Paper backup through QR codes

[denilsonsa]

Some tools (like 1Password, or the 2FA recovery tools) have a printable page for recovery purposes. This is good because there is no risk of being hacked or leaking through any online cloud service.

Thus, what if Aegis could have a proper offline paper-based backup?

Current status

• Aegis can export an HTML page made of a tall and wide table with individual QR codes for each service. Although nice, it's very printer-unfriendly.
• Aegis can also export to Google Authenticator, by generating a sequence of QR codes.

Proposed solution

Aegis could export one HTML page so that:

• All the QR Codes suitable for Google Authenticator export/transfer are included.
• Additional QR codes for extra metadata specific to Aegis could also be included. (e.g. icon names, groups; but also Aegis settings)
  • Aegis could collaborate with other open-source 2FA tools (like AuthenticatorPro) to use a common format for the extra metadata.
• The layout of the page should be printer-friendly. Having a flexbox layout with each QR code as one flex item, with enough margin between each of the QR codes. This also means the real dimensions of the QR code can be dependent on the page width/height.
• The page should include instructions on how to import the data back into the app.
  • Possibly a QR code with the link to this repository, or to the Play Store, or to F-Droid, or some other useful landing page.
  • The QR codes should be scanned in order. Maybe the first QR code should be one with Aegis-specific information, so that Aegis will know it's reading an exported backup (as opposed to a plain Google Authenticator export).
  • Instructions could also explain which QR codes should be scanned into other apps (such Google Authenticator).
  • Instructions could suggest folding the paper, to make it easier to scan each QR code.

Complexity

I'm trying to keep the complexity relatively low, by reusing/adapting existing features:

• HTML page export because that's way easier to implement than a PDF export.
• HTML page export because there is already some code for embedding QR codes into a plain HTML page.
• Google Authenticator export because generating those QR codes is already implemented. And also because it's good for the user, letting them be free to import in whatever app they want.
• Multiple QR code scan already exists for Google Authenticator import. It needs to be extended to also import Aegis metadata.

Encryption (bonus!)

If you want to go extra mile, it's possible to implement encryption of the data, and leave an empty space at the printed page for the user to hand-write the encryption password. That increases security, but generates vendor lock-in (can't be imported into Google Authenticator-compatible apps anymore).

[scollovati]

I've created a script that does exactly this (plus a few extra things): https://github.com/scollovati/Aegis-decrypt

It's already working and tested. As a next step, I want that it outputs all QRCodes in a PDF file for easing the process of a paper backup.

[denilsonsa]

As a next step, I want that it outputs all QRCodes in a PDF file for easing the process of a paper backup.

@scollovati I see you already generate an SVG image for each QR code. It should be trivial to add them all together into a single HTML page (which can be printed). Thus, for simplicity, I suggest you exporting as HTML instead of PDF. You can certainly get it ready very quickly in HTML, and it's easy to tweak the layout and the instructions. PDFs are more annoying to build (and require extra dependencies).

[bad-co-de]

The optional encryption can also protect against a compromised network (when using a network printer) or a compromised printer.