Bruce Schneier on security tokens (hardware 2FA)

Mark Risher of Google extols the virtues of security keys.

Cory Doctorow makes a critical point, that the system is only as good as its backup system.

This is one of the major annoyances I have with a lot of services that implement U2F support. They only support one key, and they make TOTP or even SMS mandatory as a fallback. It’s better than nothing and I’ll still always use it, but it just makes no sense. Google implements it sanely for the most part, although if you’re not part of their Advanced Protection you still have to generate 10 backup codes.

I suppose it makes sense though. Many online services were not developed with absolute security in mind.

You're already lucky that they offer TOTP; there are still tons of services that don't offer anything besides SMS, or 2FA at all for that matter. What I hate with a burning passion is mandatory backup codes. I mean, for real: I go out of my way to use a 25+ char password and 2FA TOTP, so why do they think I want someone with some random 10-char code to get access to my account?

Is there any easy and surefire way to know what the fallback methods are for a given service? Or do you need to explore possibly hidden recovery options?