undefined | Better HN

0 pointsBrian_K_White3y ago0 comments

You can duplicate the totp too. Either save the initial seed generated by the site(s), or depending on the app it may provide a way to export the seeds.

You don't go through the setup process on the sites again. The sites have no knowledge that you have 1 or 21 new totp apps set up. You just enter the saved seed keys into the app and it starts spitting out the same correct codes as the other apps you already had setup.

Gnome authenticator can export a json file containing the keys to all the sites you have in it. You can then take those (just manually read them in a text editor), and enter them into Google Authenticator on a phone, and now you have 2 working authenticator apps, both spitting out the same correct codes every 30 seconds.

Further, you take that same json and paste it into a note in a keepass record, or save the individual seed keys in individual site entries just like the passwords, and copy that keepass db file all over the place including cloud drives, and including places you can access without the totp.

Now you can reproduce a working authenticator from scratch on any device at any time no matter where you are and no matter what happens to your phone or laptop. Buy a brand new phone or laptop, have a way to get a copy of your keepass db without needing the totp app, and in a couple minutes you have a working totp app again.

You never really have to even use the single-use emergency bypass codes. Keeping copies of the initial setup seeds is really no different from keeping copies of the emergency codes, but the setup seeds reproduce a fully working app not just a one-time access to a site.

And even if some app doesn't provide an export like gnome authenticator, you can also just record the key the first time it is generated instead of just scanning the qr code. Once you've saved it, you can use it as many times as you want.

0 comments

4 comments · 2 top-level

mook3y ago· 1 in thread

If you're putting it in keepass anyway, you might as well use it (either the original C# one with plugins or KeepassXC) as your authenticator app. Mobile keepass applications support the same.

Brian_K_WhiteOP3y ago

keepass (xc, and Keepass2Android) can act as a totp app? And displays or exports the seeds? I am ashamed to say it never ocurred to me to even look!

I don't think my android app can do it. I don't see anything about it in the ui and no plugin about it.

Not at my laptop to check keepassxc, but I'll obviously look when I can, so the question was rehtorical. Just wanted to say "what?!?! what is this you speak of?"

roxgib3y ago· 1 in thread

The disadvantage of this approach is that you can't invalidate those devices individually - if one is compromised (i.e. lost), they're all compromised.

Brian_K_WhiteOP3y ago

I don't see hlw this makes any difference vs a single device.

If I only have a single device set up, and I lose that device, I still have to go to all the configured sites, only now without my auth app.

What prompted me to figure out how to clone the setup was when my phone screen broke while away from home, and 2fa enabled on both google and Ting.

I couldn't even just buy a new phone because how could I migrate the number? Luckily I never had to find out if Ting has an answer for that, since I was able to get the screen replaced without wiping the phone.

I wasn't really screwed because I did have recovery codes for Ting in keepass, and had access to that. And that would have allowed me to move my number to a new phone, where I could once again receive sms to recover everything else. But I did not have recovery codes for anything else, because I just didn't fully understand the process when I first set them up, so for a few other things, I was maybe almost screwed if I couldn't regain access to that one special golden device.

So, no more one special golden device.

j / k navigate · click thread line to collapse

0 comments

4 comments · 2 top-level

mook3y ago· 1 in thread

If you're putting it in keepass anyway, you might as well use it (either the original C# one with plugins or KeepassXC) as your authenticator app. Mobile keepass applications support the same.

Brian_K_WhiteOP3y ago

keepass (xc, and Keepass2Android) can act as a totp app? And displays or exports the seeds? I am ashamed to say it never ocurred to me to even look!

I don't think my android app can do it. I don't see anything about it in the ui and no plugin about it.

Not at my laptop to check keepassxc, but I'll obviously look when I can, so the question was rehtorical. Just wanted to say "what?!?! what is this you speak of?"

roxgib3y ago· 1 in thread

The disadvantage of this approach is that you can't invalidate those devices individually - if one is compromised (i.e. lost), they're all compromised.

Brian_K_WhiteOP3y ago

I don't see hlw this makes any difference vs a single device.

If I only have a single device set up, and I lose that device, I still have to go to all the configured sites, only now without my auth app.

What prompted me to figure out how to clone the setup was when my phone screen broke while away from home, and 2fa enabled on both google and Ting.

So, no more one special golden device.

j / k navigate · click thread line to collapse