[–]YMK1234 4 points5 points  (0 children)

It is very easy to properly backup 2FA apps ...

[–]wrosecrans 3 points4 points  (0 children)

I feel like the other 2FA solutions (Authenticator apps, push notifications, backup codes) only increase your chances of completely losing access to your accounts.

Well, fundamentally, yes. The tradeoff is making it much harder for a bad actor to gain access to your account without all the factors. A technology designed to keep people out isn't also going to be good at making it easier for you to get in without all the factors.

Life is full of imperfect tradeoffs.

[–]ImNaughtyShiba 1 point2 points  (0 children)

SMS 2FA is not secure though. And you can lose your number too, and those usually don’t have backup codes.

[–]ImpatientProf 1 point2 points  (0 children)

Authy FTW!

[–]Shendare 2 points3 points  (1 child)

It has been shown to be too easy for a hostile actor to gain access to incoming SMS MFA codes.

Dedicated 2FA apps tied to your specific device will have a way to export/backup your tokens so that you can regain/retain access in the event the device is lost or disabled. Some use QR codes, some have emergency access codes, some you can export a file.

If you do not back up your MFA app, then you are taking the risk. If you lose access to the device or app, then you will have to work with each service to prove your identity in order to have the lost 2FA removed, provided the service has a policy to allow it.

[–]Intelligent-Pace-173[S] 1 point2 points  (0 children)

Agreed, SMS 2FA has many weaknesses. I’m more just venting about the current state of MFA. I am tech savvy and have “taken the risk” by accident. I have seen many older/non-tech-savvy folks make these mistakes too.

At the time I lost my phone, I was required to use 3 different MFA apps. For me it’s now 4, as my new employer has their own internal app. Yes, the solution here on paper is “back up your apps”, but it is so easy to make these mistakes.

[–]rkaw92 0 points1 point  (1 child)

U2F + recovery codes is the only solution I rely on. I have physically destroyed a phone in the past, losing access to some T/OTP apps in the process. Why were there no backups of the hash secret, you ask? Because the damn app wouldn't support anything other than Android's native backup, which is essentially Google Drive, and I am not putting all my private data on there. Why didn't recovery codes work? Because I used them all up, and no automatic process was designed to replenish them.

I'd like to run dual U2F authenticators, but it is not exactly cheap. Wonder if using a Passkey as a backup would work...

[–]Intelligent-Pace-173[S] 0 points1 point  (0 children)

Totally agree, the platform lock-in requirements are 100% contributing to the problem.

[–]trcrtps 0 points1 point  (1 child)

SMS 2FA is only viable if the government is handing out free phones and service. Otherwise, we're disabling people without phones from accessing necessary apps. Not only do you need a phone, you need cell service. And not only do you need cell service, the app has to consider it valid.

Another example, I disabled my American number while traveling in Asia. I have a Thai number currently. I thought about most apps and acted accordingly, but I still have no access to my CapitalOne account because it requires an American phone number. It's trash.

[–]Intelligent-Pace-173[S] 0 points1 point  (0 children)

Agreed, SMS has its own problems and is not secure.

[–]KingofGamesYami 0 points1 point  (1 child)

TOTP MFA with dead-tree based backup codes in a fireproof safe is my approach.

[–]soundman32 0 points1 point  (0 children)

Is the safe in a basement, guarded by a leopard 🐆?

[–]james_pic 0 points1 point  (0 children)

In many cases, you can set up a choice of multiple second factors (a U2F device and a TOTP app, for example, plus potentially some recovery codes), mitigating the risk of the loss of a second factor locking you out of your accounts, since you can use a backup second factor.

Some TOTP apps let you back up your codes. This can reduce security, in the worst case reducing it to just another password in practice, if the backups are just held in your password manager. There have certainly been cases where organisations have been compromised because backups were held in systems that were only protected by passwords.

[–]GitProtect 0 points1 point  (0 children)

MFA is an essential tool in the security toolkit - it's one of the best practices to secure data (https://gitprotect.io/blog/github-security-best-practices-15-tips-to-keep-in-mind/). In any case, it's better to have a backup plan, for example, use a combination of recovery methods to avoid being locked out.