
This is why I use SMS as my second factor for my Google account. Much harder to lose. It could be vulnerable to sim swapping attacks, but I consider Google locking me out of my own account a more likely threat (and frankly I'm probably not a high-profile enough target for anyone to bother with that, and in any case they'd still need my password).


Instead of Google Authenticator, I use Twilio Authy. It syncs the 2FA code across my devices. I keep a backup device at home.

Sure, it's not the most secure way but I trust this over carriers securing my number.


Don't use Twilio Authy. From https://raw.githubusercontent.com/blues-lab/totp-app-analysi... : "the Twilio Authy app and Zoho OneAuth app each store backups on their own servers. This means that any user of Twilio Authy or Zoho OneAuth who enables cloud backups is unknowingly sending those companies the names of the websites/services they use and the usernames for their accounts on those platforms."

And

"By default, each of Twilio Authy, Yandex.Key, and Salesforce Authenticator also relied solely on SMS OTP to authenticate users during recovery, but did encrypt TOTP backups using a key derived from a password before uploading them to the cloud. To compromise the backup, an attacker who hijacks the phone number will still need to conduct an offline attack to guess the backup password."
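To make the two quoted points concrete (what a cloud TOTP backup record contains, and why the password-derived key is the only thing standing between a number hijacker and the seeds), here is an added example that is not part of the thread or of any of the named apps. It parses an otpauth:// enrollment URI into the fields a backup would hold, generates RFC 6238 codes from the seed, and gates the backup behind a PBKDF2-derived key with a key-check value so a wrong password is rejected. The URI, the `lock_backup`/`unlock_backup` names and the iteration count are my own constructed choices, not any vendor's format; the seed is the public RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrollment URI (RFC 6238 test seed, fictional account).
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Split an otpauth://totp URI into the fields a backup record carries.

    Everything except 'secret' is account metadata: this is exactly the
    issuer/username information the quoted paper says a cloud backup reveals
    to the backup provider, whether or not the seed itself is encrypted.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(u.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    q = parse_qs(u.query)
    return {
        "issuer": q.get("issuer", [label_issuer])[0],
        "account": account,
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def totp(secret_b32, for_time, digits=6, period=30):
    """RFC 6238 TOTP with HMAC-SHA1: whoever holds the seed can do this."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(for_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def lock_backup(password, iterations=200_000):
    """Derive the backup key from the user's password (constructed scheme).

    Only a random salt, the iteration count and a key-check value are stored
    beside the encrypted seeds; the key itself never leaves the device.
    """
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    kcv = hmac.new(key, b"backup-key-check", hashlib.sha256).hexdigest()
    return {"salt": salt, "iterations": iterations, "kcv": kcv}


def unlock_backup(record, password):
    """Re-derive the key from a password guess; True only if it matches.

    An attacker who has hijacked the phone number and fetched the record
    can only repeat this, one PBKDF2 run per guess, offline.
    """
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              record["salt"], record["iterations"])
    kcv = hmac.new(key, b"backup-key-check", hashlib.sha256).hexdigest()
    return hmac.compare_digest(kcv, record["kcv"])


if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print("metadata visible to the backup host:",
          {k: entry[k] for k in ("issuer", "account")})
    print("code now:", totp(entry["secret"], time.time()))
    rec = lock_backup("correct horse battery staple")
    start = time.perf_counter()
    unlock_backup(rec, "wrong guess")
    print("cost per offline guess: %.3f s" % (time.perf_counter() - start))
```

The per-guess timing printed at the end is the practical meaning of "offline attack": the iteration count sets how many password guesses per second the number hijacker can try, so a weak backup password turns the SMS-only recovery path straight into seed disclosure.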


Me too. Although this thread is making me wonder if I'd be screwed if I somehow lost access to both of my authenticated devices. (The 'house burns down' scenario.)

Edit: looks like you can fall back to SMS (along with backups password) to add a new device.


Instead of SMS, get a pair of YubiKeys as recommended by some other posters, so you are not depending on your mobile provider, as they own the number and it is just "rented" to you.


...so you are not depending on your mobile provider as they own the number and it is just "rented" to you.

In the US, porting wireless numbers has been mandated by the FCC for almost 20 years. I'm feeling my age, as I remember being excited during the process and when it finally happened.

https://www.fcc.gov/general/wireless-local-number-portabilit...


And if you have an Android phone you don't even need a pair of hardware keys, one is enough as backup, just use your phone as the main key: https://www.youtube.com/watch?v=Nhz4YLay0zc

I think you can also do that with an iPhone and the Google Smart Lock app.


How does that work? Do you have to carry around a Yubikey/Dongle everywhere with your phone?


For my phone, I'm already logged in and never get any future challenges. I needed the Yubikey when I first logged into my phone, but after that the phone has been authenticated. If I unlink my phone from my Google account I'll need the Yubikey again, but I don't normally do that. So normally I don't carry a Yubikey with me, like when I go to the store and whatnot.

That said, I do keep a Yubikey with me in my bag when I travel in case my phone breaks and I need to authenticate into a new device. I do take a Yubikey with me going to and from the office as there are other services and platforms which do challenge my Yubikey more often.


I have a YubiKey on my keyring. It's superior to SMS 2FA in every way. It's almost impossible to damage a YubiKey; phones can easily be broken or stolen. You can have multiple keys linked to your account; Google only lets you have one phone. A YubiKey can't be SIM swapped. It never needs to be charged or have cell reception, and there are no problems with sites not accepting international phone numbers.

The only downside is that Google is the only site I use that supports it.


I keep one on my keychain in my pocket and one at home in a fireproof box, plus a backup one that I haven't even opened next to the backup so if I lose the keychain one I have another ready to go as my "new backup".


As others have commented, on your phone you rarely ever need to authenticate, so I keep mine at home.

If you buy a Titan Key you get two (USB-A, USB-C), so sticking one of them in your safety deposit box, locked desk drawer at work or another secured space is a good backup.


Personally, I don't, since I've never wanted to log into my Google account on a device I encountered while out of the house. I'm not really sure why you'd ever do that IMO.


This should be fine: using your phone for SMS two-factor authentication is a separate thing from assigning the phone as "your phone" in your Google account (which works as an account recovery method too).

If you don't have your phone set up as "your phone" and they clone your SIM, they can potentially use your number to get 2FA codes, yes, but they still need your password to log in. Supposedly they won't have that.


I mostly agree with you, but be careful how often you apply this logic. People who are not already a target can be just as useful, for example when needing to frame someone else for a crime. I mean, who'd care about nicoburns if they disappeared, right?



