
codalan | 9 months ago

It's only a security issue if you don't secure the cloud storage that's used for backups.

Google Authenticator and some other 2FA apps allow the user to export their tokens to other apps so you don't need to redo TOTP on every website.

The most secure method is to only have tokens on the 2FA device and to avoid using TOTP backup/restore altogether (or manually copy the tokens on a secondary 2FA device). It's a tradeoff between security vs. convenience.


WorldMaker | 9 months ago

I think Microsoft Authenticator is the smartest right now because it's a "two-cloud" solution partly out of necessity, but also that seems a trustworthy architecture more generally. Since almost no one's phone runs Windows anymore, the raw app data backups "naturally" go to either iCloud or Google Drive. Then Microsoft keeps other (HSM) decryption keys in OneDrive. The threat model requires compromises of two clouds, so Microsoft Authenticator can be way more generous on how often and easily it backs up. It's an interesting point in the security vs. convenience tradeoff.
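
An added example (not code from any commenter or from Microsoft) that models the split WorldMaker describes: the raw backup sits in one store and the key needed to read it in another, so a single store yields nothing. The TOTP secret is the RFC 6238 test vector, and the XOR one-time pad is an assumed stand-in for whatever encryption the real product uses.

```python
import hmac
import hashlib
import struct
import secrets

def totp(secret: bytes, for_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a raw secret at a given Unix time."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def split_backup(secret: bytes) -> tuple[bytes, bytes]:
    """Two-store backup: 'blob' goes to store A (app data backup), 'key' to
    store B (the separately held decryption key). The key is a fresh random
    pad of the same length, so each share alone is uniformly random and
    carries no information about the TOTP secret. (Assumed model, not the
    product's actual scheme, which would use an HSM-held key and an AEAD.)"""
    key = secrets.token_bytes(len(secret))
    blob = bytes(s ^ k for s, k in zip(secret, key))
    return blob, key

def restore_backup(blob: bytes, key: bytes) -> bytes:
    """Recombine both shares; refuse mismatched inputs rather than guess."""
    if len(blob) != len(key):
        raise ValueError("backup blob and key do not match")
    return bytes(b ^ k for b, k in zip(blob, key))

def demo(at_time: int = 59) -> tuple[str, str, bool]:
    """Back up the RFC 6238 test secret, restore it from both shares, and
    confirm the restored device generates the same code as the original."""
    secret = b"12345678901234567890"  # RFC 6238 Appendix B test secret
    blob, key = split_backup(secret)
    # A compromise of store A alone gives only 'blob'; of store B alone, only
    # 'key'. Restoring needs both, which is the two-cloud threat model.
    restored = restore_backup(blob, key)
    return totp(secret, at_time), totp(restored, at_time), restored == secret

if __name__ == "__main__":
    print(demo())
```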

foxyv | 9 months ago

Yeah, the iron triangle of security, convenience, and privacy rears its ugly head again.