Re: [fltk.coredev] Re: [OT] github access for developers
Re: Re: [OT] github access for developers (Albrecht Schlosser, Nov 20, 2021)
 
On 11/20/21 4:24 PM duncan wrote:
> I wrote:
> > How do you now access your fltk forks at https://github.com/username/fltk ?
> > Specifically, what is your preferred method of two-factor authentication, etc.?
>
> Ian wrote:
> > OK, so... what I did was set up 2FA by SMS, but I'm not sure I'd describe that as my "preferred" method, it was more an "Oh, I don't have a TOTP app on my phone... I'll just use SMS, that'll do for now." And I kinda meant to change that at some point... but then I never quite did.

> Albrecht wrote:
> > I'm using FreeOTP (https://freeotp.github.io/) as I wrote before. It's open source on GitHub.
> > Rumors say that you can read out the "secret" from the phone though. This may be a security issue (don't lose your phone).

> I've been round and round the houses trying to decide how to proceed because,
> as I said, people have reported being locked out after overwriting recovery codes:
> and there's also the hassle if you change/lose your phone.

I watched the video. I agree that it's somewhat confusing if you create new recovery codes but don't complete the setup and these recovery codes are not valid (the old ones are still valid). OK, that's a warning. A good warning. But once you know that you should be able to do the right thing.

> As far as I can see, the commercial one-time-password tools/apps such as
> Authy, 1Passwd, etc. lock you into their own encrypted vault system stored on
> their central servers and you have to start from scratch, with recovery codes,
> then disable and re-enable 2FA on each account if you ever want to change tools.

Whenever I set up 2FA I'm trying to get the original values (secret, timers, etc.) from the output. GitHub, for instance, lets you continue w/o using the barcode in a "text mode" where you can see all setup parameters. You can also scan the barcode (of GitHub or any other system) with a standard QR code reading app and view the text which contains the setup. One way or the other, I store the parameters for myself in a safe place.

If it happens that you want to change your password / 2FA storage app you can access the original parameters and enter them into the new system. You don't need to set up 2FA on any system again to get *new* parameters and store those. Unless you don't trust your previous cloud provider and *want* to set up new 2FA parameters, which is a good choice anyway.

> The one I have found that seems more flexible, but I could be wrong, is
> Aegis Authenticator (https://getaegis.app/), another open-source tool.
> Like FreeOTP it stores the vault locally on your phone, but Aegis also lets
> you password-protect the vault, and export it elsewhere for safety.

> I'm still hesitant about taking the plunge because the weakest part of the
> system is keeping the recovery codes safe.

You can always print them on paper and store this in a safe outside your home for additional safety.

> I'm wondering whether it will be enough to save copies of them in encrypted
> folders backed up and in sync across several computers, hope that nobody
> steals both phone and computer at the same time, and then use a password
> that is "twinned with" the Aegis vault one on the phone so I won't forget it in
> two years' time when I might actually need it, e.g. Laurel & Hardy :-)

A piece of paper in a safe place ... (?)

> Does anyone have a better suggestion? Or are you all using cloud-based
> encrypted password manager systems anyway rather than relying on the
> local system/browser to remember passwords for you?

I don't trust clouds. I'm storing my passwords in a local password manager (KeePassXC) in an encrypted password database. I'm maintaining the database mostly on one system and copying it to other systems when I think I need it (new or changed passwords). This maintenance burden is the price I'm paying deliberately for not storing my passwords "in the cloud".

KeePassXC can also export all data to either csv or html. I'm doing this as well from time to time to be able to view everything. KeePassXC warns and asks for confirmation to store the data unencrypted. This is not an issue for me because I store it on an encrypted volume. I store backups of my encrypted files on several external disks (of course, encrypted as well).

Does this qualify as a "better suggestion"?

BTW: since KeePassXC can also store your TOTP (2FA) parameters and generate the tokens this can also be used to store the TOTP parameters in an encrypted database. But, of course, take care to not store both factors (password and 2FA parameters) in the same database that's unlocked with one password. Paranoia is greeting ;-)

PS: since you (Duncan) and Ian mentioned Aegis Authenticator I'll take a look at this too, thanks for the hint.

--
You received this message because you are subscribed to the Google Groups "fltk.coredev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fltkcoredev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/fltkcoredev/5e617505-d835-7248-c6ae-a05e8bc17727%40online.de.
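The setup parameters Albrecht describes reading from GitHub's text-mode page or from the QR code (secret, algorithm, digits, period) are exactly what an otpauth:// URI carries, and anyone holding them can regenerate the codes, which is why he warns against keeping them in the same database as the password. This added example is not from the thread or from any of the tools named in it: it parses such a URI and computes the RFC 6238 code from the stored parameters, using the RFC's published reference secret as a constructed input.

```python
"""Parse an otpauth:// URI and compute the RFC 6238 TOTP code it describes."""
import base64
import hmac
import hashlib
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote


def parse_otpauth(uri: str) -> dict:
    """Extract the setup parameters a TOTP app stores from an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("URI has no secret parameter")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"].upper().replace(" ", ""),
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", "6")),
        "period": int(query.get("period", "30")),
    }


def totp(params: dict, unix_time: int) -> str:
    """RFC 6238: HMAC over the time-step counter, then RFC 4226 dynamic truncation."""
    secret = params["secret"]
    # Base32 decoding needs the input padded to a multiple of 8 characters.
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = unix_time // params["period"]
    digest_fn = getattr(hashlib, params["algorithm"].lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digest_fn).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** params["digits"]).zfill(params["digits"])


# Constructed input: the RFC 6238 reference secret "12345678901234567890" in base32,
# wrapped in a URI of the shape a text-mode 2FA setup page exposes (label is made up).
EXAMPLE_URI = ("otpauth://totp/GitHub:someuser?secret="
               "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub")

if __name__ == "__main__":
    p = parse_otpauth(EXAMPLE_URI)
    print(p["label"], totp(p, int(time.time())))
```

Feeding the same parameters to this function and to the phone app side by side is a quick way to confirm that a saved copy is complete before relying on it for a migration.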