Viktor Dukhovni wrote:
> The flaw for me is that TOTP involves using phone apps I don't know
> the provenance of, that back up the data in a format I don't know
> to my "Google Drive", which is the most protected place I'd choose.
>
> If the app I'm using stops being available, I don't currently
> have a good recovery plan. What do you use to keep your TOTP
> data safe and sufficiently portable between "devices"?
Firstly, the raw data for a TOTP shared secret is a simple string, something like:-

OI2WA2TLPFTWOYTSGZSXG2LJPE

which is also presented as a QR code when enabling TOTP 2FA. When enabling 2FA, the text can often be got by saying one can't scan the QR code. The important thing is to have retained a backup of this raw data, in an appropriately secure/encrypted place. This backup is NOT used as part of any logging in.

As I choose not to have a smart phone, I use a Yubikey with Yubico Authenticator on my laptop (Linux Mint) as the primary TOTP client. This is configured to require a presence touch to generate the code. One issue with the Yubikey is that (by design: a good choice in my view, and one shared by many TOTP clients) one cannot extract the key. I therefore use OTPClient (https://github.com/paolostivanin/OTPClient) when first setting up 2FA. This can read/import both QR codes and the text version, and (more importantly) provides an export option to deliver a backup of all the codes held in text format (I use freeotpplus format). From that secure/encrypted backup, the key can then be imported to the Yubikey for day to day use. For smart phone owners, one could easily use an app on a smart phone instead of the Yubikey.

OTPClient is Linux only and has packaged builds for a number of distributions, some being part of the official repo. It does seem to be in active development. For Windows, Winauth (https://winauth.github.io/winauth/download.html) would seem to be a suitable alternative, although its development appears less active.

In summary, the approach is to back up the raw shared secret whenever setting up a new TOTP 2FA, separately from adding it to the client used for day to day operations. At its simplest, this could simply involve saving screenshots of the QR codes. This approach allows setting up the same TOTPs onto a different device/software combination in the future.

Hope this helps some folks...
Best wishes,
Matthew

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
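To make concrete why the raw base32 string (or the otpauth:// URI inside the enrolment QR code) is the only thing worth backing up, the following is an added example, not code from the post above nor from OTPClient, Yubico Authenticator or Winauth. It regenerates codes from a stored secret exactly as any client would, using only the Python standard library: RFC 4226 HOTP, RFC 6238 TOTP on top of it, and a parser/builder for the otpauth://totp URI format that QR enrolment codes carry (the Google Authenticator "key URI" layout, which mainstream clients import). RFC_SECRET is the published RFC test-vector key; the example label, issuer and secret strings are constructed for illustration.

```python
"""Regenerate TOTP codes from a backed-up base32 secret or otpauth:// URI.

Added example (not from the mailop post or any client named there).
Implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Test-vector key published in RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def decode_secret(secret: str) -> bytes:
    """Decode a base32 secret as shown on enrolment pages.

    Issuers usually omit '=' padding and may insert spaces or use lowercase,
    so normalise before handing the string to b32decode.
    """
    s = secret.replace(" ", "").strip().upper()
    s += "=" * (-len(s) % 8)  # restore the padding b32decode insists on
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the big-endian 64-bit counter, then dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time=None, period: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(key, int(for_time) // period, digits, algorithm)


def verify(key: bytes, code: str, for_time=None, window: int = 1,
           period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> bool:
    """Server-side check: accept the current step and +/- `window` steps for
    clock drift, comparing in constant time."""
    if for_time is None:
        for_time = int(time.time())
    step = int(for_time) // period
    return any(
        hmac.compare_digest(hotp(key, step + d, digits, algorithm), code)
        for d in range(-window, window + 1)
    )


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/<label>?secret=...&... URI (the QR code payload).

    Missing algorithm/digits/period fall back to the defaults clients assume.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "secret": q["secret"],
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def build_otpauth(label: str, secret_b32: str, issuer=None, digits: int = 6,
                  period: int = 30, algorithm: str = "SHA1") -> str:
    """Build the otpauth://totp URI: the portable text form worth backing up,
    since any client can import it (the same data a QR screenshot holds)."""
    params = {"secret": secret_b32.rstrip("="), "digits": digits,
              "period": period, "algorithm": algorithm}
    if issuer:
        params["issuer"] = issuer
    return f"otpauth://totp/{quote(label)}?{urlencode(params)}"


def code_from_uri(uri: str, for_time=None) -> str:
    """What a freshly re-provisioned client does: URI in, current code out."""
    p = parse_otpauth(uri)
    return totp(decode_secret(p["secret"]), for_time, p["period"],
                p["digits"], p["algorithm"])


if __name__ == "__main__":
    # Constructed example enrolment; the secret is the RFC test key in base32.
    uri = build_otpauth("Example:alice@example.com", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
                        issuer="Example")
    print(uri)
    print("current code:", code_from_uri(uri))
```

Two practical points the code makes visible: the secret that comes out of an export, a QR screenshot or the "can't scan" text box is identical input to every client, so any of them restores a working authenticator; and because the backup alone suffices to mint codes, it must be stored with the same care as a password, which is why the post keeps it encrypted and never uses it for day to day logins.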