Careless engineer stored recovery codes in plaintext, got whole org pwned (theregister.com)
5 points by Bender 13 hours ago | 4 comments

theamk 11 hours ago
The backup security codes are useful, but awkward, and I don't know how to handle them securely. Keep them in a text file? Malware might find that file, apparently. It might also get uploaded to a backup, etc. Keep them in a password manager? But my main password (nice and strong) is already there, so putting both in the same place would defeat the whole "2 factor" thing. Take a picture with a phone? This may be uploaded to the cloud automatically, and thus become accessible to an attacker. Also, those recovery codes are only needed if the main MFA (a phone) is dead. So far I think the best way might be to print them out (being careful not to save the file) and put them in my wallet. Let's just hope the copies are not left in the spooler dir or in the swapfile... Another option is to maintain a 2nd password manager just for the recovery codes, but in this case it won't be used often, so there is a good chance I might forget the passphrase...
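One concrete shape for the "separate store just for recovery codes" option discussed above, as an added example that is not part of the thread: the codes live in a small file encrypted under their own passphrase, so a stray copy in a backup, a cloud photo roll or a malware grab yields only ciphertext, and nothing is co-located with the main password manager. The example uses only the Python standard library so it runs anywhere: scrypt derives an encryption key and a MAC key from the passphrase and a random salt, HMAC-SHA256 in counter mode is used as the keystream, and an HMAC tag over salt, nonce and ciphertext is checked before anything is decrypted (encrypt-then-MAC), so a wrong passphrase and a tampered file fail the same way. The HMAC-counter cipher, the JSON container format, the function names and the sample codes are all this example's own choices; a real vault would use an established AEAD (AES-GCM or XChaCha20-Poly1305 via a crypto library, or a tool such as age) in place of the demo keystream. The "forget the passphrase" risk the comment raises is not solved here: the passphrase is the only way in, by design.

```python
"""Recovery codes encrypted at rest under a passphrase separate from the
password manager. Added example, not from the thread or the article.
Standard library only; the HMAC-counter keystream is a demonstration of
the encrypt-then-MAC shape, not a recommendation over a real AEAD."""
import hashlib
import hmac
import json
import secrets

# scrypt work factor: 128*r*n = 16 MiB, which fits hashlib's default maxmem.
SCRYPT = dict(n=2**14, r=8, p=1)
FORMAT = 1


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """scrypt -> 64 bytes, split into an encryption key and a MAC key."""
    km = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, dklen=64, **SCRYPT)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 driven in counter mode as a PRF keystream (demo cipher)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(passphrase: str, codes: list[str]) -> dict:
    """Encrypt-then-MAC the code list; fresh salt and nonce on every call."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    k_enc, k_mac = _derive_keys(passphrase, salt)
    plaintext = json.dumps(codes).encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"v": FORMAT, "salt": salt.hex(), "nonce": nonce.hex(),
            "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(passphrase: str, blob: dict) -> list[str]:
    """Verify the tag in constant time before decrypting anything.
    A wrong passphrase and a tampered file both raise ValueError."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    k_enc, k_mac = _derive_keys(passphrase, salt)
    expected = hmac.new(k_mac, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad passphrase or corrupted vault")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(k_enc, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def redeem(passphrase: str, blob: dict, code: str) -> tuple[bool, dict]:
    """Consume one code and re-seal the rest under a new salt and nonce,
    so the on-disk blob never reuses a keystream."""
    codes = open_vault(passphrase, blob)
    if code not in codes:
        return False, blob
    codes.remove(code)
    return True, seal(passphrase, codes)


if __name__ == "__main__":
    # Constructed sample codes, not real ones.
    sample = ["a3f9-k2qp", "77hd-m1zx", "qq0e-9b4r"]
    vault = seal("correct horse battery staple", sample)
    used, vault = redeem("correct horse battery staple", vault, "77hd-m1zx")
    print(used, open_vault("correct horse battery staple", vault))
```

Write the dict from `seal` out as JSON and that file is the thing you can let land in backups; the passphrase is what you keep out of the password manager. Because `redeem` re-seals with a fresh salt and nonce, consuming a code rewrites the whole file, which is what you want: a copy of the old file still decrypts the already-used code, but that code is worthless once the service has burned it.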
benoau 12 hours ago
Genuinely surprised this doesn't happen more often and not just from developers.