• caglararli@hotmail.com
  • 05386281520

How am I meant to back up my second factors?

Çağlar Arlı      -    44 Views

How am I meant to back up my second factors?

I currently use MFA wherever possible. To do so, I mainly use the Google Authenticator app, as well as a YubiKey. However, I recently realized that backing these up is very, very difficult.

YubiKey

The YubiKey is used in two different modes - OTP and FIDO2. For OTP, a secret key was generated and has been backed up using a paper backup in multiple, physically distinct locations. It is very unlikely that all these locations will be compromised at the same time.

However, for FIDO2, the issue is that one key can't simply be "cloned" to another by design. Furthermore, I don't recall all sites on which I used my YubiKey as a second factor and ykman fido credentials list --pin ... returns an empty list.

Furthermore, authenticating with every single service and adding a new YubiKey really doesn't scale well with 20, 50, 100, 200 different services.

Is there a better strategy to prevent loss of access than to manually add a second (or third) YubiKey and just hope I didn't forget anything?

Google Authenticator

I've also recently tried to back up my Google Authenticator codes. While these can be exported and transferred to another device through QR codes, this really only works well when switching phones, i.e. when the initial phone is still around. The problem is that the "secrets" themselves can't be extracted easily, and that the app does not allow screenshots.

As a result, I can't "store" my authenticator secrets in a safe location (e.g. on an encrypted file) in case my phone breaks, gets stolen, gets teleported away during a resonance cascade, etc.

The best way I could find to "back up" my Google Authenticator keys is to photograph the screen of my phone with a second device, then store that photograph somewhere and "scan" the code again from a new device to import them again.

Is there a better strategy to prevent loss of access than to photograph a QR code?

In Summary

How can I effectively make backups of my MFA keys (TOTP, FIDO2) in a way that scales to tens, if not hundreds of services?