Ancestors

Written by Frank on 2025-01-31 at 13:08

Hey #infosec people, what is your solution for MFA that is recoverable and mostly disaster resistant?

Consider that many services allow you to only add 1 MFA token.

Prefs/reqs


Written by Ninad Pundalik on 2025-01-31 at 14:18

@fschaap Not the best approach*, but I use Google Auth (with cloud backup disabled) to store the TOTP, back up the TOTP setup string in a KeePassXC database, and sync that KeePassXC DB with Syncthing to other devices. Need to figure out recovery instructions for family though, ideally something with Shamir's secret sharing.


Toot

Written by Frank on 2025-01-31 at 14:34

@ni_nad Thanks for the pointers :-) I am going to skip over the Google app though. I was recommended Aegis and found FreeOTP(+) as TOTP apps to use.


Descendants

Written by Ninad Pundalik on 2025-01-31 at 14:47

@fschaap I'll check Aegis and FreeOTP too. I've had the Google app since forever, so it's been sort of a default choice.

