Closed andydonzelli closed 2 years ago
I'm happy to open a PR and make the change. First I wanted to see if others agreed with my concerns about this suggestion.
Fully agreed, they should be stored separately. If you submit a PR, I will get it approved :)
Thoughts on the ideal place they should be stored? Probably on paper somewhere secure, or within an encrypted file/container.
IMO, paper should be the go-to recommendation for backup codes; they need to be physically, and literally, airgapped.
By their nature of being "backup" codes, chances are you aren't going to touch them, so they don't need to be stored in "hot" storage (i.e. digitally) for the benefit of fast/easy retrieval.
State which point should be edited or removed.
We should remove the suggestion that Backup Codes should be stored in a Password Manager. This suggestion appears in two places:
Justification
Backup Codes should not be stored in a Password Manager because the entire purpose of a 2FA code (including back-up codes, which are simply long-living 2FA codes) is that they exist separately from your passwords. 2FA is effective because even if an attacker gets access to your passwords, they additionally need physical access to something else in order to access your account. However, by putting Backup Codes in your Password Manager you are totally violating this primary purpose of 2FA.