
Most accounts with two factor authentication (2FA) provide you with backup codes to use in case your phone is lost or stolen. For example, Google provides a list of 10 backup codes when setting up 2FA. These codes need to be stored securely but also need to be accessible. If anyone is able to obtain the 2FA codes, they can bypass 2FA on my account.

Some people have suggested printing out the codes and storing them in your luggage. Instead, I've been putting the backup codes in a digital crypto store with a unique key known only to me. I am using client-side encryption which requires special software which I may not have access to while traveling.

As my phone is the only computing device I have when I travel, I'm trying to cut out the requirement for decryption software. I'd also like to retain control of my keys so a vault with key knowledge (Dropbox, Google Drive, etc) is also out of the question.

Therefore, I am considering another option. Instead of storing the backup codes in a digital vault that requires software for decryption, what if I encrypt them with the manual one-time pad method (text char + key char then mod 26) and make the ciphers publicly available? When I lose my phone, I can decrypt the ciphers by hand with the key I memorize without needing special software.

This provides a couple additional benefits:

  1. I can store the encrypted backup codes in multiple locations such as my wallet, my luggage, and on a publicly-accessible webpage.
  2. I only need to memorize one key for all my backup codes across multiple accounts.
  3. It does not matter if my backup code ciphers get lost or stolen.

My question is: Is this a secure method for storing 2FA backup codes? What are the security risks? What am I overlooking?

1 Answer


I did my own research on this and encrypting the 2FA codes with the One-Time Pad method and a non-obvious phrase is unbreakable due to the uniformity of the 2FA codes.

When using One-Time Pads (OTP) to encrypt a sentence, the key must be uniform to guard against frequency analysis. But in general, either the plaintext or the key needs to be uniform. Google Authenticator and other 2FA providers use a hash generated by SHA-1 to generate the 2FA codes, which is the standard for HOTP (RFC4226) and TOTP (RFC6238). While SHA-1 may not be perfectly uniform, SHA-1 is nearly-uniform and close enough to uniform that frequency analysis is not a feasible attack. Therefore, any non-obvious key such as an easy-to-remember phrase or sentence can be used to encrypt the 2FA codes.

One weakness of this is if you use the same key to use a One-Time Pad to encrypt all your 2fa backup codes and one of your codes gets brute-forced, the attacker can derive the key and then decrypt all your codes. While it is standard practice for account providers to rate-limit logins to help prevent brute-force attacks, some account providers may have worse protection than others and it should not be assumed that all account providers have adequate protection. Your 2fa backup code security is then only as good as the weakest account provider. Therefore, you should use a different key for each account which negates one of the major benefits of this method: that you only have to memorize one key.

  • They use a hash to generate the 2fa tokens. But that doesn't say anything about how the backup codes are generated. Presumably these are just random from a CSPRNG, which violates the security properties to really call it a one-time pad. – mikeazo Mar 02 '18 at 16:18
  • That being said, let's say I have your username and password and I am trying to brute force one of your backup codes. One of the reasons the One-time-pad is so secure is because you have no way of knowing for certain whether or not the correct key was used. You can produce all possible valid plaintexts and have no idea whether or not a possible plaintext you got from guessing a key was correct. In your case, however, there is a way to know. Enter the backup code and see if it lets you in. – mikeazo Mar 02 '18 at 16:21
  • @mikeazo I get what you mean. If I use the same key for the codes across multiple accounts and an attacker can bruteforce one then they have the key and can decrypt all of them. That is definitely a weakness. However, having the cipher doesn't give you an advantage to brute-forcing the first one. Most account providers rate-limit by the account provider can prevent bruteforcing since codes change every 30 seconds. But your point is taken that one weak provider could reveal codes for all other providers unless each account's codes are encrypted with a unique key. – Justin J Stark Mar 02 '18 at 19:43
  • Just remember, security is all about tradeoffs. Personally, if I used an online PW-manager and had 2 factor turned on for it, I would probably print the codes, stick them in a locked box and store them under the bed. If I was away from home and needed a code, I'd prefer to have no access than to introduce additional vulnerability. It is all about tradeoffs and how you want to balance them. – mikeazo Mar 02 '18 at 19:46
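
The key-reuse weakness raised in the answer and comments, as an added example that is not part of the original thread. It assumes backup codes written as letters A-Z so the question's "text char + key char then mod 26" arithmetic applies directly; the key phrases and codes are constructed sample values.

```python
A = ord("A")

def encrypt(plain, key):
    """The page's manual scheme: (text char + key char) mod 26 per letter."""
    if len(key) < len(plain):
        raise ValueError("key must be at least as long as the code")
    return "".join(chr((ord(p) + ord(k) - 2 * A) % 26 + A)
                   for p, k in zip(plain, key))

def decrypt(cipher, key):
    """Inverse: (cipher char - key char) mod 26 per letter."""
    return "".join(chr((ord(c) - ord(k)) % 26 + A)
                   for c, k in zip(cipher, key))

def recover_key(cipher, confirmed_plain):
    """key = cipher - plain (mod 26): one confirmed code exposes the key."""
    return decrypt(cipher, confirmed_plain)

# Constructed sample data (not real codes or keys).
SHARED_KEY = "BLUEHERON"
CODE_A, CODE_B = "QWJXKZPM", "LTRVBHYD"

def shared_key_exposure():
    """One key for both accounts: a confirmed CODE_A decrypts account B."""
    cipher_a = encrypt(CODE_A, SHARED_KEY)
    cipher_b = encrypt(CODE_B, SHARED_KEY)
    leaked = recover_key(cipher_a, CODE_A)
    return decrypt(cipher_b, leaked)

def per_account_key_exposure(key_b="MAPLEWOOD"):
    """Separate key for account B: the key leaked from A yields a wrong code."""
    cipher_a = encrypt(CODE_A, SHARED_KEY)
    cipher_b = encrypt(CODE_B, key_b)
    leaked = recover_key(cipher_a, CODE_A)
    return decrypt(cipher_b, leaked)

def key_explaining(cipher, guess):
    """Every guess has a key that explains the ciphertext, so the published
    ciphertext alone confirms nothing; only the provider's login check does."""
    return recover_key(cipher, guess)

if __name__ == "__main__":
    print("shared key   ->", shared_key_exposure())
    print("per-account  ->", per_account_key_exposure())
```

With a shared key the first function returns account B's real code, while with per-account keys the same leaked key produces an unrelated string, which is the trade-off the answer describes.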