Ask HN: How many 2FA tokens do you have?
I currently have 43 TOTP tokens in an app.
That feels like a lot, and is starting to get unmanageable.
I also have a handful of services tied to a Yubikey. But I've no way of knowing how many.
So, how many do you have?
67 comments
[ 3.3 ms ] story [ 130 ms ] threadPassword-store features git push and pull so I keep my encrypted passwords and TOTP keys on a couple remote Git servers. Because I use passwords that I don't know for every service, the Yubikeys are really more about being a safe way to back-up and transport my encryption key. If I've got that, I can always decrypt my passwords.
Like, if you're at work and sign up to a new service - how do the other two get associated?
Sorry if that's an obvious question.
I mostly generate passwords and add entries to my password manager from a computer but I've got all the required public keys on each device so it's theoretically possible to manipulate the password-store from a phone or tablet as well.
Unrelated but no joke I have something like 600-700 accounts stored in LastPass
One service I use has four separate 2FA tokens to use with different service functions, and I have one account for me and one for my wife, so that single service accounts for 8 of 21 Authy tokens.
I try to avoid 2FA. I have other strategies around account compromise.
More via phone number 2FA as well!
And a lot of passwords saved.... my app doesn't give me a count. Probably need to look on desktop :-)
I manage them with this:
https://github.com/pcarrier/gauth
I also have a handful of yubikeys for more secure things.
I personally like to keep it in my iCloud account because I don't trust myself with keeping a private key for too long.
[1] https://webauthn.io
From the replies it sounds like this is talking about client software? An unattended client should not be able to do WebAuthn as the whole point is that a human is present and authorising the authentication step - this is part of its defence against remote attackers, if I have 100% full of Bob's device I still can't touch the sensor or button to authenticate as Bob.
However, if you mean the human is present and running command line apps, that's fine, definitely possible. The authenticator is typically a USB device, it speaks HID (like a USB keyboard or mouse) but a specific custom HID protocol for this purpose, you can get a library to help talk to it, and that's how OpenSSH works with Yubikeys.
Now, OpenSSH is specifically telling the authenticator "I'm SSH, not the Web" but for "Rubygems on the command line" you could choose either to say "I'm a web browser" or, you could say "I'm this custom rubygems on the command line thing" and that gets you public key signed messages that are unique to your thing, verifiable by a remote system as not "WebAuthn" but "Custom rubygem thing".
Apple and Google (for the Android ecosystem) actually do all this today for phones, if you use a Web browser you get WebAuthn, but from a normal phone app you can do the exact same Usernameless/ Passwordless login like WebAuthn, but using a custom per-app message that can't be impersonated by other apps on the same phone.
> From the replies it sounds like this is talking about client software?
Yes the command line is a client to the rubygems server
> An unattended client should not be able to do WebAuthn as the whole point is that a human is present and authorising the authentication step
You either need a PIN, a fingerprint, a press, or no action just owning the device or the software.
> if I have 100% full of Bob's device I still can't touch the sensor or button to authenticate as Bob.
If you have a perfect copy of a Yubikey or the same fingerprint you should be able to authenticate I think
> OpenSSH works with Yubikeys
Nice, I will look into it
The latter option shouldn't work for WebAuthn. The authenticator signs a message, saying basically "I promise I'm still me, whoever that is" and although it is nowhere near smart enough to understand the whole message (your browser wrote big parts of the message and it's just signing) it does understand a handful of bitflags it is signing. One of those flags is named UP (User Present) and the hardware should refuse to sign this flag unless it has seen some sign (like a touch sensor) that a human is present. UP is mandatory in WebAuthn, the remote server will (should) check it, and even though it's a single bit it was signed, so you can't change it.
However even if you don't want to actually do WebAuthn, most Security Keys always do UP, there is no way to tell them "Don't check your sensor", it's just mandatory. I think this is even true with the relatively expensive Yubico devices (but I only own some cheaper ones)
The next flag, UV, you can avoid, that's User Verified, which means a PIN, or a fignerprint sensor or something that demonstrates it wasn't just any old human it was apparently our owner, you don't need to require that and cheaper devices generally can't do it anyway.
> If you have a perfect copy of a Yubikey
There's no reason to be able to copy them. They're not intended to be able to be copied. You'll notice (if you have one) that there is only a "reset to factory" type feature, which randomises the guts. So, probably Yubico can't do it. Now, maybe if you've got a micro-electronics lab, the sort of place that reverse engineers modern chips to figure out how Intel or Apple or whoever did it, you could take a Yubikey to pieces, get the data out, and then make two clones that way, but first you need to steal the real one, for some period of time, and then put back one of the duplicates. Makes a good Hollywood plot, not sure it's realistic.
> or the same fingerprint you should be able to authenticate I think
You can't send the fingerprint over the network, the device looks at it locally, and only checks "Yup, that's the one I expected" before signing UV. So you need to send the actual finger. Now, maybe your attacker has a drone carrying a severed finger or something but we're getting pretty far away from teenager hacking thousands of accounts from their bedroom here.
Authy seems to sync between the 2 devices I have with it installed (which indicates that it's stored "in the cloud").
I always have second device mirroring the important stuff on my primary device. Usually my most recently replaced phone.
[1] https://github.com/tadfisher/pass-otp
[2] https://www.passwordstore.org
Reinstalling the app didn't seem to revive the tokens, last time I tried.
If it could be on multiple devices then I could set up an old phone and have it as a backup.
Edit: I’m wrong. You can sync two Authenticator apps using the same QR code during setup.
My BitWarden account is secured by Yubikey, of which I have two.
Knowing my passwords and 2FA are protected and backed up is a huge relief.
I guess this means that any attacker will need to compromise your keepass database rather than just one of your other passwords, but it would help avoid a potential "hosed" scenario.
Maybe you think you're more likely to lose your phone then leak your master password? Perfectly reasonable I suppose :)
My master password has hundreds of bits of entropy and only leaves my brain to enter it.
Most likely bad scenario is master password gets lifted from a keylogger and the database is stolen. I don't see what keeping the secrets in an app does to help that though.
[1] https://strongboxsafe.com/ [2] https://keepassxc.org//
EDIT: Exactly as petepete said. Multiple FIDO tokens like Yubikeys are supported.
Mostly cloud services, version control, email.
The things I hate about the 2FA process:
1) requiring a phone number, especially only having SMS for 2FA like my foreign bank (I've reported the issue with SIM swapping with them on support and in person, but considering their system still isn't UTF using a very old encoding so I can't even type a comma in a message without errors, I'm not holding my breath)
2) not offering WebAuthn, especially as a big firm
3) Supporting specifically Yubikey and not FIDO2/WebAuthn
4) using some bullshit closed-source wrapper around TOTP like Symantec VIP that doesn't have a Linux client and requires me to use some random Python script to get spoof a Mac system to get a code (thanks Schwab)
If Symantic wants to see TOTP as a service that's fine, I guess, but I just picture an astronaut with a gun saying it was just TOTP the whole time. Meanwhile they try to sell hardware keys around the obscurity layer of their product.
Well, two, technically, but I'd lost them long ago.
https://www.mymooltipass.com/
They are getting a bit hard to handle mostly because my app (authy) doesn't have a good enough set of icons