this post was submitted on 05 Jul 2024
208 points (99.1% liked)

Technology

59555 readers
3421 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] 9point6@lemmy.world 2 points 4 months ago (1 children)

(reposted from another comment mentioning aegis)

Interesting, I've seen this one before but it didn't seem like it would support my deal-breaker scenario—I still can't seem to see support for that on the readme, could you point me at some docs?

[–] kambusha@sh.itjust.works 2 points 4 months ago (1 children)

I think the suggestion here is to back up Aegis. I do something similar using Aegis + SyncThing.

I have a folder on my phone that is synced with my PC. Every so often, I will back up Aegis to that folder, and then it automatically syncs to PC.

[–] 9point6@lemmy.world 4 points 4 months ago (1 children)

Oh, in that case it's not quite equivalent, because my cloud storage is protected by the two factor code stored in my Authy OTP database.

I would still need to access the OTP database before I could access the cloud storage, which is where it would be stored in this scenario.

[–] WhatAmLemmy@lemmy.world 4 points 4 months ago* (last edited 4 months ago)

Forget your existing cloud. Your 2FA backup doesn't need to be protected by 2FA; just encryption and a strong/unique passphrase. Your 2FA backup can't be used to access any account on its own, without each password. Most OSS E2EE services allow you to create a free account; many without an email. Pick 2 for redundancy, create a NEW account, and set a NEW passphrase (like your 2nd "master" password). Before you transit upload your OTP backup to both of them.

This approach is probably more secure than SMS to access 2FA, especially vs a closed source provider like Authy, and especially if your 2FA export is also encrypted with a different password. If you're already using a password manager and unique passwords for everything, you're already 95% more secure than everyone else, and removed the primary need for 2FA (password reuse and theft). If you're doing everything else right, 2FA only makes you 5-10% more secure, and covers far less-likely threats (email takeover, MITM, etc). Sys admins have been raw dogging SSH and PGP keys every day without a 2nd factor, for decades.