undefined | Better HN

0 pointsdnr9y ago0 comments

I recently turned on 2FA on a bunch of accounts (nine total) and ran into the same problem. My solution was to save the initialization QR codes and print them on a piece of paper (actually three copies, stored in separate locations). This involved a bunch of screenshotting and messing around in gimp and was in general a big pain. But if my phone dies, restoring my 2FA setup will be much simpler than using backup codes: I just have to scan codes; the account providers aren't involved at all.

(I do also keep a few backup codes for the most important accounts in my wallet.)

I know Authy can back up 2FA state to their own cloud, but it's unclear how secure this is: they let you restore codes onto a new phone with the same number, and apparently even to a brand new phone (https://www.authy.com/phones/change/). So it seems like stealing a phone number would allow an attacker to steal 2FA codes stored in Authy.

(What I'd really like is a TOTP app that let me back up its state into a single giant QR code or a small file that I could print out in hex and scan+ocr later.)

0 comments

AdmiralAsshat9y ago

>So it seems like stealing a phone number would allow an attacker to steal 2FA codes stored in Authy.

You're required to set a password on your Authy database before you can start adding tokens to it. So when I transferred my Authy database to a new phone (had to send in the old one for a replacement), I had to confirm the password before it would sync to the new device. Authy also bugs you about once a month to confirm your password phrase to make sure you don't forget it.

Additionally, you can set a PIN that Authy will prompt you for any time you try to open the app. I have that set, as well, so that even if someone should get past my lockscreen, they can't reach my 2FA tokens without another PIN.

twr9y ago

> You're required to set a password on your Authy database before you can start adding tokens to it.

That's not true. Passwords in Authy are for backup, which is optional. Backup synchronizes offline TOTP secrets between paired devices. Only the offline TOTP secret is encrypted; the token name is not.

"Authy Account" secrets, the ones created by the Authy API, used by Coinbase, Cloudflare, et cetera, are always stored remotely, and can be restored without-password to anyone with possession of your phone number and email account.

I wrote about this a little over here:

https://news.ycombinator.com/item?id=12603380

__david__9y ago

I did a similar thing except I converted the QR codes to unicode-art and saved them in a GPG encrypted file. It's probably not as safe as hardcopies in a safe, but it's more convenient (and it was fun reading QR codes out of a terminal window).

Authy makes me a little nervous (since it's closed source and I can't be sure exactly what they are doing), but at least they claim to encrypt the keys on the phone before they put them on their servers. They state on their site repeatedly that if you forget your encryption password the keys are gone and they can't do anything about it.

j / k navigate · click thread line to collapse