WingNews logo WingNews
top | item 45509546

(no title)

jwkerr | 4 months ago

Over the past few weeks I've been systematically migrating every one of my accounts to a domain under my control.

During the process I've been marking them in a spreadsheet with their 2FA status (no 2FA, TOTP, security key, etc.) and adding their passwords to a password manager.

This is all in case I ever need to go through the migration process again for whatever reason, or if I lose/break a Yubikey, I will know what I'm signed up for, and will know where to enrol my new Yubikey(s).

It really is a massive hinge for many people that isn't even really considered, most people's entire digital lives would be uprooted if they lost access to their email for whatever reason.

Thankfully that doesn't really ever happen to most "normal" people to my knowledge, since most just use Gmail, but I know it can and has happened through account bans or such.

discuss

order

EvanAnderson|4 months ago

Two factor tokens that can't be backed-up create stupid make-work.

Wouldn't it be great if Yubico let you back-up and restore a Yubikey?

It's maddening that they haven't come up with a reasonable way to allow a purchaser to register multiple Yubikeys to enable freely restoring backups between them. (Think of if analogously to buying multiple padlocks keyed the same from the factory.)

I'd prefer to be able to just set the same DKEK on the devices myself. Failing that I'd settle for Yubico being the arbiter. It would make the devices substantially more useful and less scary in loss / destruction scenarios.

Citizen8396|4 months ago

If the secrets are routinely copied or otherwise extracted, then it reduces their security value. What I recommend people do is buy two or more and set them up all at the same time. It is inconvenient though.

pabs3|4 months ago

Passkeys can be if you use KeePassXC to generate and store them.

TacticalCoder|4 months ago

> It's maddening that they haven't come up with a reasonable way to allow a purchaser to register multiple Yubikeys to enable freely restoring backups between them.

It is possible, using a cryptocurrency hardware wallet allowing to install tiny apps on the hardware wallets. These wallets are meant to initialized by a "seed" and there's a protocol to easily write down that seed (a list of words, all coming from a dictionary of 2048 words and the list of words contains a checksum in [part of] the last word).

Now from that seed, cryptocurrencies hardware wallet can derive any secret. And it's possible to derive a secret that's used like Yubikey.

So as long as you have your "seed" backed up somewhere, you can duplicate your 2FA key.

I did test the old U2F version, pre FIDO2/webauthn, using early Ledger Nano hardware wallets and it worked.

I think there's now a more recent version available but haven't checked that. A Ledger Nano S Plus, from their website, costs 70 EUR / 80 USD. I'd say it's not too pricey to try it and see if it could suit you. Check their available apps first and see if there's one that can simulate a Yubikey (or a similar 2FA security key).

I know HN loves to hate on cryptocurrencies but I'd say that at least the crypo-bros got the "you cannot trust your computer" part right. The attack surface of a cryptocurrency hardware wallet is not only minimal: it's minimal on purpose, built on the premises that computers were not devices to be trusted. They're literally built with the idea that they can be used on a compromised computer and you should still be safe, so there's that.