> TOTP is not much better than SMS-based 2FA. It's still vulnerable to phishing, local device malware (that attacks your TOTP in your password manager), etc. It's best to use hardware tokens everywhere that support them, and both Google and GitHub do. (And Google supports a special hardware token only mode which I wish more sites would adopt.)

Since this device doesn't actually have network connectivity he might have this problem potentially when someone is watching his watch with a camera, or if someone is able to do something in his close proximity, which means it absolutely is better than SMS-based 2FA and the phishing attack vector is different and if a person has access to him in close proximity anyway the cheap USB security doesn't offer anything(well not completely true, but almost) over this particular TOTP use case.

Security is kinda cool these days and everyone is a security expert, but just reiterating trained responses without actually thinking about the attack vectors is getting a bit annoying. It's as if it is cool to say the most secure use case people can think of without even considering what and who it is that is actually protected and from whom.

TOTP is really vulnerable to phishing. Hardware keys are the solution.

Yeah, sure, but then again a watch on your wrist is harder to take away than a hardware key on your physical keychain that you don't pay attention to.

EDIT: yes, lol, thank you for explaining what phishing is jgrahamc. We didn't know. I get that a lot of Americans and some Germans guard their car keys like an internal organ, but for a lot of people in the world a keychain is something you toss in an insecure place most of the time of the day.

Phishing doesn't require stealing the watch. It just requires me to type in a TOTP token on a phishing website. Very different threat model than physical access.

It may be easier to steal, but it should have some kind of minimal protection. It should lock out after a low number of failed pins, for example. The YubiKeys do this.

stealing watches is pretty trivial if you practice. but also TOTP is just more inconvenient than, say, the Microsoft authenticator with biometric confirm and server push, or a token you just press that's near your computer or phone. the fact that these can also help defeat phishing is just one more benefit.

Well if you want to look at specific attack vectors this one may have remote access issues based on what and where you store the source code. I'd guess OP knows what he's doing, but someone trying this with an accidentally open repo or comprised machine are possibly bigger risks here then with most other TOTP solutions.

Equally it has the hardware key flaw of being able to be physically stolen, but with no option of an additional lock, and more likely then most systems that you might leave the totp running so a camera exploit is a little easier then with an app maybe.

Not to say I think any of this is likely, and with the exception of a public repo mistake, it's probably a lot harder then an SMS exploit.

While I agree with your points regarding the security of TOTP / SMS, and I do push for hardware keys at work, I think a case could be made for a mixed use for "regular people".

Maintaining two hardware keys is an absolute PITA, especially if you go down the route of storing one off-site, hence not having it with you to enroll when you get a new account.

What I do, is use the hardware token as the "main" factor and use the TOTP if for some reason I don't have the token (I may sometimes forget it at home when I'm at my parents' house).

The point is that, since I usually have my key, if I'm presented with a Google or whatever prompt for a TOTP, I know something's fishy. I don't normally use that, so I'll investigate why that happens and won't just go ahead and type my code in there.

This needs to be repeated too. And developers need to be reminded that anything they secure with hardware keys absolutely needs to accept multiple hardware keys in order to mitigate loss or destruction of the first key.

Not so sure, for me I am going to forget to have the hardware device. I will probably lose it. I will forget to take it with me and then can't access things mobile. Or will take it out with me and lose it. Have enough stuff to keep track of! I would use hardware for some occasional use logins though.

Why is TOTP not much better than SMS? Someone can take over your phone contract to get those SMS messages by sweet talking your telco, but for TOTP they need to get hold of my device or get some malware onto my phone.

> TOTP is not much better than SMS-based 2FA. It's still vulnerable to phishing, local device malware (that attacks your TOTP in your password manager), etc.

It's still massively better than SMS-bases 2FA. Those vulnerabilities you list are all things that involve you or your device. You can take care to avoid them.

With SMS there are also vulnerabilities that don't involve you or your device, such as someone convincing your carrier to transfer your phone number to them.

SIM swap is real but rare, since it cannot be automated. It is also largely defeated by having a strong and unique password, assuming that your provider doesn’t use SMS as a single factor password reset option.

If you’ve got a strong and unique password then your primary concern should be phishing, which is the same for sms and totp.

> assuming that your provider doesn’t use SMS as a single factor password reset option.

That's a big assumption and one that is far from generally true.

Can you recommend any cheap USB security keys? I've looked in the past and cost has been prohibitive.

Cloudflare and Yubico are in partnership to provide YubiKeys at a discount:

https://www.cloudflare.com/products/zero-trust/phishing-resi...

Related thread: https://news.ycombinator.com/item?id=33020078

> Eligible customers must have an active zone or actively use Cloudflare Zero Trust.

US Google One users on a >=2TB plan should currently also have an offer for a free Titan key at https://one.google.com/benefits

I have a $50 yubikey nano plugged into each of my multiple-thousand-dollar computers, protecting my accounts containing/accessing client data worth millions.

If anything under $100 is too much to secure your account, just use SMS 2FA, or disable 2FA entirely.

Fwiw big players regularly give free keys to e.g. OSS maintainers. Dunno if it’s still active but Pypy has a program for maintainers of crates flagged as sensitive (or something like that), you can get two Titan keys courtesy of google.

I also have a pair of github-branded yubikeys from a long time ago but I don’t remember what that program was.

> cost has been prohibitive.

A titan is 35 or so, hardly prohibitive. And if you have access to anything important your company ought be glad to get you one or two, or yubis.

Have you looked into these? https://solokeys.com

I was a backer of the V2 and I think my order is now a year overdue. I don't really back things on kickstarter because I don't like to gamble, but this seemed like a sure bet. Turns out it wasn't.

Not them but I have stopped backing projects on Kickstarter, because I have been burned to the tune of $2,000+ (2016-17-ish currency conversion).

I got mine (and it randomly died so they sent me a second one). You still haven't received your first one? That sucks, they're generally very good devices (minus them randomly dying, I guess).

I got my solokeys v2. A bummer that they did not ship to some folks.

I like the yubico key that even has a pin code so if lost or stolen protects your TOTP codes

> which completely disables non-hardware 2FA

Does this make Google stop asking for my phone number?