undefined | Better HN

0 pointsjjav4y ago0 comments

> If I wipe my phone, I have permanently lost all of my TOTP codes if I wasn't careful and backed them up manually before wiping...

Do not, ever, store the TOTP seed in your phone! At least not as the one and only location.

0 comments

5 comments · 2 top-level

g_sch4y ago· 2 in thread

I think this is good advice but it also shows why using TOTP as a default 2FA mechanism (instead of SMS) is a tough sell. How many people are set up to store a TOTP seed in a location other than their authenticator app? How many people even know what a TOTP seed is? I would wager that the vast majority of non-HN readers think of TOTP as a QR code that you scan into an authenticator app, if they are even familiar with authenticator apps.

SMS, for all its security shortcomings, is at least something that the vast majority of people understand already.

jjavOP4y ago

> SMS, for all its security shortcomings, is at least something that the vast majority of people understand already.

But of course SMS suffers of the same problems as naive use of TOTP: Lose your phone, you're locked out of every account you have.

So in the worst case, TOTP is as bad as SMS. But, with some awareness/education TOTP is far superior if the user doesn't fall into the trap of attaching the TOTP seed to a phone.

i.e. for the aware user, TOTP is far better. For the naive user, TOTP is no worse than SMS. Thus, always favor TOTP.

gabereiser4y ago

Email would be preferred. SMS shouldn’t be the default. If I lost my TOTP tokens, I should be able to go through a tougher path with an email verification step to get in to redo my tokens. What I don’t want is for them to send me an SMS to verify me. What if I’m in a different country? What if I don’t have cell service? What if I don’t have access to my phone and that’s why I’m rotating all my stuff?

netik4y ago· 1 in thread

why? what is your threat model that makes this a problem? are your passwords equally insecure?

pimterry4y ago

Somebody steals your phone. Now you have lost access to all TOTP and you can't log into anything with 2FA.

This isn't about an attacker getting access to your TOTP codes - it's about you losing access to them.

j / k navigate · click thread line to collapse