I use the technique of taping a microSD card with copies of my passport, credit cards, 2FA backup codes, etc., encrypted, along with $100 to the bottom of my insole inside my shoe. Put them in a little "crack sized" ziplock, add lots of gaffer tape (so if you take the insole out it's not obvious, plus it makes it a bit waterproof) and if I ever get mugged, I have enough cash to get a cab (or depending on where I am, pay a bribe) and then find a computer I can use to get my info and figure out next steps.
Normally I carry a YubiKey with me (2, in fact, one on me, one in my big bag at my hostel / hotel). But if I get mugged between the airport and the hostel, then at least I have the shoe backup.
A third level is that my parents have a YubiKey and 2FA backup codes for me. They don't have my passwords, but in a pinch, I can call them to read me a code.
Not my idea. You can have a lawyer that has access to all your passwords, and designate a list of trusted people that can access them in an emergency.
If something happens, your friend calls the lawyer. The lawyer calls the other friends and, if enough concur, releases your passwords.
Depending on how technical you and your inner circle are, you can even have whatever secret the lawyer holds encrypted and a key preshared with your friends, so that the lawyer can't use it, or the secret is irrelevant if it leaks.
This is of course more relevant in a "you drop off the face of the earth" or "you are wrongfully or rightly arrested" kind of scenario.
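The lawyer-plus-friends arrangement above, as an added example that is not from any commenter: the lawyer holds only ciphertext, each friend holds one Shamir share of the key, and any threshold of friends can rebuild it. The 3-of-4 threshold, the SHA-256 counter-mode keystream and the sample secret are assumptions for illustration.

```python
import hashlib
import secrets

PRIME = 2**521 - 1  # Mersenne prime: a 32-byte key fits in one field element

def _eval_poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):  # Horner's rule, all arithmetic mod PRIME
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret, n, threshold):
    """Shamir split: secret is the constant term of a random degree-(threshold-1) polynomial."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0; needs at least `threshold` distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def keystream_xor(key, data):
    """Toy SHA-256 counter-mode stream cipher (unauthenticated; illustration only)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def escrow(plaintext, n_friends=4, threshold=3):
    """Lawyer receives `ciphertext`; friend k receives shares[k]. Nobody holds the key."""
    key = secrets.token_bytes(32)
    ciphertext = keystream_xor(key, plaintext)
    shares = split_secret(int.from_bytes(key, "big"), n_friends, threshold)
    return ciphertext, shares

def release(ciphertext, shares):
    """Any `threshold` friends pool their shares; with fewer, the result is garbage."""
    key = recover_secret(shares).to_bytes(66, "big")[-32:]  # 66 bytes covers PRIME
    return keystream_xor(key, ciphertext)

# Constructed sample: the "vault" the lawyer would release in an emergency.
SAMPLE = b"password-manager master: correct horse battery staple"
CT, SHARES = escrow(SAMPLE)
```

Two friends alone get nothing usable, and the lawyer's ciphertext leaking is harmless without the shares.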
Keep an eye on FRAM storage devices. Currently you can buy a USB stick with 8 KB of storage, but that storage is designed to last 200 years (and should at least survive a few decades). You can even recover the data off it with a soldering iron and a steady hand if needed. It would be a neat solution for keeping a backup code in a safe long term (maybe once the price drops to be competitive with a laminated sheet of paper).
Not GP, but my solution is to just not use 2FA if I can at all avoid it. After all, 2FA is 99% security theater anyway (if you have a randomly generated unguessable password in a decent password manager).
Very true. I would love to get a YubiKey. But if I set up everything with this and I lose it abroad, then I am f... Could get two and have one FedExed to me if SHTF, but I think I'll pass.
Even if you have unguessable passwords, the services typically have a way to reset that password. So if the attacker gains access to your email they could do a lot of damage.
3rd: Typically most services will allow you to reset your 2FA if you have access to your email or phone or whatever. Because, you know, people lose their 2FA.
You didn't expect a forum full of obsessive technology nerds to see through the nonsense cargo cult that is 2FA?
tl;dr: You only need a strong, well-kept password or 2FA. Doing both has extremely marginal security benefits.
Remember that 2FA happened like this:
- everybody's password is hunter2
- people's accounts get hacked left and right
- people contact support, this costs the company lots of money
- so company tries "strong password" rules
- people forget their strong passwords
- people contact support, this costs the company lots of money
- company enforces 2FA
- fewer people contact support
- less support work, company saves money
Now, none of these problems apply to people who always use random strong passwords and store them in a decent password manager. I'm not saying 2FA makes no sense from a business perspective, it totally does. Moves the hassles from the business to the user (and locks out poor people without phones trying to log in from a library computer, but they were never going to be generating a lot of revenue anyway so who cares right?).
But if you're not using "hunter2" and not forgetting your password, the extra security 2FA gives you is against nation-state level hackery only. An attacker would have to either MITM your https traffic or hack into your password manager vault. But if they can MITM your https traffic, they can capture your 2FA OTP as well when you fill it in, so you're already screwed.
This leaves someone hacking my password manager. But 2FA has recovery keys, for when you lose your phone/authenticator. If an attacker has this key, they don't need the second factor. So then it all boils down to:
- do I dare print out my recovery keys, put them in a drawer, not lose them in a move or a fire, not urgently need them while away from home?
- or would I rather put the recovery keys right there in the password manager, meaning I can access them when needed but when someone hacks my password manager, they can hack my life?
If you're in camp 2, like I am, 2FA adds no value. If you're in camp 1, 2FA can protect you against people hacking your password manager (but against nothing else).
I don't believe anybody, barring the extremely paranoid (for good or bad reasons), actually prints out their recovery keys. Ergo everybody's in camp 2 or worse (e.g. put the recovery keys in your Dropbox). Ergo, if you use a password manager with strong passwords, 2FA is 99% theater. The 1% is for the printer+drawer people.
I use 1Password as my 2FA app. They have a recovery kit you can print out and store in safe places, or if you have a device that you've previously set up, you can authenticate to your vault.
How do you deal with 2FA? Do you memorize a few of your backup codes?