How do you back up your 2FA backup codes?
I usually hash the file and upload it to my iCloud and OneDrive. Of course, a printed version of it always exists in my home or travel suitcase if I travel.
The two most anti-privacy cloud storages… just in the wrong order: OneDrive is far worse than iCloud when it comes to respecting privacy.
I use Stratum Auth (formerly Authenticator Pro), and it can automatically back up when changes are made. I upload that backup file to Proton Drive.
I’ve also written down my Bitwarden (to access the password which I used to encrypt the backup) and Proton (to access Drive) passwords and TOTP secrets (to be able to use BW & Proton TOTPs in case something happens).
Encrypt with tird and store in public.
Although OneDrive is a terrible cloud storage provider, you can use Cryptomator with it.
@Astatine I may be wrong, but cannot one use Cryptomator with any cloud out there?
I upload them to Proton Drive and keep a local copy.
You can use it with any cloud storage provider, and your files will be encrypted with your own key, which is the password you set to unlock it.
I have a second KeePass database, and its password isn’t in my main KeePass database.
I’m exploring some Android apps (Aegis, Ente Auth, Bitwarden Auth), and all have their own backups or export functions.
Edit: Why KeePass? Because KeePass clients that can decrypt are available on just about every platform on earth. Minimal pain to recover.
I’ll take this further: you do not even need a client to decrypt a KeePass DB. All you really need is CLI access and some really basic knowledge.
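The two posts above (backing up the raw TOTP secrets, and needing nothing more than a command line to recover) come down to the same point: with the secret in hand, any machine can regenerate the codes. As an added example, not code from any poster or from the apps named in this thread, here is a standard-library-only RFC 6238 TOTP generator; it assumes the secret is stored in base32, the form authenticator apps export, and is checked against the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def totp_from_secret(secret_b32: str, at: Optional[int] = None, step: int = 30,
                     digits: int = 6, algo: str = "sha1") -> str:
    """Compute an RFC 6238 TOTP code from a base32-encoded secret.

    `at` is a Unix timestamp (defaults to now); `algo` is sha1, sha256 or sha512.
    """
    # Exported secrets are often lowercase, space-grouped, or unpadded;
    # base32 decoding needs uppercase and padding to a multiple of 8 chars.
    clean = secret_b32.replace(" ", "").replace("-", "").upper()
    clean += "=" * (-len(clean) % 8)
    key = base64.b32decode(clean)

    counter = int((time.time() if at is None else at) // step)
    msg = struct.pack(">Q", counter)  # 8-byte big-endian time counter
    digest = hmac.new(key, msg, getattr(hashlib, algo)).digest()

    # Dynamic truncation (RFC 4226 section 5.3): low nibble of the last byte
    # selects a 4-byte window; the top bit is masked to avoid sign issues.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, candidate: str, at: Optional[int] = None,
                window: int = 1, **kw) -> bool:
    """Accept a code from the current step or up to `window` steps either side,
    using a constant-time comparison so timing leaks nothing about the digits."""
    step = kw.get("step", 30)
    now = int(time.time() if at is None else at)
    for k in range(-window, window + 1):
        expected = totp_from_secret(secret_b32, now + k * step, **kw)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# Constructed constant: the RFC 6238 reference secret ("12345678901234567890")
# in base32, the same encoding an app export would contain.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
```

The RFC vectors use 8 digits; real accounts almost always use 6, which is the function's default.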
Yep, the command line would be a client to the database.
One other thing that could be done, if one’s mobile TOTP app has a file export capability, a file could be attached to a Keepass entry and then backed up, perhaps with other sensitive data and the like.
I add them to my password manager.
I create a backup and store it in Proton Drive.
I also store the backup in a Cryptomator vault on a USB drive.
In this context it doesn’t matter, does it? I can’t store it on Proton because that’ll be putting all my eggs in one basket, and I should know better than that. I use OneDrive because Hotmail is my primary email, and I am not planning to change it to Proton or any other operator anytime soon.
If someone can figure out my salts for my different files (content and filenames separately), they probably have earned a right to my 2FA backup codes.
Jokes aside, these are backup codes; if I am using them, something has most likely gone wrong, and in that case, I want to spend as little time as possible restoring my accounts and passwords. Again, this aligns with my threat model and may not apply to others.
I use paper-age to save them both digitally and on paper.
Looks interesting, thanks for sharing!
I actually do the reverse. I use Aegis as the primary. I then downloaded it unencrypted to my host, and then one by one added the entries to a KeePassXC DB. After you do the initial move, each time I have to add a new one, I just add the secret to a new entry in KeePassXC. KeePass AND Aegis backups are in a privacy-respecting cloud.
I just keep a master list of all 2FA secrets in a separate KeePassXC database and sync it to the cloud.
Why not simply export the encrypted Aegis database? Manually entering them into a KDBX database seems like extra effort for no tangible benefit.