One of the biggest issues with 2fa is that normally it’s either an easily spoofable phone/email or an app locked to a device.
This is why I use a password manager (pass) that is synced across all of my devices (via a private self hosted git for version control) that I can send 2fa QR codes to cameraless devices via screenshots using zbarimg and have every device capable of 2fa verification with the pass-otp extension.
I know this setup is a bit complicated as just dealing with git or importing a gpg key would give most people I know sense of existential dread. I am curious to see what others use for similar functionality.
I’m just using my password manager in place of the authenticator app.
So rather than using an app like Google authenticator or Authy to see what the new random sequence is for the MFA, my password manager stores that QR as a string and will display the same random sequence that a normal MFA app would.
They key difference is that my MFA is synced across any device that I have configured my password manager on using the same cryptographic keys and version control history.
So if my phone is dead, lost, or stolen, I can still access my banking account via MFA as normal.
I suppose it brings up the idea of what a “factor” is in how it’s used for MFA. If a factor is supposed to be a different device, a different app on the same device as your password manager, or just a different passphrase that’s constantly changing.
I see. IIRC from school, “factor” actually has a definition - it’s either something you have (keycard, phone), something you are (biometrics) or something you know (password).
For authentication to be truly an effective MFA, it would have to require at least two of those factors. And that’s also why I.e email isn’t really a MFA.
So, I guess it boils down to where are you storing your passwords. If they are also in the password manager, then, its only 1FA, because knowing your password manager password is enough to defeat it. (Or, if someone finds a zeroday in the pass manager).
One of the biggest issues with 2fa is that normally it’s either an easily spoofable phone/email or an app locked to a device.
This is why I use a password manager (pass) that is synced across all of my devices (via a private self hosted git for version control) that I can send 2fa QR codes to cameraless devices via screenshots using zbarimg and have every device capable of 2fa verification with the pass-otp extension.
I know this setup is a bit complicated as just dealing with git or importing a gpg key would give most people I know sense of existential dread. I am curious to see what others use for similar functionality.
Is that second factor, though? If I understand it right, you are basically generating your MFA from your password manager, is that so?
I’m just using my password manager in place of the authenticator app.
So rather than using an app like Google authenticator or Authy to see what the new random sequence is for the MFA, my password manager stores that QR as a string and will display the same random sequence that a normal MFA app would.
They key difference is that my MFA is synced across any device that I have configured my password manager on using the same cryptographic keys and version control history.
So if my phone is dead, lost, or stolen, I can still access my banking account via MFA as normal.
I suppose it brings up the idea of what a “factor” is in how it’s used for MFA. If a factor is supposed to be a different device, a different app on the same device as your password manager, or just a different passphrase that’s constantly changing.
I see. IIRC from school, “factor” actually has a definition - it’s either something you have (keycard, phone), something you are (biometrics) or something you know (password).
For authentication to be truly an effective MFA, it would have to require at least two of those factors. And that’s also why I.e email isn’t really a MFA.
So, I guess it boils down to where are you storing your passwords. If they are also in the password manager, then, its only 1FA, because knowing your password manager password is enough to defeat it. (Or, if someone finds a zeroday in the pass manager).