Store your TOTP seeds on a Yubikey
TOTP is a very common method that websites
implement to provide a second authentication factor, and very often it is recommended to use the proprietary Google
Authenticator™ app on your
Android phone. For years, I've been using the great andOTP app available in
F-droid as a FOSS alternative, since I don't have access to the Play Store.
And yes, I know of Aurora Store, but I see it only as a workaround for
people with no Google account, rather than a true solution to Google's hegemony in the smartphone world.
In any case, the main problem with this application-based solution is well-known: a smartphone breaks easily.
I've been carrying mine since 2017, which is quite a long time for such a device, and it's now starting to fall apart,
with the screen already cracked, a battery life I can't rely on, and a protective case in a disastrous
condition that I find pretty pointless to replace given the state of the phone.
Long story short, the second authentication factor on my phone can die at any time, leaving me in a state where I can only use
my Yubikey on the websites I could activate it on, with no other
option than the recovery codes for the rest. This is pretty bad, and I
wonder how
people who don't have Yubikey-like solutions do when they drop their phone from a bit too high...
Solutions to that are multiple:
Moreover, the last solution is very easy to set up, thanks to Yubico's nice work:
Both pieces of software are cross-platform, easy to install, packaged in most distributions, and their UI is pretty straightforward. They allow me to set a password protecting access to the codes (a Yubikey can still get stolen!), and I've yet to find the limit to the number of seeds I can store (currently 19!).
Another nice use case for this is providing TOTP-protected OpenVPN access to some people without the complexity of PAM-based or PIV-based solutions. OPNsense makes that server configuration very easy.
As a good friend reminded me, super top-notch TOTP becomes much less useful when you already have strong and unique
passwords everywhere through a password manager. So go use one! There are plenty available!
Still, 2FA doesn't hurt, particularly when you are the one enforcing it from an admin perspective: even if you generate
strong and unique passwords for your users, you can't rely on them to keep those safe indefinitely. Having their
access protected both by something they know and something they own is a welcome peace of mind for me.
Also, for some very important accounts, I'd say better safe than sorry, and I personally don't mind the extra security step.