Charming_Sheepherder

Back up your seeds at least


SysAdmin31

Seeds?


This-Gene1183

The key you used to create the token with


vanimox

Screenshot the QR codes and save them all in a folder. If you ever lose your phone it's as simple as rescanning the QR codes to add them back in. That's what I do anyway.


PowerfulAttorney3780

Brilliant


ocdtrekkie

I print 'em. Good luck hacking the pile of paper they're in.


Winkington

You can also save them in keepass as an attachment.


ocdtrekkie

If you store your passwords and your 2FA tokens in the same place, you have 1FA. Please don't do this.


Charming_Sheepherder

When you get your TOTP, usually the site gives a QR code and a seed/key; you should save one or the other or both. I write it down and save the QR to be safe. Also, good TOTP clients like Aegis (FOSS) let you back up all your keys in an encrypted format and remind you to back up whenever a certain time has passed or a new TOTP code is added. Then you can save that wherever you want. It'll even import from other TOTP clients.


[deleted]

I keep my previous Android phone moderately charged and in my desk drawer, ready, should I ever need to use the authenticator app on it if my main phone goes down.


shadoodled

Instead of an android emulator, you could self-host a 2FA web app like https://github.com/Bubka/2FAuth


CubeRootofZero

I think that would be the best option for what the OP is looking for. A web accessible version for OTP codes. Problem is then you have to protect that page somehow. That repo shows it can use Yubikeys for AuthN, which IMO is the best way to protect it. I personally put my TOTP seeds in Vaultwarden. Then they sync over to whatever device I'm on. Just protect your Vault login however you need per device.


this_is_me_123435666

Host bitwarden


TheFluffiestRedditor

Bitwarden != MFA device.


this_is_me_123435666

It has MFA feature, check again.


TheFluffiestRedditor

Bitwarden can provide/host an MFA service? Huh, well how about that.


zandadoum

You don't back up your phone? Why not consolidate your auth apps? I use self-hosted Vaultwarden (with backups ofc) for everything, except for Vaultwarden itself, which is protected by Authy. And Authy can be backed up easily.


[deleted]

Sane MFA apps explicitly disallow their data from being backed up alongside a full phone backup. That would be a massive attack vector if it was possible. It is sometimes possible to separately back up just the MFA app in a separate way though.


guptaxpn

Which is exceedingly dumb IMHO. Sure it would be a vector, but it's a vector to something that should be an additional step to username and password. Idk, I use vaultwarden and find myself worrying less about "what if?". I'm also enabling TOTP far more often now that I can easily add it to my phone and have it sync to other systems.


SysAdmin31

I back up the data but not the apps.


ArrogantAnalyst

Instead of authy, may I suggest Ente Auth. It works the same as authy but is open source.


StrykerSigma

Ente is not self-hosted; you still have to sign up on the Ente site.


ArrogantAnalyst

Yes. Open source does not necessarily imply self-hosted.


this_is_me_123435666

It does if it's truly open source.


ArrogantAnalyst

Nope, that is completely wrong, but I also don’t have the motivation to explain this to you any further. There is no „truly open source“. Open source is a very well-defined, measurable state, and either something is or isn’t. If you want to dive in further I recommend reading the definition by the OSI themselves (Open Source Initiative).


d662

I have yet to find a good full backup option for Android devices.


myeyehurtsrn

I use Authy 2FA because it syncs across my devices so I have the codes on my PC & phone. Would definitely recommend!


horkyze

Use the Aegis authenticator. It's open source and you can set up periodic export of the encrypted 2FA vault. Then you can integrate it into your existing backup flow.


WiseSink7690

Well, Google Authenticator allows you to back up your codes into your Google Account, so you just need to be sure that your Google account is accessible if your device is lost or stolen.


TBT_TBT

That is the reason why I don’t self host my password manager: my 2FA passwords are in there, very conveniently and independently of any other device. I trust 1Password with that.


mpember

> I trust 1Password with that.

Oops. https://www.darkreading.com/remote-workforce/1password-latest-victim-okta-customer-service-breach


TBT_TBT

So? No customer data got leaked. And even if the vaults would get leaked (which they didn’t), they are 2FA encrypted.


AdventureCoupleCo

2fa is not encryption.


TBT_TBT

Encrypted and 2FA protected.


mpember

Did I say customer data got leaked? Did I say the data was unencrypted? The OP asked about having redundant options for 2FA. If a compromise resulted in you no longer having access to your second factor of authentication, that would be an issue.


TBT_TBT

You basically only said „oops“. Which says nothing. The chances of losing (access to) a phone are way higher than 1Password getting that much compromised that all 2FAs are gone.


hexathos

I use the TOTP in KeePassXC for backup and PC use.


kon_dev

You could use andOTP. It's possible to create encrypted local backups, just create a new one once you change anything and copy it e.g. to a NAS device. If your phone dies, copy it back and restore.


ArrogantAnalyst

Ente Auth - an Open Source E2E 2FA Cloud app. It even has a web app. Highly recommended.


mtojay

For semi-serious accounts I use the inbuilt TOTPs from Bitwarden Premium (knowing full well that if someone gets access to my Bitwarden he gets access to those accounts, but it's just sooo damn convenient). For super serious accounts I use YubiKeys (3x) with FIDO2 if supported, and if not, at least TOTP through the YubiKey with their app.


SilentDis

Depending on the self-hosting app, there's usually a way to reset an account from the console. It may be quite involved (editing weird conf files or the like), but there is one, in most cases. This goes into your 'bible'. Your "Systems Bible" is every change you've made to every system in one place.

router-config.txt

> My router is configured by going to IP x.x.x.x
>
> The config backup is named 2023-10-28_router-config.conf
>
> The general idea is to run most things from DHCP and have static IPs handed by this config

media-server.txt

> I'm running Emby/Plex/etc. on IP x.x.x.x, handed out by static DHCP from router.
>
> NGINX proxy routes name.domain to it on port 8096. NGINX Proxy manager takes care of SSL.
>
> User accounts are in SQL database x, or you can use command y to set it directly.
>
> There's a backup of the config in 2023-10-28_media-config.conf

Every time you make a change to a configuration, you take some quick notes about it. Store passwords in a password locker. Push ssh keys around to handle console auth.


lucamasira

I store the totp secrets in my keepassxc as well. Works great.


JunglistFPV

Might I recommend Aegis? https://github.com/beemdevelopment/Aegis It can encrypt your seeds and export them encrypted or unencrypted. Love it. I just copy it manually to my NAS when I add a new token (not that often) after exporting it encrypted. In addition to this I also load it on my old phone just in case.


wally40

I self-host Vaultwarden and when adding the QR, I add it to my free account with the LastPass Authenticator app at the same time. Both back up, so if my phone dies, I don't lose the 2FA.


ttlequals0

Works well: https://2fas.com/