2

For MFA I now use Authy (owned by Twilio) instead of Google Authenticator. I find Authy more convenient because it syncs your accounts between several devices and several Authy installations, which Google Authenticator will not do. Authy also displays the remaining time before a token times out so that you can see if it is about to expire. I also take a screenshot of every QR code so that I can register it again with a new device or a new MFA app. I can confirm that a token from Authy works to authenticate with AWS. There is also another MFA app named FreeOTP which I did not try.

If someone "found" that image file from the QR screenshot, and they "guessed" my password, what would prevent them from impersonating me without me noticing it?

For example, someone has FreeOTP, has the QR code screenshot and knows my AWS password (highly unlikely but possible). I tested reading a screenshot of a QR code and registering it with FreeOTP. FreeOTP did start generating a valid token (the same as in Authy).

What I really want to know is: Is it a security concern to save a screenshot of the QR code?

ThoriumBR
  • Uh, `I also take a screenshot of every QR code so that I can register it again with a new device` - but I thought Authy would do this for you? – Clockwork-Muse Aug 16 '19 at 18:31

2 Answers

3

The QR code used when setting up MFA contains the seed that is used for the MFA process. That's what allows you, having that initial QR code, to set up another client with the same codes.

The drawback of this is that, just as you can set up a second client, a third party that got hold of those QR codes could do that as well. Thus, if someone got that QR code and your password, they would have all the information needed to log in as you.

I would say it is a security concern only depending on how it is being stored. You may store those QR codes, but I would recommend treating them as passwords; note that they guard (half the) access to the relevant account. For instance, rather than syncing them with the cloud like other photos, you may want to save them in a password manager instead.

PS: It makes no difference here whether you are using Google Authenticator, Authy, FreeOTP or another client. Most likely, the MFA is using a TOTP token, as defined in RFC 6238, which many clients support.

Ángel
    Personally I'd avoid storing the screenshot anywhere online. Print it out, and store it in a safe. That's likely FAR more secure than storing it in any online account. In an online age, passwords being stored in any computer is a potential threat. – Steve Sether Aug 15 '19 at 16:11
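Ángel's point that the QR code *is* the seed can be made concrete. The following is an added example, not code from either answer or from any of the apps named above: it parses a constructed `otpauth://` URI of the kind a provisioning QR code encodes, derives RFC 6238 TOTP codes from the embedded secret, and checks a code against a small clock-skew window. The secret used is the RFC 6238 Appendix B test secret, base32-encoded; the `AWS:alice` label is an assumption.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed provisioning URI, as embedded in an MFA setup QR code.
# Secret = base32 of the RFC 6238 test seed "12345678901234567890".
SAMPLE_URI = ("otpauth://totp/AWS:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=AWS&algorithm=SHA1&digits=6&period=30")


def parse_otpauth(uri):
    """Decode an otpauth://totp/ URI into its seed and TOTP parameters.

    Everything an authenticator needs is right here, which is why a
    screenshot of the QR code must be treated like the password itself.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(u.query)
    b32 = q["secret"][0].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)          # restore base32 padding if omitted
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def totp(secret, at, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP over the time-step counter floor(at / period)."""
    counter = struct.pack(">Q", int(at) // period)
    mac = hmac.new(secret, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(params, code, at, window=1):
    """Accept a code from the current step or +/- `window` adjacent steps."""
    p = {k: params[k] for k in ("digits", "period", "algorithm")}
    return any(hmac.compare_digest(totp(params["secret"], at + i * p["period"], **p), code)
               for i in range(-window, window + 1))
```

Two clients provisioned from the same URI (the Authy/FreeOTP experiment in the question) will always agree, because `totp` is a pure function of the seed and the clock.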
2

You didn't say where you were saving the screenshot, but I think it's best to save it on paper (as Steve Sether said in a comment).

But I would worry even more about this "synchronisation" that you claim is a feature. Passwords, or things equivalent to passwords, should never be synchronised, and definitely not under the control of any proprietary software.

I strongly suggest you re-acquire all TOTP tokens from the source websites, use local-only (no sync!) apps on Android (I use "andOTP", which has its own PIN/password on top of the phone's own locking), print paper copies of the QR codes if you like, then use them to initialise any other phones you need to.

Don't wait till after someone finds a hole in whatever proprietary app you're using, or they cop to insecure AWS servers having leaked all the secrets, or something like that.

Please note that I am not against any particular company in this aspect; I am against ALL of them!