All of my other apps automatically back themselves up, or Apple/Google backs things up for me. When I get a new phone or wipe my phone... after logging into all my accounts I fully expect my Authenticator app to show up on my home screen and have all my codes in there exactly as I left it before.
This is a huge pitfall for the unaware... you will lose all of your codes, and potentially access to whatever services or things they were protecting.
TOTP is not tied to any app. When you set it up, save the TOTP seed in a secure place that you control. There is no need to rely on any app, which would be too fragile to consider.
I consider Google Authenticator to be unacceptably bad.
We all agree SMS 2FA is not as secure as we'd like it to be... but no alternative exists. It's the classic sliding scale between usability and security. The most secure system is one you cannot use... and the most usable system is one with no security. We need something that is very usable, and still secure... perhaps a tall ask but that is indeed what we're after.
Until then... regular people will continue to use SMS for 2FA. We should be happy people are at least comfortable with SMS 2FA instead of not using 2FA at all.
I don't think that's a huge problem.
> No, it's tied to the app because the initial secret is destroyed after you set it up. Every single Authenticator App I've used (which is not all of them admittedly), requires manual backups - typically in some printed form.
I scan the QR codes with a normal code reader, and then put the information into keepassxc. I can view the secret, generate codes, do whatever, and it's all with decent open source stuff and stored in a file I can back up.