
This is similar to why enabling 2FA actually scared the heck out of me! I use a password manager to generate strong unique passwords, so I think the chances of someone getting in that way are incredibly low. But I can absolutely see myself losing all of my 2FA keys some day in a freak accident.


Nowadays the password managers can store the 2FA secrets and generate the codes as needed.

It kind of defeats the purpose of the second factor -- the password manager becomes it -- but at least it makes the services that insist on it happy.


Nowadays 2FA is always about something you know and somebody that vouches for you (SMS, email, whatever). Nobody seems to do any version of it that relies on you alone. So a password manager won't improve its reliability.


You are supposed to store the recovery key(s) in a secure location. Then if you lose your 2FA device, you can reset your 2FA from those recovery keys.


What secure location? My sock drawer? Or am I expected to go buy a safety deposit box? I'm really not that organized and I lose slips of paper all the time, it's a major reason I was drawn to computers growing up.


I keep mine in a file in a drawer. My threat model doesn't cover people breaking in and finding them as well as knowing my password manager's master password.


Sock drawer, wallet, locally on your computer, wherever. If the recovery keys are compromised, that really just downgrades your 2FA back to 1FA.


I’m not concerned about the keys being compromised, I’m concerned about losing them, since the idea is they’re unneeded for many years and then suddenly become essential.



