When I had 2FA enabled, using Google Authenticator, and had to reset my phone, I was locked out of AWS. No backup codes. No texting. Nothing. Had to send in a ticket and get a callback.
And this is also what makes Authy a terrible 2FA tool no one should use ever.
It stores your secrets in plain text on the phone without any secure enclave. If your backup password is sniffed, or there is a flaw in Authy, or your mobile OS sandboxing fails, you are toast.
Use the Yubico Authenticator app. The main difference is the (secured) storage of the shared secret. With Google Authenticator, your keys are stored on the phone.
With Yubico's authenticator, you store the secrets onto your Yubikey. This means you can reset your phone and still be able to use the same TOTP shared secrets. Or, if that matters, ask a friend to install the app and use your Yubikeys to get the TOTP.
Are you sure about that? My AWS 2FA authenticator code has been out of sync for a while and they offer multiple options to get around it. I've been receiving SMS codes easily, in fact I just did this a couple days ago. IIRC they also offered to call me.
Did you flip some bit somewhere to disallow this? Do you have a phone number set up?
Yep, it was a couple years ago. They asked questions, then disabled 2FA so I could just get in with a password and re-enable 2FA. No options around it. So possibly they've improved the process since then.
Storing password + TOTP together does leave you vulnerable if your vault is stolen/broken into, but I've gone all-in on storing them in 1Password because that's a trade-off I'm willing to make.
I used to do this. Then I realized I stored the backup codes in 1Password anyway, which are as good as using a TOTP. So instead of investing in another safe place to store the backup codes I decided just to go all in with TOTP in 1Password.
If my 1Password vault is breached, I am pretty much in a world of trouble as it is.
Just don't store your email password in your vault. You could probably quickly regain control of most online services if you retain control of the email you used to sign up.
Not me. I had the TOTP factors in my password manager for a while, and boy was it nice, but eventually I decided that was a risk I wasn't willing to take. I feel safer knowing that they have to break into at least two different apps.
I use Authy to manage my 2FA codes, but I rarely ever use the desktop app. I stick to my phone to keep a physical separation between my logins and my 2FA app.
I also started storing my backup codes as a base64-encoded, gpg password-encrypted text file in my password manager. If I ever lose my 2FA codes I can still get into my accounts in an emergency while also protecting myself from a password manager hack.
It's annoying, but as I said, I'm not willing to take the risk.
It's a tough call to make, isn't it? I just figured if they get into 1Password, I'm probably dealing with someone highly sophisticated and didn't stand a chance to begin with. I don't know yet. I might stick with keeping them on some physical device.
There’s zero authentication on the Google Authenticator app and it loses all its data every phone upgrade. That’s basically what everyone uses.
If someone gets into your 1Password it’s all over anyway.
That said, I pay for the standalone app and store my vault myself. I have no actual reason not to trust AgileBits hosting it, but they must be a huge target and I’m not taking my chances.