Eating My 2FA Dog Food and Making it Taste Good
Disclaimer: I do not represent any organization. I am not promoting or name-shaming any products. All are my own groggy opinions after several nights without sleep.
Second Factor Authentication (2FA) for the win!!!
I’m a security software engineer. I preach using 2fa to my developer friends and family all day long. There is no argument about having 2fa to secure your accounts — it is effective at lowering the risk of having your account taken over by a malicious actor. Period. But that doesn’t mean it doesn’t come with a cost.
I possess around forty 2fa tokens for both personal and work usage, in a mix of hard and soft token form factors. The tipping point for me was when my Authy account failed to back up and sync across all my devices, and my tokens went out of sync during an account reset and refresh. According to the documentation, I had to delete everything from my devices, log out, and re-sync them. I cried internally, as I had a huge list of work accounts mixed with my personal tokens under my belt. I spent an entire week and many sleepless nights worrying and thinking about managing my 2fa tokens more efficiently, because I do not want to lose them. I hope this will help people who face the same issue gain some clarity.
In short, my issue was not managing my huge collection of personal and work 2fa tokens until I worried about losing them. My solution was to store my personal 2fa tokens in Krypt.co (Krypton) and keep an offline backup on YubiKeys + Yubico Authenticator. My work 2fa tokens are stored in Microsoft Authenticator + Authy.
My inclination was to split work and personal 2fa tokens into two logical, separate accounts or services. Through my limited research, no single app or service allows a user to select or toggle between profiles (to manage 2fa tokens) yet. Please let me know if there is such a service. I know LastPass has an “Identities” feature to toggle between identities and view and edit the password items scoped to that particular identity.
But how? And why? These are some of my considerations:
COST
Lucky for us, most personal-use 2fa apps/services are free, and that makes calculating cost straightforward! Enterprise versions are a totally different story. The apps I chose to store my personal 2fa tokens are free to use.
RISK
- I should not be storing 2fa secret keys in the same password provider (for me it was LastPass), as that would be putting all my eggs in one basket; if LastPass were to be breached, there goes my life
- Strong encryption with offline (local) storage is best
- The app or service has to be backed by a reputable company; avoid phishy (fishy) apps developed by unknown authors
CONVENIENCE
- Ability to sign in with push-to-approve
- Ability to transport, back up and restore 2fa secret keys easily
- Ability to integrate with CLI (for software development)
- Multiple devices would be awesome (but also increases risk!); multi-device support usually requires your secret keys to be stored in the cloud to sync up, which increases your risk because you now have to trust the cloud provider to keep your secret keys safe
Note: You will have to find your own balance between risk and convenience. Sometimes you just cannot have both, but try to be creative.
Pro Tip: Apple devices can copy and paste to other Apple devices with Universal Clipboard.
This is really convenient, as I can copy the 6-digit TOTP from my iPhone and paste it (CMD+V) directly into my MacBook’s browser.
I have about 15 personal 2fa tokens and 20–30 work 2fa tokens. The easiest way out for me was to move the fewest tokens out of the existing mess. So I chose to move only my personal ones out of Authy while minimizing the effort needed for work 2fa tokens. (Hey, I ain’t got time to do this migration shiz again.)
Since I already have all of my work 2fa tokens in Microsoft Authenticator (integrated with work SSO) and Authy, I chose to keep them there as is. Microsoft is supposedly “enterprise approved” too, so why not?
I chose Krypt.co to store my secret keys locally; it can also export the secret keys. Then I periodically import them into a YubiKey as my offline backup.
I love that Krypt.co has push-to-approve sign-ins for common platforms like GitHub, Google and Facebook, which is a huge win for me. In addition, it also has some cool CLI integration that I have YET to try out, but I see some potential for engineers like me who require SSH credentials with 2fa (with the implementation of all the latest tech buzzwords like DevSecOps, Zero Trust, SRE, etc.).
My thoughts for organizations
Organizations should issue hardware tokens, keys or a separate device to manage 2fa tokens for employees, and not rely on them to manage their 2fa tokens effectively — some people cannot even manage their 1fa (passwords) for nuts to begin with. Usability is key. No user — no ability.
Feel free to drop me a comment!