Should I use a Yubikey for my 2FA backup method?

Zaka7
Community Member

Apologies, as this isn't explicitly a 1Password question, but as a tech-savvy and clearly security-conscious community I thought it the best place to post.

I know the advice for 2FA is that SMS is better than nothing, but that it isn't ideal and you should use something like 1Password to store time-related tokens, which I do.

Whilst I do have a few accounts where I use SMS as 2FA because they do not offer anything additional to this, the advice I am after is what to do in the situation where a service DOES offer the time-restricted one-time password. Would you still have SMS as a backup, as technically this leaves the door open, but then having no backup could cause issues?

What do you guys all do / recommend? Obviously personal opinions only; I fully appreciate there won't be a 1Password response to this.

Would you have:
A - One-time password only - no backup
B - One-time password and SMS backup
C - One-time password and Yubikey backup (I don't fully understand Yubikey and if it can even be a recovery method, as I wouldn't really want to use it as the primary 2FA method)

Thanks in advance.


Comments

  • XIII
    Community Member

    D - TOTP and a backup of the initial seed, so that I can recreate it in any 2FA app (on any device) if needed.

  • One thing to keep in mind, @Zaka_7, is that 1Password has something of a backup system built into it. Your data is synced across your devices, so unlike with some authenticator apps, losing your phone doesn't mean you've lost your 2FA codes too. You'd need to lose access to all of your devices and access to 1Password itself to lose those completely, and that's (thankfully) not a terribly likely scenario. With that said, @XIII's advice is excellent if you feel the redundancy built into the system is inadequate.

    I definitely would avoid SMS where possible, but like you alluded to, it is far better than nothing. SIM swapping is a real threat, but without SMS 2FA they only need your password. With SMS 2FA, they still need your password, plus something extra. It might not be as good as a one-time password, but it's still better than your password alone and, as our founder Dave is fond of saying, you should never let perfect be the enemy of better.

  • Zaka7
    Community Member

    @XIII Thanks for that. I imagine that will be hard to do retrospectively, and I would need to turn 2FA off and back on to get the code for copying? I would likely store this in 1Password anyway, so probably not the best fit for me, but thank you :)

    @bundtkate Thanks for that, that's a good point. I guess I have a pretty good setup and just keep looking for little tweaks to improve it when I don't really need to. I think I will just remove the SMS backup method from all of my 2FA, and if it won't let me not have a backup then I'll add another OTP app instead, so that I still do not need SMS.

    Then, as you say, keep SMS for those that don't give me any choice. I guess my main worry was if something happened to 1PW servers for any reason, but if that did happen I would have bigger issues anyway, as I wouldn't even get to the 2FA stage :)

    PS: that saying from Dave is one of the best I've heard! I love that!

  • XIII
    Community Member

    Thanks for that, I imagine that will be hard to do retrospectively, and I would need to turn 2FA off and back on to get the code for copying?

    Yes.

  • If you have 1Password generate your TOTP codes, @Zaka_7, you can actually pull the original secret out at any time without the on/off dance. Just edit the item and reveal what's in the one-time password field, and it'll be there for ya. :+1:

  • Zaka7
    Community Member

    @bundtkate You're a hero!
    I think I've decided I will have 1PW look after all my 2FA tokens and remove all SMS where I can. Where I have to have a backup method, I will use Authy as a secondary method, or again SMS if I absolutely have to. Thank you :)

  • On behalf of Kate, you're most welcome. :)

    Ben