Ancestors

Toot

Written by Frank on 2025-01-31 at 13:08

Hey #infosec people, what is your solution for MFA that is recoverable and mostly disaster resistant?

Consider that many services allow you to only add 1 MFA token.

Prefs/reqs

=> More information about this toot | More toots from fschaap@mastodon.social

Descendants

Written by Skyglobe on 2025-01-31 at 13:33

@fschaap personally I use TOTP with Aegis ( https://getaegis.app/ ) on Android and KeepassXC ( https://keepassxc.org/ ) on PC. Both allow backing up and exporting the TOTP configuration and do not depend on third party servers for storage.

=> More information about this toot | More toots from skyglobe@hostux.social

Written by Frank on 2025-01-31 at 13:40

@skyglobe Thanks! Sounds good. I already use KeepassXC and Aegis is also available on Fdroid.

Any idea if you could store the DB on a cloud drive and connect to that with multiple devices like with KeepassXC?

=> More information about this toot | More toots from fschaap@mastodon.social

Written by Nils on 2025-01-31 at 13:49

@fschaap @skyglobe Aegis has an option to automatically create encrypted backups that you can save for example to your Nextcloud folder.

But as far as I can tell there is no easy way to sync it to another device, unless you want to regularly import those backups.

=> More information about this toot | More toots from thasl@social.tchncs.de

Written by Skyglobe on 2025-01-31 at 14:00

@thasl is right. There's no easy way to sync Aegis and KeepassXC unfortunately. At least none that I know. @fschaap

=> More information about this toot | More toots from skyglobe@hostux.social

Written by Frank on 2025-01-31 at 14:23

@skyglobe @thasl I'd rather keep them separate, for sure!

You can point multiple Keepass instances to the same DB on a Nextcloud drive. They will sync because they use the same DB.

That is what I was wondering with Aegis about: can you point multiple devices (pc/phone) to the same DB?

=> More information about this toot | More toots from fschaap@mastodon.social

Written by Nils on 2025-01-31 at 14:50

@fschaap @skyglobe I don't see any option to do that, and I also don't know of any other TOTP app that allows that. 2FA is most useful if the code is only locally available on a single device; I assume that is why.

Depending on how often you add new 2FA entries a manual import of the Aegis backup file might work for you - but you would need to import into another Aegis instance of course.

=> More information about this toot | More toots from thasl@social.tchncs.de

Written by Nils on 2025-01-31 at 14:53

@fschaap If you want to have the codes synced to your PC I would recommend the route @skyglobe mentioned, saving the secrets in a .kdbx (can also be a separate DB from your passwords), but that reduces usability compared to a dedicated app.

Also keep in mind, if your 2FA codes are available everywhere your passwords are available, the added security benefit is really small. A second factor should be as separate as possible.

=> More information about this toot | More toots from thasl@social.tchncs.de

Written by Nils on 2025-01-31 at 14:59

@fschaap @skyglobe Related blog post from @1password on storing TOTP credentials alongside passwords in a password manager: https://blog.1password.com/1password-2fa-passwords-codes-together/

=> More information about this toot | More toots from thasl@social.tchncs.de

Written by Frank on 2025-01-31 at 15:02

@thasl @skyglobe Exactly, I want to separate them as much as possible... but I do also have to be able to use them easily and on the road if necessary, so that's a hard one to crack ;-)

=> More information about this toot | More toots from fschaap@mastodon.social

Written by Jeremy Baumgartner on 2025-01-31 at 14:38

@skyglobe @fschaap I do this, but the KeePassXC vault for TOTP tokens and backup data is separate from my password vault, and requires my Yubikey token to open. It's purely meant as a backup to Aegis.

=> More information about this toot | More toots from jjbaumgartner@infosec.exchange

Written by Frank on 2025-01-31 at 14:42

@jjbaumgartner @skyglobe Yeah, 2 vaults is an option. What is your backup plan for the Yubikey? Multiple ones added and one in a safe?

=> More information about this toot | More toots from fschaap@mastodon.social

Written by Jeremy Baumgartner on 2025-01-31 at 16:48

@fschaap @skyglobe No backup for the key.

=> More information about this toot | More toots from jjbaumgartner@infosec.exchange

Written by Buttered Jorts on 2025-01-31 at 14:00

@fschaap doesn’t match your prefs/reqs at all, but I store most MFA in my password manager (1Password), with the exception of some critical accounts (including the password manager). I’ve accepted my password manager as a single point of failure w/r/t security, and make sure I only use it on trusted devices.

=> More information about this toot | More toots from ajn142@infosec.exchange

Written by Buttered Jorts on 2025-01-31 at 14:02

@fschaap not suggesting that as a solution to your case, just adding it as comparison point.

=> More information about this toot | More toots from ajn142@infosec.exchange

Written by Frank on 2025-01-31 at 14:24

@ajn142 Thanks! I know more people do, but it's not the solution I want to use.

=> More information about this toot | More toots from fschaap@mastodon.social

Written by Buttered Jorts on 2025-01-31 at 15:55

@fschaap best of luck with finding a solution that works for you!

=> More information about this toot | More toots from ajn142@infosec.exchange

Written by Harld on 2025-01-31 at 14:04

@fschaap KeepassXC for passwords and TOTP codes, Firefox with a plugin that links the two together.

Database on Nextcloud (own server) with keyfile+password, and an encrypted backup in Stack from TransIP (without the keyfile.....).

All passwords available on Windows, Linux and my Android phone.

=> More information about this toot | More toots from harld@masto.ai

Written by Frank on 2025-01-31 at 14:26

@harld I have a comparable setup for my KeepassXC... but I don't feel like having my TOTP codes in the same 'wallet' as the credentials they are supposed to give extra protection to. I got the tip about Aegis and that looks interesting. I'm going to play with it.

=> More information about this toot | More toots from fschaap@mastodon.social

Written by Harld on 2025-01-31 at 14:27

@fschaap Agreed about the TOTPs.

I used Authy for a while, but they no longer have a desktop app.

=> More information about this toot | More toots from harld@masto.ai

Written by Frank on 2025-01-31 at 14:36

@harld I see a Linux desktop app for Aegis in the AUR. Also in the AUR: a Nextcloud TOTP provider. Maybe you can build that stuff directly into Nextcloud?

=> More information about this toot | More toots from fschaap@mastodon.social

Written by Harld on 2025-01-31 at 14:39

@fschaap For Aegis I only see an Android app.

=> More information about this toot | More toots from harld@masto.ai

Written by Frank on 2025-01-31 at 14:41

@harld It's called avda-bin in the AUR. 'Desktop app for viewing on-time passwords generated from Aegis Authenticator backups.'

=> More information about this toot | More toots from fschaap@mastodon.social

Written by Cassandrich on 2025-01-31 at 14:08

@fschaap TOTP with the secret seed written down in multiple places on paper rather than locked in some awful Google app.

I actually made a shell script to do totp from secret in text file: https://github.com/richfelker/totp.sh

=> More information about this toot | More toots from dalias@hachyderm.io

Written by Frank on 2025-01-31 at 14:40

@dalias Yep, trying to skip the Google stuff as much as possible. The script is a bit too barebones for my usecase :-) Paper backup certainly is an (additional) option worth considering.

=> More information about this toot | More toots from fschaap@mastodon.social

Written by Cassandrich on 2025-01-31 at 14:42

@fschaap You can put the secret in authenticator/password manager programs too, but I like having a fallback I know will work without anything else.

=> More information about this toot | More toots from dalias@hachyderm.io

Written by Frank on 2025-01-31 at 14:49

@dalias Absolutely. I have some offline/paper backups. You still need the digital vault though for the offline secret to have any use. But you'll reach escape velocity on hypotheticals soon when trying to come up with more failure cases. I think I am going to formulate a couple of success cases and solve that situation :-)

=> More information about this toot | More toots from fschaap@mastodon.social

Written by Ninad Pundalik on 2025-01-31 at 14:18

@fschaap not the best approach*, but I use Google auth (with cloud backup disabled) to store the totp, back up the totp setup string in a keepassxc database, and sync that keepassxc DB with syncthing to other devices. Need to figure out recovery instructions for family though, ideally something with Shamir's secret sharing.

=> More information about this toot | More toots from ni_nad@mastodon.social
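Ninad mentions Shamir's secret sharing for family recovery instructions. As an added example (not Ninad's setup and not any library's API), this splits a raw TOTP seed into 5 paper shares of which any 3 reconstruct it, using a polynomial over the prime field mod 2^521-1; the function names and the share text format are constructed for this example.

```python
import secrets

# 2^521 - 1 is a Mersenne prime, so arithmetic mod PRIME is a field; a 20-byte TOTP
# seed (160 bits) fits comfortably as a single field element.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial with the given coefficients at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, shares):
    """Split `secret` (bytes) into `shares` points; any `threshold` of them reconstruct it."""
    s = int.from_bytes(secret, "big")
    if not 0 < threshold <= shares or s >= PRIME:
        raise ValueError("bad threshold/share count, or secret too large for the field")
    # The constant term is the secret; the other coefficients are uniformly random, which is
    # what makes any set of fewer than `threshold` shares reveal nothing about it.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares, length):
    """Lagrange-interpolate the polynomial at x=0 from `shares`; return the secret as `length` bytes."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(length, "big")


def share_to_text(share):
    """Render a share as one printable line (constructed format) for a paper envelope."""
    x, y = share
    return f"share-{x}: {y:x}"


def text_to_share(text):
    """Inverse of share_to_text."""
    label, hexval = text.split(": ")
    return int(label.split("-")[1]), int(hexval, 16)
```

The recovering party also needs the seed length and the otpauth parameters (digits, period, algorithm), so write those into the instructions next to the shares.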

Written by Frank on 2025-01-31 at 14:34

@ni_nad Thanks for the pointers :-) I am going to skip over the Google app though. I was recommended Aegis and found FreeOTP(+) as TOTP apps to use.

=> More information about this toot | More toots from fschaap@mastodon.social

Written by Ninad Pundalik on 2025-01-31 at 14:47

@fschaap I'll check Aegis and FreeOTP too, I've had the Google app since forever so it's been sort of a default choice.

=> More information about this toot | More toots from ni_nad@mastodon.social

Written by Patrick Schmitz on 2025-01-31 at 14:20

@fschaap I use Aegis on my phone, and let it write an encrypted backup. That gets synced to my computer via Syncthing. If my phone dies or needs replacing, I can simply restore that backup on a new device.

=> More information about this toot | More toots from schmitzel76@mstdn.social

Written by Frank on 2025-01-31 at 14:30

@schmitzel76 Thanks! Aegis was recommended and looks like a good solution. Wasn't Syncthing discontinued for Android?

=> More information about this toot | More toots from fschaap@mastodon.social

Written by Patrick Schmitz on 2025-01-31 at 14:46

@fschaap the Android app is nothing more than a wrapper/GUI for the background daemon. The official version was discontinued, but got replaced by https://github.com/Catfriend1/syncthing-android/wiki which is available on F-Droid.

=> More information about this toot | More toots from schmitzel76@mstdn.social

Original URL: gemini://mastogem.picasoft.net/thread/113923122384093623