undefined | Better HN

0 pointsfoxyv11mo ago0 comments

Typically the way these codes are compromised is when they are stored in a non-HSM location like Google drive or transferred somehow. Then again, if you are just trying to keep people out of your Facebook account it's not a big deal. But if you are trying to keep people from financial accounts I wouldn't recommend transferring TOTP keys. Instead using a backup method like a printed out one time use sheet would be better.

Unfortunately most such websites use KBA or Text based authentication as a backup for TOTP so you may as well just stick it in Google drive.

0 comments

codalan11mo ago

It sucks Yubikey (or other hardware based auth) isn't more prevalent in the financial/banking world. It helps mitigate a lot of types of attacks:

- No tokens to exfiltrate off a computer

- Avoids keylogger style attacks

- More durable than cell phones

That said, for people that have high amounts of money in certain accounts (> 1m), it might also present physical dangers (e.g. kidnapping, home invasion) for thieves attempting to get access to the hardware key.

foxyvOP11mo ago

The rubber hose attack is always the most reliable and most dangerous method of breaching high value targets like this.

https://xkcd.com/538/

j / k navigate · click thread line to collapse