On Sun, 1 Sep 2024, Viktor Dukhovni via mailop wrote:
> The flaw for me is that TOTP involves using phone apps I don't know
> the provenance of, that back up the data in a format I don't know
> to my "Google Drive", which is the most protected place I'd choose.
> If the app I'm using stops being available, I don't currently
> have a good recovery plan. What do you use to keep your TOTP
> data safe and sufficiently portable between "devices"?
For Android I use "aegis", which allows exporting the TOTP data, so you can save
the file anywhere.
I save that file in my local linux box (and in a remote VPS), encrypted with
gpg, and have a script which decrypts it and dumps the current TOTP codes using
the "oathtool" program (debian: oathtool package).
This way even if my phone is not available, I can still generate the TOTP codes
using any standard linux box (or ssh'ing to that VPS). This is (to me) as
portable as it gets.
Hope that helps!
PS: in parallel to aegis I also save the TOTP data in my self-hosted Bitwarden
(vaultwarden) instance.
PPS: recent events have caused me to (re-)consider how to deal with me not being
"available" and e.g. my wife having to take over the (large, unfortunately)
number of accounts "protected" with 2FA/TOTP. It's a serious DoS issue that
everyone should consider and plan for (IMHO anyway).
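As an added example (not the poster's script, and not aegis or oathtool code): a stand-alone Python implementation of RFC 6238 TOTP that turns a decrypted export into current codes on any box with a Python interpreter, in place of the oathtool step described above. The export format assumed here is one `label<TAB>base32secret` per line, since the aegis export layout is not described in the thread.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_b32(s):
    """Decode a base32 secret as exported by authenticator apps (spaces and padding optional)."""
    s = s.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore padding that exports usually drop
    return base64.b32decode(s)


def totp(secret_b32, at=None, period=30, digits=6, algo="sha1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    at = int(time.time()) if at is None else at
    return hotp(decode_b32(secret_b32), at // period, digits, algo)


def codes_from_export(text, at=None):
    """Parse the assumed 'label<TAB>base32secret' export and return {label: current code}."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        label, secret = line.split("\t", 1)
        out[label] = totp(secret, at)
    return out


if __name__ == "__main__":
    import sys
    # Recovery-box usage, mirroring the gpg step from the post:
    #   gpg -d totp-export.txt.gpg | python3 totp_dump.py
    for label, code in codes_from_export(sys.stdin.read()).items():
        print(f"{code}  {label}")
```

The decrypted export is read from stdin so the plaintext never has to touch disk; the RFC 6238 test vectors (secret "12345678901234567890") can be used to confirm the implementation before relying on it.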
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop