Ask HN: How do you manage personal 2FA and password security?
I use Bitwarden with Aegis for my OTP codes (as often as SMS 2FA is avoidable) but have always felt completely secure that if I lost my electronics, I'd keep access to my information. Bitwarden had no 2FA, just a high quality password, so that could be relied on so long as I didn't take unnecessary risks on any device on which I access Bitwarden.
However, Bitwarden just warned me they'll soon require 2FA and it got me wondering about a circular 2FA issue (since they suggested using email 2FA, which requires 2FA itself).
Should I store a USB key with my 2FA code strings from Aegis somewhere at my parents? Should I invest in 2 cloned physical (programmable) 2FA keys for accessing my master vault? Should I opt for FIDO2 keys?
What do you do?
5 comments
[ 2.8 ms ] story [ 8.8 ms ] thread> Should I store a USB key with my 2FA code strings from Aegis somewhere at my parents?
Using my parents as a sample, they have a fire-safe, and most of those work by keeping the temperature from getting too hot for paper to ignite, which is hotter than what will ruin a USB stick. (In fact, a melting/flaming USB stick inside might ruin all the papers near it too.)
So I'd consider printing it out on paper (large font, multiple times repeats?) and storing that paper instead. You could even lightly-encrypt it with some "I can decrypt this in a line of Python" method, if you're feeling extra-paranoid.
Out of curiosity, do you actually store a paper copy in their safe?
I use KeepassXC (not a remote service, so no 2FA) which is also wrapped inside an passphrase+AES encrypted .7z file, since I want to bundle it with other stuff like tax records.
In terms of backups:
1. Along with most of the rest of the disk, the .7z is backed up to a remote service, and I ought to have memorized the credentials for that buuuut I think I've forgotten.
2. I periodically make a copy of the encrypted stuff onto a rugged USB stick on my ever-present physical keychain. The USB stick also contains portable copies of the software needed for opening it. (Yes, there's an evil-maid-attack there if someone replaces those binaries.)
I figure this protects me from "apartment burns down" provided I can find a trustworthy computer to use. I might also be able to open it on my phone if I can find trustworthy apps.
The fundamental problem is that the Internet is not a "high trust" society, so security is onerous. There is no great solution. Sadly, passkeys are not an improvement.