody
steals both phone and computer at the same time, and then use a password
that is "twinned with" the Aegis vault one on the phone so I won't forget it in
two years' time when I might actually need it, e.g. Laurel & Hardy :-)
Does anyone have a better suggestion? Or are you all using cloud-based
encrypted password manager systems anyway rather than relying on the
local system/browser to remember passwords for you?
D.
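Added example (not from this thread, and not code from FreeOTP or Aegis): a minimal RFC 4226/6238 HOTP/TOTP implementation in Python. It makes concrete the point behind the "you can read out the secret from the phone" remark: a TOTP code is a pure function of the shared secret and the clock, so whoever holds the secret (an unencrypted vault export, a backup, a thief with an unlocked phone) can produce the same codes as the authenticator, which is why the vault password and an encrypted export matter. The reference secret and expected codes are the published RFC test vectors; the base32 string is the form an app would show for that same secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"),
# used here only as a test vector; a real secret is random and never shared.
RFC_SECRET = b"12345678901234567890"
# The same secret as an authenticator app would display it (base32, unpadded).
RFC_SECRET_B32 = "gezdgnbvgy3tqojqgezdgnbvgy3tqojq"


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret from an otpauth:// URI or QR code.
    Apps usually show it without '=' padding, sometimes with spaces or lower case."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore padding to a multiple of 8 characters
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter,
    dynamic truncation to 31 bits, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check accepting +/- `window` time steps of clock skew.
    Uses a constant-time comparison so timing does not leak matching digits."""
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # Two "devices" holding the same secret produce identical codes: the
    # secret is the entire credential, so an exported vault must stay encrypted.
    phone = RFC_SECRET
    exported_backup = decode_base32_secret(RFC_SECRET_B32)
    now = int(time.time())
    print("phone :", totp(phone, now))
    print("backup:", totp(exported_backup, now))
    print("server accepts:", verify_totp(phone, totp(exported_backup, now), now))
```

The `verify_totp` window is the usual one-step tolerance; a larger window widens the interval during which an observed code remains valid, which is the trade-off a server makes against users with drifting clocks.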