The "Warn users not to save their QR codes" was to address the issue of users who might "Screenshot their TOTP QR codes and leave them lying in their Downloads folder". I don't see how that is necessarily applicable if, say, I print the QR code and save it in a safe deposit box, where I also have my FileVault recovery key and my 1Password Emergency Kit.
I also don't really understand the "Tell users to only provision one device" point. If the device is one like the gemalto thingy that we use at work to login to AWS, then sure, I can see why having more than one is bad for a given login. That shows the code to anyone who presses the button. If you had two, you'd need to keep both of them under your control at all times, and then there would be a decent chance that if you lost one or destroyed one, you would also lose or destroy the other at the same time, so having two might not even gain you much in reliability.
But what if the devices are my iPhone and my iPad and my Apple Watch? They have pretty strong protections to prevent a third party from using them if I lose them. The consensus seems to be that unless I'm targeted by a government, a lost modern Apple mobile device with a long passcode is not going to cough up its secrets.
(Well...at least an iPhone or iPad. I think Apple Watch defaults to automatically unlocking if you are wearing it and unlock your iPhone. That might be exploitable if the person in possession of your watch can put it on and arrange to be close to you when you unlock your phone. I wonder what the range is for that? Would it work through a typical office wall?)
None of those points above address what I said, nor should they because TOTP should allow for disaster recovery.
To allow for disaster recovery the keys used to generate the TOTP codes must be storable somewhere.
The article is creating a strawman by suggesting to screenshot QR codes and leave them in the downloads folder. It's perfectly reasonable to save keys in a secure manner.
It's also giving borderline bad advice of trying to engineer in an unrecoverable state should a single device fail. That's a poor suggestion to give under any circumstance.
Saving TOTP keys into a separate dedicated encrypted vault under physical security is absolutely a valid method of allowing recovery from a device failure.
If you're ok storing the TOTP key, you could just store a recovery code instead. Recovering an account is generally audited, so this is more secure than just provisioning another device.
My point is just that it's still a lot of effort to recover, and we're basically encouraging people to undo the benefit of MFA by storing the TOTP key/recovery code right next to the password they used to get through the first factor...
There's no functional difference between the two codes in terms of account access. And I dispute the claims of 'auditing'. No service cares. As long as you give a correct code then in you go.
So why use recovery codes and then have to keep them secure, with the drawback of re-setting up every lost account, when you can put the exact same amount of effort into storing and securing the original key and re-set up all accounts in a few minutes?
I speak from personal experience on this topic as to which is easier and how the effort to store and secure recovery/original keys is exactly the same.
>There's no functional difference between the two codes in terms of account access
Are you sure?
The last time I used a recovery code I got an email and my 2FA immediately stopped working.
If I have your TOTP key I can use your 2FA without you even knowing, even while you use it. It effectively gives me an unlimited backdoor into that account.
No, because I haven't tried every service. What I do know is that key services I have notify me of every single login that is made, so I'd know anyway.
Plus, one has to examine at which point back up the chain the problem might occur or be spotted.
In this instance you've managed to access my TOTP keys, which means you've hacked and broken the encryption on the password manager or you've got malicious code running on my device. Or you have physical access to a running and unlocked machine.
In either of those cases I'm already truly fucked.
I would imagine that any scenario where I managed to get hold of your recovery keys would involve the same things, so you'd be truly fucked.
So in that sense there's no functional difference in the way I have things set up for me.
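An added example, not from any commenter in this thread, to make the disputed distinction concrete: a minimal RFC 6238 TOTP generator and verifier (using the RFC's test-vector secret) next to a single-use recovery-code store. Every holder of the same seed produces the same code at any moment and the server cannot tell the copies apart, whereas a recovery code is burned on first use and each attempt can be logged; the `RecoveryCodes` class and its audit list are a constructed illustration, not any service's implementation.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix_time // step. Any holder of the
    same seed (phone, tablet, printed QR code, vault export) gets the same output."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check allowing +/-window steps of clock drift. Nothing here can
    tell which copy of the seed produced the code, so a second copy is invisible."""
    return any(hmac.compare_digest(totp(secret, at + d * step, step), code)
               for d in range(-window, window + 1))


class RecoveryCodes:
    """Hypothetical server-side store of one-time recovery codes (constructed for
    this example). Only hashes are kept, each code is accepted at most once,
    and every redemption attempt is appended to an audit list."""

    def __init__(self, count: int = 8) -> None:
        # Plaintext codes exist only here, to be shown to the user once.
        self.codes = [secrets.token_hex(8) for _ in range(count)]
        self._unused = {self._digest(c) for c in self.codes}
        self.audit = []  # (source, accepted) per attempt, for the owner or SOC

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def redeem(self, code: str, source: str) -> bool:
        h = self._digest(code)
        ok = h in self._unused
        if ok:
            self._unused.discard(h)  # burned: presenting it again must fail
        self.audit.append((source, ok))
        return ok
```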
- Documentation: Warn users not to save their QR codes
- Documentation: Tell users to only provision one device
- Documentation: Suggest TOTP applications that don’t support unencrypted export
Why are we telling people to use 2FA if we then immediately remove the security benefits by telling them to treat it like a password?