Most people are more likely to lose authenticator tokens (their phone, their yubikey) than be hacked by a sophisticated attacker
Password manager 2FA and SMS 2FA solve the threat model that most people live in
(Organizational security has a far different threat model)
silverwizard
in reply to Hypolite Petovan
Oh, no - attacking SMS 2FA is easy to just SIM hijack
I am talking about getting locked out because you accidentally lost your auth app
silverwizard
in reply to Hypolite Petovan
That's what I'm saying
You won't lose your phone number for SMS or password manager
Whereas losing a phone with a TOTP authenticator setup or losing a yubikey is pretty simple
Bob Jonkman
in reply to silverwizard
So far, every service for which I've registered TOTP (Twitter, Facebook, Mastodon) has offered recovery codes in case I lose my TOTP device. Surely that mitigates @silverwizard's loss model.
@hypolite
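Editor's note on the recovery-code mechanism Bob mentions: this is an added example, not code from the thread or from any of the services named. It shows the server-side half of what a recovery code has to be to mitigate the lost-device case: random, shown to the user once, stored only as a slow hash, and consumed on first use. The code format (two groups of five characters from a 31-symbol alphabet), the PBKDF2 work factor and the `RecoveryCodeStore` class are illustrative choices, not how Twitter, Facebook or Mastodon actually store theirs.

```python
import hashlib
import hmac
import secrets

# Alphabet without visually ambiguous characters (0/O, 1/I/l); 31 symbols.
# Chosen for this example; real services use their own formats.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = 10, groups: int = 2, group_len: int = 5) -> list[str]:
    """Return `count` random codes like 'q7hbk-3mzfp' (about 49 bits each at 2x5)."""
    codes = []
    for _ in range(count):
        parts = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(group_len))
                 for _ in range(groups)]
        codes.append("-".join(parts))
    return codes


def _normalize(code: str) -> str:
    # Accept what users actually type: upper case, spaces, missing dashes.
    return "".join(ch for ch in code.lower() if ch not in " -")


def _hash_code(salt: bytes, code: str) -> bytes:
    # Slow hash so a leaked table cannot be brute-forced cheaply; the codes
    # are short, so this matters more than it would for a 20-byte TOTP secret.
    # 50k PBKDF2 rounds is an example setting; a memory-hard KDF is better.
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, 50_000)


class RecoveryCodeStore:
    """Server-side record for one user: hashes only, each redeemable once."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.hashes: list[bytes] = []

    def enroll(self, codes: list[str]) -> None:
        # Plaintext codes are shown to the user once and never stored.
        self.hashes = [_hash_code(self.salt, c) for c in codes]

    def redeem(self, code: str) -> bool:
        """Consume `code` if it is valid; return whether login may proceed."""
        candidate = _hash_code(self.salt, code)
        # Walk every entry with a constant-time compare instead of a set lookup,
        # so the time taken does not depend on which entry (if any) matched.
        matched = None
        for stored in self.hashes:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self.hashes.remove(matched)  # single use: a replayed code is rejected
        return True

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    codes = generate_recovery_codes()
    store.enroll(codes)
    print("show these to the user once:", codes)
    print("first use accepted:", store.redeem(codes[0]))
    print("replay accepted:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

The part that actually covers silverwizard's loss scenario is the user's side: the printed codes have to end up somewhere that is not the phone, and rate limiting on `redeem` is still needed because the codes are short.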
Bob Jonkman
in reply to Bob Jonkman
And I keep my password manager DB on several devices. Does that make me as weird as @silverwizard?
@hypolite
silverwizard
in reply to β w chance of bears
Yeah, I just only have the option of Google TOTP which squicks me, or Yubico TOTP which needs a key, so uh, kinda fails the access test
But also - I am *far* more likely to lose a phone than be hit by SIM swapping (to be clear - only because I'm a dumbass)
β w chance of bears
in reply to silverwizard
Yeah, most of my TOTP tokens are mirrored across my Yubikeys largely to save headaches when changing phones. I have one on Entrust's app that I can't do that with and the couple of times I've had to move it were a pain finding the instructions again.
But using Yubico TOTP also basically primed me for "password manager TOTP is functionally the same as Google TOTP but with the convenience of device portability"
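Editor's note on why "mirroring" a token across Yubikeys or into a password manager works at all: this is an added example, not code from the thread, from Yubico or from any authenticator app. TOTP (RFC 6238) is just HMAC over the current 30-second counter with a shared secret, so every device or vault provisioned with the same base32 string is an equally valid authenticator, and a password manager holding that string has exactly what the Google Authenticator app holds. The example implements the standard algorithm plus a server-side `verify_totp` with a skew window; `new_secret` and the `window` value are illustrative choices.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Base32 as shown next to provisioning QR codes (spaces, lower case, no padding)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), at_time // step, digits)


def new_secret(nbytes: int = 20) -> str:
    """What enrolment hands out; every device or vault given this string is an authenticator."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def verify_totp(secret_b32: str, code: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the current step plus `window` steps either side for clock skew."""
    ok = False
    for skew in range(-window, window + 1):
        expected = totp(secret_b32, now + skew * step, step, digits)
        # Check every candidate; constant-time compare and no early return.
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


if __name__ == "__main__":
    secret = new_secret()
    now = int(time.time())
    # "Mirroring" onto a second YubiKey or into a password manager is just
    # provisioning the same secret again: both sides compute the same code.
    phone_code = totp(secret, now)
    vault_code = totp(secret, now)
    print(secret, phone_code, vault_code, phone_code == vault_code)
    print("server accepts:", verify_totp(secret, phone_code, now))
```

The flip side, which silverwizard raises next, follows directly from the same fact: whoever can read the secret out of the vault is also an authenticator, so password manager TOTP collapses the two factors into one store.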
silverwizard
in reply to β w chance of bears
Well, the issue most people have with password manager TOTP is that then if your password manager is compromised, then your password is
And the answer to that is "it's complicated" - but yeah - in a perfect world we'd all have two security keys, and one is kept in a secure location and one is kept in a wallet/keychain - but that's not feasible (says the man with that)