Best 2Factor Practices?

Currently looking into setting up a lockdown device for 2factor, and possibly cold storage for passwords and things.

What would be the best route to do this?
What are your fave auth apps?
Would saving this stuff on a specific machine work?
Laptop or a phone?

I will later probably buy a Yubikey and not think about this sorta stuff ever again, but atm I have a netbook that could work for this, an Android 2.2.3 phone doing nothing, and another phone that I am going to make into a wallet storage box, which for the most part runs Android 7. Technically 2 that run 7, but the other one runs a Russian ROM and I don’t trust it with much more than my podcast player.

Thanks for any recommendations.

Best practice is getting a standalone device like the Yubikey or a similar device.

The fact that they’re powered off when not in use and don’t have radios is a big part of why they’re more secure.

They’re also fairly cheap if all you care about is basic 2FA.

With OpenSSH’s latest release adding support for FIDO as well, I think it’s here to stay. I’ve started switching over from OTP-based auth, and suggesting privacy-aware friends pull the trigger on the devices, too.

2 Likes

I will also add that the FIDO2 standard that Yubikeys use is being pushed by Microsoft and Google for password-less login for just about everything. This includes Windows login, WebAuthn for password-less authentication to websites, and more.

Keep in mind that authentication is based on 1 or more of 3 concepts: what you know, what you are, and what you have. Each of them has something that it does better than the others, and each has significant drawbacks, which is why 2FA is really a big deal and should always use different concepts. For instance, using a locally stored password manager on a phone that also runs your authenticator app would be duplicating “what you have”, but if that password manager is configured to require you to enter a password that you don’t have stored anywhere, then you are using “what you have” and “what you know”.

All of that being said, the whole “what you are” part, which would be biometrics, I would tend to stay away from for now, since at least on the consumer side of things they have been very questionable as far as the actual security they provide.

3 Likes

I use Aegis for 2FA on my Android phone. The UI is nice, and you can use a password/fingerprint to unlock the codes. You can also import/export the key database if you change to a different app. It’s on F-Droid, but you need 4.4 or later to run it, so that rules out the one phone. (I don’t think 2FA was common back in the stone age before KitKat, so I’m not sure if you’ll find any apps that will run on 2.2.3.)

I wouldn’t want to put 2FA on my laptop, since I don’t always have it on me. Especially when I have to sign in to google docs on a school computer or something—I’m usually doing that because I don’t have my laptop on me. I also don’t think there are very many choices for applications, but I’m not positive about that.

A physical device (yubikey etc) is probably even better, but 2FA of any kind is definitely better than nothing.

This isn’t really a factor for me to be honest, but a good thing to keep in mind: when will or won’t I have the device available?

Yeah, not having the device on-hand is equivalent to forgetting your password. The other thing is that, if you don’t use a password manager, you’ll need to start, since you always get a recovery key to use if you lose access to the 2FA device. Putting the recovery keys in the same database as your passwords might defeat the purpose a little, but that’s a separate discussion. If something happens to whatever phone/laptop you use, you’ll get locked out of everything without the keys.

There’s U2F, it’s the standard thing lots of things support, including SSH as of very recently:

https://marc.info/?l=openssh-unix-dev&m=158166329402795&w=2

You can also use some of the USB keys to store GPG and SSH keys/certs.

Software / OS / “keychain software?” support can be quirky sometimes. The most common gripe everyone has is with support for multiple key devices. For example, you might have a key permanently attached to your computer to use for passwordless auth in your day-to-day stuff (e.g. to require an arm move and a touch when you actually want to use a key, and not leave your keys loaded and your keychain unlocked all the time), and then you have a second one to use for signing important new releases of software millions of people will download and install automatically next time they update, or to access your bank. Good luck with that… many people have this problem, I’m sure it’ll get resolved at some point.

Stationary or mobile?

If it is to be “stationary”, then some old PC / laptop / SBC without access to the network, even Win XP (because why not), with an encrypted VeraCrypt HDD. WinAuth for 2FA and KeePass for the password database.
Passwords in the head, key files on a USB medium.

Or something like what @wendell did, only more tuned for 2FA …

2 Likes