
In case we lose access to our 2 Factor Authenticator, we can use our one-time recovery codes to regain access to our accounts.

But what if we store the setup key itself instead of the recovery codes? We can still recover the account by adding the setup key to another authenticator.

I think recovery keys are better because they can be shared with other trustable people to keep them safe for you. If a recovery code has been used, we get notified. And they are limited in number.

Are there any other security implications?

schroeder
Balu
    @schroeder Authenticators are capable of working without internet access. Which means that the secret for code generation lies in the setup key itself. So it's not possible for setup keys to expire without the authenticator connection itself expiring, right? I've not tried this with a large time gap, but I was able to use the same setup key for two devices with a few minutes' gap – Balu Aug 04 '21 at 16:04
  • It's pretty much what you say: from the setup key an unlimited number of devices can be added to the account. So an attacker can gain unnoticed access to your accounts. – Stefan Lorenz Aug 04 '21 at 17:10
  • Those registry keys (if they are just the 2FA TOTP seeds) are forever things -- as noted, they can be used to enroll an unlimited number of times. They don't contain any other info (like an expiration). – Joe Aug 04 '21 at 18:21
  • @Balu that's not universally true. Some QR codes expire: https://security.stackexchange.com/a/253991/6253 – schroeder Aug 05 '21 at 10:16
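The point made in the comments above, shown as an added example that is not from the thread: the setup key is the HMAC secret itself, so every authenticator enrolled from it computes identical codes offline with nothing to count or expire them, whereas recovery codes are finite and burned on first use, which is what lets a service notify the owner. The seed below is the RFC 6238 test vector in base32, and `RecoveryCodes` is a hypothetical server-side store written for this illustration.

```python
"""Stored TOTP setup key vs stored recovery codes (constructed example)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def totp(setup_key_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: SHA-1 HOTP over the time counter, from a base32 setup key."""
    secret = base64.b32decode(setup_key_b32.upper().replace(" ", ""))
    counter = struct.pack(">Q", at // step)          # 8-byte big-endian step count
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class RecoveryCodes:
    """Hypothetical server-side store: codes hashed at rest, each valid once."""

    def __init__(self, count: int = 8):
        self._codes = [secrets.token_hex(5) for _ in range(count)]   # shown to the user once
        self._unused = {hashlib.sha256(c.encode()).hexdigest() for c in self._codes}
        self.alerts = []                                             # what the owner would be told

    def issued(self):
        return list(self._codes)

    def redeem(self, code: str) -> bool:
        h = hashlib.sha256(code.encode()).hexdigest()
        if h not in self._unused:
            return False                                             # unknown or already burned
        self._unused.remove(h)
        self.alerts.append(f"recovery code used, {len(self._unused)} left")
        return True


if __name__ == "__main__":
    KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test seed ("12345678901234567890"), base32
    now = int(time.time())
    # Two "devices" enrolled from the same key agree, and a third, fourth, ... would too.
    print("device A:", totp(KEY, now), "device B:", totp(KEY, now))
    store = RecoveryCodes()
    first = store.issued()[0]
    print(store.redeem(first), store.redeem(first), store.alerts)   # True False [...]
```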

1 Answer

I usually save both. They serve different purposes, and even if they can be used in place of the other, they are best used for their own purposes.

The setup key is used when you have lost your device, or you set up a new device. Just importing the key is easier than getting online with the one-time backup code, removing the 2FA, and inserting the next one. And depending on the service, there's a lockdown period when you are not allowed to perform some actions, like withdrawing crypto coins, for example.

And the one-time backup codes are good when you don't have the device, but you didn't lose it. Maybe the phone was left home, or the battery died and you have no charging cable with you. So you use the one-time code, get online, do whatever you need, and use the 2FA on the phone the next time.

Usually the setup key is securely stored in the password manager: encrypted database, at least PIN-based security, and so on. Recovery codes are shown on the screen and you have to securely store them, and most of the time they end up in a recovery-codes.txt on the desktop. So if an attacker manages to get someone's setup key, the chances are high that he got the recovery codes before that.

ThoriumBR
  • But if the password manager somehow gets hacked, it would give the attacker both the passwords and 2FA keys, right? It sounds contradictory to the purpose of 2FA to store them in the same place (https://security.stackexchange.com/a/73531/264243) – Balu Aug 05 '21 at 03:13
  • @Balu As always, it's a tradeoff. Storing everything in a single password manager is generally easier, but is less secure *if your password database is compromised*. Personally, I feel it's unlikely enough that such a situation occurs that I'm happy to accept the risk. You may not feel that way, and instead want to consider a separate "password" database for 2FA details or hard copy printouts of the codes (more secure, but has considerable drawbacks in terms of use). – Anthony Grist Aug 05 '21 at 13:05
  • @Balu Non-practical security is useless; it should be secure enough and should be practical for daily use. You can have 2 different password managers, one storing the passwords and another the TOTP tokens, but in time you will get frustrated at needing both and end up not activating 2FA on every service, or end up putting TOTP tokens in the password database. – ThoriumBR Aug 05 '21 at 13:14