This is a good thing to think about. You can do the following:
Don’t store 2FA TOTP passcodes in your password manager, that makes it not 2FA.
Use Authy which has free backup of your TOTP codes encrypted client-side with a password; if you forget this password your TOTP codes will be irrevocably lost. Do not put this backup password in your password manager (for same reason as 1, makes it not 2FA), write it down on a physical piece of paper (or several) and put it some place in your home. Authy prompts you occasionally for this password which is a good way to test that you can get the piece of paper and put in the code correctly.
Buy at least two hardware U2F tokens (aka yubikeys, or get one from solo keys); most websites that offer TOTP U2F also support hardware U2F. So if you lose your TOTP codes but still have access to the hardware U2F tokens you should be able to access websites and remove/change the TOTP codes.
If you’re worried about losing or destroying your hardware U2F tokens, the only real solution is to use a cryptocurrency hardware wallet (yes yes I know, gross, whatever, improved private key management is cryptocurrency’s only positive contribution to the world) because those function as hardware U2F tokens but also let you physically write down a series of words on paper that will let you reconstitute the same hardware U2F key in a new crypto hardware wallet if all your hardware U2F tokens (including the wallet) get lost or destroyed. Store this paper in the same place you store your TOTP backup code.
If you’re really really worried about losing access to your crypto hardware wallet U2F key you can get a blockplate then use a centerpunch to encode your private key by making divots in an actual hunk of metal. Theoretically this will survive a fire.
Don’t store 2FA TOTP passcodes in your password manager, that makes it not 2FA.
Depends on your threat model, for most people password manager storage is fine because you’re still protected against the service getting owned and leaking your password.
If you’re worried about your phone being exploded tho you probably do have a threat model that precludes storing TOTP creds in your password manager.
I would say that putting TOTP seeds in your password manager also brings risk of unintentional lockout, because usually access to your password manager is gated by TOTP codes and if you lose access to your active TOTP codes and need to also use them to log into your password manager to get your backed-up TOTP seeds, you could be shit outta luck.
Generally you should always have multiple hardware U2F tokens in case you lose one. All sites that support hardware U2F should support registering multiple tokens for this reason. However some sites you can use TOTP as a backup for hardware U2F tokens and vice versa, so two tokens is not really necessary. But it depends.
Yubikeys are probably made in China but I don’t know any fully Chinese companies that sell them. The solo keys company is interesting because it’s all open source hardware & software.
No, the main thing separating hardware U2F tokens from crypto hardware wallets is that with hardware U2F tokens the key is totally baked into the token and can’t be exported, so it will be lost forever if the token is destroyed. Crypto hardware wallets are unique in that they let you export & import the key. Sorry I edited the post that you’re replying to a few times with extra details so you may not have read them.
This is a good thing to think about. You can do the following:
Replace authy with aegis which is open source and doesn’t tie you to any service and allows encrypted exports you can manage yourself
Good to know, I had not heard of it!
Depends on your threat model, for most people password manager storage is fine because you’re still protected against the service getting owned and leaking your password.
If you’re worried about your phone being exploded tho you probably do have a threat model that precludes storing TOTP creds in your password manager.
I would say that putting TOTP seeds in your password manager also brings risk of unintentional lockout, because usually access to your password manager is gated by TOTP codes and if you lose access to your active TOTP codes and need to also use them to log into your password manager to get your backed-up TOTP seeds, you could be shit outta luck.
Thanks!
Why two hardware keys? Do sites let you register more than one at the same time?
Are there any Chinese hardware key manufacturers?
I like the idea of archaeologists discovering my blockplate in 3,000 years like a modern-day Sumerian tablet.
Generally you should always have multiple hardware U2F tokens in case you lose one. All sites that support hardware U2F should support registering multiple tokens for this reason. However some sites you can use TOTP as a backup for hardware U2F tokens and vice versa, so two tokens is not really necessary. But it depends.
Yubikeys are probably made in China but I don’t know any fully Chinese companies that sell them. The solo keys company is interesting because it’s all open source hardware & software.
Oh—you mean you can make one key into a clone of another?
No, the main thing separating hardware U2F tokens from crypto hardware wallets is that with hardware U2F tokens the key is totally baked into the token and can’t be exported, so it will be lost forever if the token is destroyed. Crypto hardware wallets are unique in that they let you export & import the key. Sorry I edited the post that you’re replying to a few times with extra details so you may not have read them.