nipponese 5 days ago

The risk of not syncing — when you lose/reset your phone, so does your OTP app. If you don't have backup codes saved, you're cooked.

themafia 5 days ago | parent | next

> you're cooked.

I've lost 2FA codes. It's complicated but if you have a financial relationship with the vendor you're going to be able to get everything sorted out. I imagine as this happens more there will be common internal policies which aid customers in this situation.

You have to weigh the amount of potential hassle against the value of potential losses. Why you would have $100,000 of value stored somewhere and only secured by a loose-lipped third party app is beyond me.

traceroute66 5 days ago | parent | prev | next

> The risk of not syncing — when you lose/reset your phone, so does your OTP app. If you don't have backup codes saved, you're cooked.

Most clued-up places enable you to register a Yubikey as 2FA.

So then it doesn't matter if you lose your OTP app and your backup codes because you've still got a Yubikey.

(And those that don't allow Yubikey, almost certainly will have SMS as a secondary option).

jgilias 5 days ago | parent | next

You really shouldn’t use SMS 2FA. SIM swapping does happen. This kind of depends on the jurisdiction though. In some countries operators won’t reassign the phone number willy-nilly.

Still, better to just not do SMS auth. These days Yubikeys are not that expensive. Get three, register them all at the most important places, and put one at a parents’ place or similar.

traceroute66 5 days ago | parent

I agree entirely.

But the point I was making is that IF the website does not allow Yubi THEN SMS is almost certainly available, and you should use that as a backup mechanism.

Why? Some sort of backup mechanism is better than none at all.

ac29 4 days ago | parent | prev

> Most clued-up places enable you to register a Yubikey as 2FA. So then it doesn't matter if you lose your OTP app and your backup codes because you've still got a Yubikey.

And what happens if you lose your Yubikey or it stops working? You're back to needing backup codes or an additional 2FA device.

traceroute66 4 days ago | parent

> And what happens if you lose your Yubikey or it stops working?

That's why you own N+1 Yubikeys ;p

Any place that offers Yubikey auth will enable you to register multiple Yubikeys against your account.

In all my time on the internet I have only ever seen one place that allows Yubikeys but restricts you to one key.

Sayrus 5 days ago | parent | prev | next

Which is why most apps with sync have two sets of credentials: one to login on the platform and one master password for encryption. That helps in those scenarios.
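The split Sayrus describes, as an added example that is not part of the thread or of any particular authenticator app's code: one master password is stretched into a master key, and two independent subkeys are derived from it with distinct labels. The server only ever sees (a further hash of) the authentication subkey, so a database leak or a compromised server yields nothing that decrypts the synced vault. The salt, iteration count and label strings are constructed for the example; a real app would encrypt the vault blob under `enc_key` with an AEAD, which is outside this snippet.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed value for the example; pick the cost for the weakest target device.
PBKDF2_ITERATIONS = 210_000


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the user's master password into a 32-byte master key.
    The salt is stored client-side next to the vault and is not secret."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )


def split_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Derive two independent subkeys from the master key using distinct labels.
    auth_key is sent to the server to log in; enc_key never leaves the device.
    Because both are HMAC outputs under the same key, learning one reveals nothing
    about the other (the labels are assumptions chosen for this example)."""
    auth_key = hmac.new(master_key, b"vault-auth-v1", hashlib.sha256).digest()
    enc_key = hmac.new(master_key, b"vault-encryption-v1", hashlib.sha256).digest()
    return auth_key, enc_key


def server_enrol(auth_key: bytes) -> dict:
    """What the sync server stores: a salted hash of auth_key, never auth_key itself,
    and certainly never the master password or enc_key."""
    server_salt = os.urandom(16)
    verifier = hashlib.sha256(server_salt + auth_key).digest()
    return {"server_salt": server_salt, "verifier": verifier}


def server_verify(record: dict, presented_auth_key: bytes) -> bool:
    """Constant-time check of a presented auth_key against the stored verifier."""
    candidate = hashlib.sha256(record["server_salt"] + presented_auth_key).digest()
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    client_salt = b"constructed-client-salt"
    auth_key, enc_key = split_keys(derive_master_key("correct horse battery", client_salt))
    record = server_enrol(auth_key)
    print("server holds enc_key?", enc_key in record.values())        # False
    print("login with right password:", server_verify(record, auth_key))
    wrong_auth, _ = split_keys(derive_master_key("wrong password", client_salt))
    print("login with wrong password:", server_verify(record, wrong_auth))
```

The point of hashing `auth_key` again on the server is that a dump of the server database cannot be replayed as a login; the point of the label-separated derivation is that even a malicious server holding `auth_key` still has to brute-force the master password to reach `enc_key`.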

fortran77 5 days ago | parent | prev | next

Yes. There are other ways of syncing (I have images of the setup QR codes saved in an encrypted file) but most people wouldn’t be able to manage this.

jazzyjackson 5 days ago | parent | prev

An alternative to syncing is to add the TOTP code on multiple devices, so that losing one device is not catastrophic.