Open shivangc22 opened 9 months ago
I would recommend against doing that. The point of the recovery codes is to help you recover your account if you lost access to your authenticator. If you lost your authenticator, and stored your recovery tokens in your authenticator, you're in for a world of hurt. The idea is alright, but I don't really know what else one would want to store besides the recovery codes.
@jamie-mh Hello Jamie, please add an extra notes textbox to Stratum like Aegis offers. It's so useful to store additional account information like backup codes. Thank you for all the amazing work you put into Stratum; in my opinion, it is one of the best 2FA apps that exist!
@shivangc22 For the time being, until a dedicated notes textbox is added, you can use the username field as a notes textbox to store any information (for example, recovery codes), write the username of the account in the "Issuer" field instead, and disable the "Show usernames" option in the settings so that the recovery codes aren't always visible.
@Red6785 Storing recovery codes in the authenticator app is convenient, reliable and secure if you enable automatic encrypted backups and synchronize them to other devices like your computers, tablets, or phones with, for example, Syncthing (one of the most popular open-source encrypted file synchronization tools), and store the password for the encrypted backups on a piece of paper in your safe.
This way you are not decreasing your security by storing the 2FA info in an additional place (like your password manager), which could be hacked or leaked.
Storing the 2FA secret keys or 2FA backup codes in your password manager is reducing the effectiveness and security of 2FA considerably and also is putting all your eggs in one basket: if your password manager is breached, then the attacker has access to all of your accounts, even the ones where 2FA is configured! This can easily be avoided, and one's security improved.
I always save my 2FA backup codes in my authenticator apps for the very unlikely event that a website I enabled 2FA on does not accept my 2FA TOTP code even though it is the correct one. Then I can use a 2FA backup code and still access my account. This has never happened to me before, but better safe than sorry!
If you lose your phone with the authenticator app on it, you can easily restore the 2FA backup file on another phone with the password stored in your safe. And if your house burns down or gets flooded, you have access to your 2FA data if you carry your phone with you.
Now it would suck if your house got destroyed, including your safe, and additionally you lost your phone. This very unlikely but possible scenario can also be prevented by synchronizing your KeePass (open-source password manager) database and authenticator backup files with devices from another person you can fully trust and having them store the password for both your database and 2FA backup files on a piece of paper in their safe or (my preferred method) one half of the password in their authenticator app and the other half in their password manager for extra security (more on that topic later). Even if their house gets destroyed too, they still have access to everything on their phone. After all the chaos, the person can simply provide you with your KeePass database, 2FA backup files, and passwords, and you retain access to all of your accounts and data!
When I was looking into using 2FA authenticators for the first time, I was worried about the reliability of the backup restoration if I lost my phone. It could happen that I lose my phone and restoring the backup file doesn't work for whatever reason, for example because of a bug that caused the backup files to be created corrupted. Then I would lose access to almost all of my accounts configured with 2FA!
To prevent this scary and disastrous scenario, I have decided, since I began using an authenticator app, that I don't put all my 2FA eggs in one basket and instead always use two authenticator apps at the same time: I use both Authenticator Pro/Stratum (still need to switch xD) and Aegis Authenticator simultaneously and save all my data in both apps. This way, even if I lose my phone and the backup files aren't recoverable and I'm unable to extract the data, I can just simply use the second authenticator app and still have access to all my data and accounts!
I would encourage everyone to not put all their 2FA eggs in one basket and always use two 2FA apps simultaneously; it doesn't take much longer to also scan the 2FA QR codes with a second app, and this can prevent catastrophic data and account access loss!
What's very smart is if you store one half of an account recovery code (which grants you access to an account without a password and without 2FA) in the authenticator app and the other half in the password manager (KeePass). This way, a hacker/attacker who wants to gain access to one of your accounts needs to gain access to both your password manager and also your phone and somehow go into the authenticator app even though it's locked with biometric authentication/password.
This is a lot safer than storing account recovery codes just inside your password manager, because then access to your authenticator app isn't required to gain access to the accounts; you're putting all your eggs in one basket!
For securely saving answers for account security questions, this strategy also works great!
Be sure to use long, complex passwords instead of real answers so that the answers can't be guessed or researched, which could enable a bad actor to gain access to your account without the password and even when 2FA is enabled!
Furthermore, an extra notes textbox in authenticator apps can be used to store half of a password. Let me explain: If an important website, where very valuable/sensitive data is stored, doesn't offer 2FA at all (like Spotify! wtf!), then you can create your own 2FA solution by storing one half of your password in your password manager and the other half in your authenticator apps. This way, even if your password manager is breached, the attacker still cannot access your account.
Additionally, you can split sensitive data like credit card numbers between your password manager and authenticator apps so that even if your password manager is breached, the sensitive data can't be used and no damage happens!
Use two authenticator apps simultaneously.
Don't add usernames to your 2FA entries in your authenticator apps and just add the website names, so that even if your 2FA data is leaked and compromised, the 2FA data can't be associated with your accounts and thus no accounts breached.
Don't put 2FA secret keys and 2FA backup codes in your password manager β put them in your authenticator apps instead.
For answers to account security questions, use long, complex passwords instead of real answers, so that the answers can't be guessed or researched!
Split answers to security questions, account recovery codes, and sensitive data like credit card info in two and store one half in your password manager and the other half in your authenticator apps to boost your security.
Write down the long and complex master password that encrypts your password manager and authenticator apps in addition to the password that encrypts your 2FA backups on a piece of paper and store it in your safe so that even if you lose your phone, you can still access everything! For increased security: Write down only half of your authenticator app passwords on the paper and save the other half in your password manager, so that even if someone breaks into your house and your safe, they only have half of the password and can't use it to decrypt your 2FA backup files, which are stored on a device at home!
Enable biometric authentication for your authenticator apps and password manager on all your devices so that you retain access even without the password.
Save the master password for your password manager inside your password manager itself.
This does not decrease the security because someone would need to already have access to your password manager to see the password. This ensures that you don't lose your master password in the event that your house and safe get destroyed.
Furthermore, the following scenario doesn't turn into an issue:
You own a phone and a laptop.
After a restart of your laptop, your KeePass database gets locked again, and you need to enter the password.
If you are not at home and can't access the database password in your safe, then you would be unable to unlock your database on your laptop! But because you have the database password saved in the database itself, you can just quickly open your database on your phone with biometric authentication and view the password without any issues!
This also works the other way around, of course: If for whatever reason your database on your phone gets locked and biometric authentication isn't possible for unlocking (which should almost never happen), then you can simply view the password inside KeePass on your laptop.
Enable device encryption/full disk encryption for all phones and computers (on Windows, use BitLocker with TPM AND PIN for maximum security!) so that even if a robber is able to break into your house and your safe, they can't access your password manager and decrypt your 2FA backup files that are synchronized and stored, for example, on your desktop PC at home, which would otherwise allow the robber to gain access to all of your accounts! For increased security, split the encryption keys/passwords in half and store one half in your password manager and the other half in your authenticator apps.
Many reasons are provided in this video: Just use KeePass.
The only Android 2FA authenticators that I have found that meet all these criteria are Aegis Authenticator and Stratum.
KeePass gives you the option that your database is also encrypted with a "Key File" in addition to your master password. This increases the security of the encryption. When opening your database, you need to enter your master password and also simply select the location of the Key file.
On the KeePassXC website, Key Files are explained in detail.
"You can basically use any file you want as a key file, but it is of utmost importance that a) the file never changes and b) it actually contains unpredictable data. If the file changes, it is as if you forgot your password and you will lose access to your database."
What I recommend is to use, for example, the Windows app Paint and draw a random picture; it doesn't need to be pretty! xD
Save the file with a random generic name like "drawing I made.png" in a folder you can remember. Then, using a cable (or USB stick), copy the file onto all your devices where you want to use KeePass and save it in a location you can remember. Don't save it in the same folder where your KeePass database is stored, because this makes it obvious that it's the Key File to unlock your database.
KeePass gives you the option to remember the location of the key file, but I recommend not using this feature so it's way harder for a bad actor to find the key file and unlock your database.
Here is a useful tutorial that includes setting up KeePassXC and configuring Syncthing settings.
Disclaimers:
The configuration of the Syncthing settings is well explained, though.
Here is another useful tutorial specifically about setting up Syncthing Tray.
To enable backups of older KeePass database versions with Syncthing, go to the settings for your folders that you're syncing between your devices, select under the menu "File Versioning" the option "Simple File Versioning" and at "Keep Versions" select something like 100. This means that 100 older versions of your KeePass database are kept stored on your device, and older versions are automatically deleted to save storage space.
Syncthing offers the ability to have different folder settings on every device. I recommend enabling file versioning on every device to have backups on every device.
I can also recommend you AlternativeTo.net, which is a crowd-sourced and free site that helps you find better apps and services according to your needs, for example, finding your preferred KeePass client. Under "License" you can filter software by "Open Source" and also select your preferred platforms.
After starting to write my comment, I couldn't stop... xD As you might have noticed, I'm very passionate about online security and privacy.
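The "one half in the password manager, one half in the authenticator" split from the comment above, as an added example that is not from this thread or the Stratum project. It puts the plain first-half/second-half split beside an XOR split of the same recovery code, which goes one step further: with the XOR form, either share alone is uniformly random, so a breach of one store reveals nothing about the code. The recovery code is a constructed sample.

```python
import base64
import secrets

# Constructed sample recovery code (not a real one).
RECOVERY_CODE = "4f2a-9c1b-77de-0e3c"


def naive_halves(secret: str) -> tuple[str, str]:
    """The split described in the thread: first half / second half as plain text.
    Whoever obtains one store learns half of the code outright."""
    mid = len(secret) // 2
    return secret[:mid], secret[mid:]


def xor_split(secret: str) -> tuple[str, str]:
    """2-of-2 split: share A is a random pad, share B is the code XOR the pad.
    Each share on its own is indistinguishable from random bytes."""
    data = secret.encode("utf-8")
    pad = secrets.token_bytes(len(data))
    masked = bytes(d ^ p for d, p in zip(data, pad))
    # Base32 so both shares paste cleanly into a notes field or a password entry.
    return (base64.b32encode(pad).decode("ascii"),
            base64.b32encode(masked).decode("ascii"))


def xor_join(share_a: str, share_b: str) -> str:
    """Recombine the two shares; fails loudly if one was truncated or edited."""
    a = base64.b32decode(share_a)
    b = base64.b32decode(share_b)
    if len(a) != len(b):
        raise ValueError("shares do not belong together or were damaged")
    return bytes(x ^ y for x, y in zip(a, b)).decode("utf-8")


if __name__ == "__main__":
    first, second = naive_halves(RECOVERY_CODE)
    print("plain halves:      ", first, "|", second)
    share_pm, share_auth = xor_split(RECOVERY_CODE)
    print("password manager:  ", share_pm)
    print("authenticator note:", share_auth)
    print("recombined:        ", xor_join(share_pm, share_auth))
```

Because the pad is fresh on every call, the XOR shares differ each run; only their combination is stable.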
Request to add an extra details (text only) option for each 2FA entry.
My specific use case would be to store the recovery codes alongside the 2FA codes, but it can also be used to store other information.