On Wed, Sep 4, 2024 at 6:47 AM Bernardo Reino via mailop <mailop@mailop.org> wrote:
> On Sun, 1 Sep 2024, Viktor Dukhovni via mailop wrote:
>
> > The flaw for me is that TOTP involves using phone apps I don't know
> > the provenance of, that back up the data in a format I don't know
> > to my "Google Drive", which is the most protected place I'd choose.
> >
> > If the app I'm using stops being available, I don't currently have
> > a good recovery plan. What do you use to keep your TOTP
> > data safe and sufficiently portable between "devices"?
>
> For Android I use "aegis", which allows exporting the TOTP data, so you
> can save the file anywhere.
>
> I save that file in my local linux box (and in a remote VPS), encrypted
> with gpg, and have a script which decrypts it and dumps the current TOTP
> codes using the "oathtool" program (debian: oathtool package).
>
> This way even if my phone is not available, I can still generate the TOTP
> codes using any standard linux box (or ssh'ing to that VPS). This is (to
> me) as portable as it gets.
>
> Hope that helps!
>
> PS: in parallel to aegis I also save the TOTP data in my self-hosted
> Bitwarden (vaultwarden) instance.
>
> PPS: recent events have caused me to (re-)consider how to deal with me not
> being "available" and e.g. my wife having to take over the (large,
> unfortunately) number of accounts "protected" with 2FA/TOTP. It's a
> serious DoS issue that everyone should consider and plan for (IMHO anyway).

Yeah, and if you really want to roll your own, TOTP is a standard with widely
available implementations, such as
https://github.com/susam/mintotp/blob/main/mintotp.py

And that PPS, yeah, the complexity of that is very challenging.

Brandon
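For readers who want to see what the "roll your own" option and Bernardo's oathtool script actually compute, here is an added example (not code from the thread, nor from Aegis, oathtool or mintotp) implementing RFC 4226 HOTP and RFC 6238 TOTP from the standard library only. It assumes the usual defaults (HMAC-SHA1, 30-second step, 6 digits) and a base32 secret as found in an otpauth:// URI or an app export; the drift-tolerant `verify_totp` is the server-side counterpart, included because a home-grown generator is only half the picture.

```python
#!/usr/bin/env python3
"""Minimal RFC 4226 HOTP / RFC 6238 TOTP generator plus a drift-tolerant verifier.

Added example for this thread; it is not code from Aegis, oathtool or mintotp.
Assumes SHA-1, 30-second steps and 6 digits unless told otherwise, and a
base32 secret as exported by authenticator apps.
"""
import base64
import hashlib
import hmac
import struct
import sys
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret the way apps export it: tolerate spaces, dashes,
    lowercase and missing '=' padding, all common in QR codes and backups."""
    s = secret_b32.replace(" ", "").replace("-", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30,
         digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(decode_secret(secret_b32), at // step, digits, digest)


def verify_totp(secret_b32: str, candidate: str, at: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6,
                digest=hashlib.sha1) -> bool:
    """Server-side check accepting codes from +/- `window` steps of clock drift.
    Each step is compared in constant time and the loop never returns early,
    so timing does not reveal which step (if any) matched."""
    if at is None:
        at = int(time.time())
    if not candidate.isascii():          # compare_digest needs ASCII str
        return False
    key = decode_secret(secret_b32)
    counter = at // step
    ok = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:          # counter is unsigned; skip pre-epoch
            continue
        expected = hotp(key, counter + delta, digits, digest)
        ok |= hmac.compare_digest(expected, candidate)
    return ok


if __name__ == "__main__":
    # Read the secret from stdin (e.g. `gpg -d secret.gpg | python3 totp.py`)
    # rather than argv, so it never appears in `ps` output or shell history.
    secret = sys.stdin.readline().strip()
    if not secret:
        sys.exit("usage: echo BASE32_SECRET | python3 totp.py")
    now = int(time.time())
    print(totp(secret, now), "(valid for %d s)" % (30 - now % 30))
```

The RFC 4226 and RFC 6238 test vectors (secret "12345678901234567890", base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) are the quickest way to confirm any such script, including one wrapped around oathtool, agrees with the apps it is meant to replace: at Unix time 59 the 8-digit code must be 94287082 and the 6-digit code 287082.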
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop