For some time I have been slowly thinking about disaster recovery, and now following such a situation happening to my wife I have sped up the process. I am hoping some discussion can help me work through the possible solutions.
The scenario I am specifically looking at is if I am traveling, so I am away from any backups and I lose my things. I now need to get myself running again. As I see it the key requirement is to get 2FA. Once I have those, I can get my passwords and from there things are easier. Two ideas which occur to me are:
Use Ente Auth so I have cross platform access (and even web access) but would need a password only email for the 2FA to get into Ente.
Using the same password only email I could keep an email with a Keepass file of 2FA codes, again for cross platform support.
I am interested if others have thought through this type of situation and what input you could give.
For what it’s worth, you can disable the email 2FA requirement for Ente, though it’s important to note that this currently only disables it for the regular login process using your password, not for the password reset process using the recovery code they give you.
This is one of the areas I need to think about more. I normally would prefer some 2FA especially on something “important”, but 2FA becomes a problem when trying to recover from a disaster. I was thinking having the email 2FA, so effectively needing 2 passwords to get to Ente makes it more secure and makes me feel more comfortable having the information in the cloud.
My passwords primarily reside in 1Password. I have Bitwarden Free as first backup and Proton Pass as secondary. I am keeping my Secret Key in Proton Drive and OneDrive Premium. I have 6x Yubikeys, 2x for each Password Manager. I am also storing my Password Manager master passwords as static passwords in my Yubis. My wife is registered as emergency contact for my 1Pass and she has a similar setup except for Bitwarden.
Yubikeys were so cheap with the Cloudflare deal, so I bought a lot.
Both TOTP and passwords from a password manager should be relatively simple to back up and access remotely. Most of the recommended apps / programs on PG for both of those offer the ability to export an encrypted backup.
Once you have the backup you could keep it in a multitude of easily accessible places such as
a secure thumb drive
an E2EE cloud storage provider
local storage that you can securely tunnel into via something like WireGuard.
For me, I have backups on a physical thumb drive and in cloud storage. I also have an “in-case of emergencies” document which we keep with other important physical documents so that my partner could also access any of this info on the off chance I am not around to do so.
The real key is being diligent about keeping up-to-date backups. I try to back up / update on a weekly basis.
I think the ideal solution would be a cloud-based TOTP service that can be unlocked with biometrics without depending on your device.
Then you’d have a structure like this:
Files and emails are in the cloud. Protected by password and 2FA (let’s say TOTP 2FA).
You use Bitwarden or Proton Pass to keep your passwords and 2FA seeds and these are encrypted but in the cloud.
Your master password for the password manager is something you know and won’t forget. However, you obviously should also secure the login with a form of 2FA so that your master password can’t be guessed or keylogged. But then imagine that your house burns down and you end up with nothing but the clothes on your body. How do you get into your password manager to then get access again to your email account, cloud storage and so on?
What kind of 2FA should secure your password manager?
2FA via email → useless because you are not logged in to your email anywhere (all devices destroyed) and your account is secured with a random passphrase and TOTP, which is in your inaccessible password manager
2FA via TOTP → this could work if you had a second cloud-based password manager with a different master password. So let’s say you use Bitwarden as your password manager and TOTP seed storage, and Bitwarden itself is secured by your master password and TOTP, then you could use another product like Proton Pass to only store your Bitwarden TOTP. However, you should of course use a different master password for Proton Pass. But will you remember this second master password if you never use it? Maybe not, and you’ll remain locked out.
2FA via SMS → this is normally discouraged because of the threat of SMS cloning, but actually it might not be so stupid in this case, because you could potentially get a replacement SIM from your provider if you can prove to them that you are really yourself (this is assuming you still have some kind of ID or can get a replacement ID).
2FA via Yubikey → assume it burned down in your house as well
2FA via biometrics → this would be the best and easiest way
But unfortunately there isn’t a real standard, so you can’t just set up “biometrics” 2FA for your (let’s say) Bitwarden account. There’s passkeys that are connected to your biometrics but if I understand it correctly, you still lose your passkey if you lose access to your device and/or Google/Apple account in a disaster.
Thank you for the comments. I would like to refocus the discussion. I am considering specifically the case where I am traveling and I lose everything, for example my bag with everything inside is stolen. So while I have offsite backups near home, when traveling I don’t have backups, my security key has been stolen and so on.
One way you could do this is to make a recovery email (no 2FA on this email, just a high entropy memorized password) and make that email your emergency contact for something like Bitwarden.
You could also have it be an actual trusted person (instead of just another email account) if you're assuming that person will be easier to contact after everything is stolen instead of using publicly available resources to access this emergency email.
Even if you can’t access the email tied to your Bitwarden account to manually allow the emergency contact in, after everything is stolen, you should be able to set it up to allow the emergency contact to access it after a certain time period.
Grantor is notified of request via email. The grantor may manually approve the request at any time, otherwise the request is bound by a grantor-specified wait time. When the request is approved or the wait time lapses, the public-key-encrypted master key is delivered to grantee for decryption with grantee’s private key.
You could then have the access set to be view only and only for the specified entries you would need to regain access. For example, you could set it to be one entry with one recovery code for your vault, so that you can get in and then access the rest of your accounts.
Depending on the specified user access level, the grantee will either:
Obtain view/read access to items in the grantor’s vault (view).
Be asked to create a new master password for the grantor’s vault (takeover).
Even if you have to do this on a public machine, your emergency contact's useful information basically expires after you use the recovery code. Once you have control of the accounts, you could always change the master password, and update the recovery code for your contact, once you have a secure way of doing so.
This may be more convoluted than needed, so I'll be interested to see what others say.
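The grantor/grantee flow quoted above, modelled as an added example (my code, written for this thread, not Bitwarden's): the grantee keeps an RSA key pair, the grantor wraps the vault's master key with the grantee's public key and stores only that ciphertext together with a wait time and access level, a request is released once the grantor approves it or the wait time lapses, and only the grantee's private key can unwrap the result. The type and function names, the choice of RSA-OAEP, the time handling and the sample key bytes are all my assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// oaepLabel binds the wrapped key to this purpose; an assumed constant.
var oaepLabel = []byte("emergency-access")

// ErrWaitPending is returned while the grantor has neither approved the
// request nor let the wait time lapse.
var ErrWaitPending = errors.New("emergency access request still pending")

// Grantee is the trusted contact. Only they hold the private key.
type Grantee struct {
	priv *rsa.PrivateKey
}

// NewGrantee generates the grantee's key pair (2048-bit RSA, an assumption).
func NewGrantee() (*Grantee, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Grantee{priv: k}, nil
}

// PublicKey is what the grantee hands to the grantor when access is set up.
func (g *Grantee) PublicKey() *rsa.PublicKey { return &g.priv.PublicKey }

// Unwrap recovers the master key; it fails for any other grantee's key.
func (g *Grantee) Unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, g.priv, wrapped, oaepLabel)
}

// EmergencyGrant is everything the service needs to store: the master key
// encrypted to the grantee, plus the grantor-specified policy. The service
// never holds the plaintext master key.
type EmergencyGrant struct {
	WrappedKey  []byte
	WaitTime    time.Duration
	AccessLevel string // "view" or "takeover", as in the quoted docs
}

// AccessRequest records when the grantee asked and whether the grantor
// approved manually.
type AccessRequest struct {
	RequestedAt time.Time
	Approved    bool
}

// CreateGrant is the grantor's setup step: wrap the vault master key to the
// grantee's public key so that only the grantee can ever read it.
func CreateGrant(masterKey []byte, granteePub *rsa.PublicKey, wait time.Duration, level string) (*EmergencyGrant, error) {
	if level != "view" && level != "takeover" {
		return nil, fmt.Errorf("unknown access level %q", level)
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, granteePub, masterKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &EmergencyGrant{WrappedKey: wrapped, WaitTime: wait, AccessLevel: level}, nil
}

// Release is the service-side decision: hand over the wrapped key only if the
// grantor approved or the wait time has lapsed; otherwise keep it pending.
func (e *EmergencyGrant) Release(req AccessRequest, now time.Time) ([]byte, error) {
	deadline := req.RequestedAt.Add(e.WaitTime)
	if req.Approved || !now.Before(deadline) {
		return e.WrappedKey, nil
	}
	return nil, ErrWaitPending
}

func main() {
	grantee, _ := NewGrantee()
	// Constructed sample master key; a real vault derives this from the master password.
	master := []byte("constructed-32-byte-master-key!!")
	grant, _ := CreateGrant(master, grantee.PublicKey(), 48*time.Hour, "view")
	req := AccessRequest{RequestedAt: time.Now()}
	if _, err := grant.Release(req, time.Now().Add(time.Hour)); err != nil {
		fmt.Println("after 1h without approval:", err)
	}
	wrapped, _ := grant.Release(req, time.Now().Add(49*time.Hour))
	got, _ := grantee.Unwrap(wrapped)
	fmt.Println("after wait lapses, grantee recovers master key:", string(got) == string(master))
}
```

The point the model makes clear is that an unused grantee key pair (or the grantor's own recovery email) is the only secret that has to survive the trip: the wait time protects against a request the grantor did not intend, and the wrapped key is useless to anyone without the grantee's private key.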
Thank you @Parish2555 that got the brain turning. I am thinking I could set up a free Bitwarden or Proton Pass account with no 2FA and some fake entries and fake TOTP secrets except for one which is the one for my password manager (not stored under the correct entry of course). This gives fast access with minimal risk, I would just need to remember the master password for the fake password manager and which entry has the required TOTP secret. Hopefully there will be more replies to get the brain going some more!
I am not sure this provides much other than security theater. Assuming someone has access to this vault and knows there is a recovery code, a few fake ones is not going to stop them. Even if they could not find anything of use to them, if the party involved knows it's useful to you or assumes it is, since it's a password manager vault, it could still easily be leveraged against you.
To me, the much bigger threat of being compromised is from stuff that is already stolen, such as the possibility your phone is not in a BFU state when it is stolen, or your personal email / vault open on your laptop at the time, than a threat actor also gaining access to this recovery method. This is why I would recommend against adding extra barriers to being able to get into what you need as fast as possible.
I don’t think this is any more security theater than the other methods. My idea was to have 100+ logins all of which worked, but none of them is tied to me. Just one entry would have a TOTP secret which was not used. However you do make a good point that being a password manager makes it more attractive. May be best to use an email account and a bunch of emails to hide a code in.
Agree that if my devices are stolen I need to be able to deactivate things / change passwords as quickly as possible. That accursed phone is most likely switched on and an easy target. I have not given this area as much thought as needed, though a lot of this is a different conversation.
Fair enough. Maybe it's less confusing to you than it is to me, but I would be worried all these fake tokens etc. would end up tricking myself if I was in a panic trying to recover my stuff.
My mindset is that this type of situation is more about data recovery than data security. Data security would have been not losing access in the first place.
Whatever you choose, just make sure you have verified that you can use it to get access with nothing else around. One thing I like about Bitwarden's method is you can trust it works.
Not sure what kind of phone you use. I know with GrapheneOS there is a setting to have the phone auto reboot if it has not been interacted with for a specific time. If that's not an option, most password managers also have a lock / auto logout feature that you can set to be quick, so that there is very little chance those are accessible even if the phone is unlocked.
I have 2 separate KeePass databases, one for passwords, one for TOTP codes. Synced across my devices (phone, laptop, desktop PC), also regularly backed up to a USB drive on my keychain, external HDD, cloud (encrypted) and my parents' computer in another country.
My backup config file (Kopia backup via webdav) is also there, so I’m able to get my files from a new device and/or new location.
One family member knows where to find master passwords if needed.
Besides my physical drives, I also backup my accounts-stuff (encrypted ofc) on a cloud folder. Many cloud providers allow you to create a link to access that folder. In case those links are long, you can also create a short, memorable link that is able to lead to that link. So technically I just need a browser to access my stuff.
I’m assuming you would be able to call your wife on a phone if all your things were stolen (and well, this would probably happen anyway to let her know what happened).
Set her up in advance with means to get into your password vault. You can do any combination of sharing the password itself or just having it somewhere safe and accessible, and having a backup code (or other 2FA method) available as well. Example:
password printed on paper somewhere in house
TOTP already saved/active on wife’s phone
I also think taking advantage of the emergency contact feature some password managers have would be a good idea, probably even easier than the above if the contact can be trusted to secure their own BW account.
I would do this instead of any method involving remembering a break-glass email account name and password because IMO, in such a situation you might have trouble remembering, and that might cause mounting panic in an already bad situation. I imagine finding or borrowing a phone that you can use would be possible (accessible via hotel/wherever you’re staying, kind stranger, etc) since in this situation we’re assuming a computer is accessible as well.
Often communication is via email. In addition, due to her shift work it could be 24-30 hours before I get a reply, especially if it is something she needs to do from home. Hence I am looking at being self sufficient.
I believe Deviant Ollam has a video that goes over part of this called Lawyer, Passport, Locksmith, Gun. He goes over a few scenarios similar to what you’ve mentioned and some possible solutions and plans for handling it.
Then I think a link to your backup folder on the cloud would be the most minimal step to get your stuff, in case you can’t access any required device.