
I'm implementing Google 2-Factor Authentication on some servers in my company.

When configuring Google 2FA on client computers, 5 emergency codes are generated to be used if a user forgets his master password or loses access to his soft token application.

I would like to save these emergency codes in some centralized safe place, and I was thinking about placing them in a write-only bucket at Amazon S3.

Has any of you done it before? Do you have a better suggestion?

Itai Ganot
  • USB stick in a safe-deposit box at the bank. Placing things like this in "the cloud" is just asking for trouble. – Michael Hampton May 24 '16 at 09:36
  • They're essentially skeleton keys. I wouldn't lock them where an ordinary key could find them; certainly don't put them on the internet. – Sum1sAdmin May 24 '16 at 09:42
  • @MichaelHampton gave the answer...should not be in a comment, but an answer. And I'd extend it to say to make a few copies in case one goes bad. – Peter May 26 '16 at 11:07

1 Answer


@MichaelHampton is right. But I would probably not use a USB stick but a printed sheet of paper in a sealed envelope.

In the scenario of a lost smartphone and missing Google Authenticator it might not be that relevant, but often in case of an emergency there are several things going wrong. And reading a sheet of paper will nearly always be possible.

Seal it, so you know that it was not read by everybody and you know that it was used.

cornelinux