So far, I use mine only for my password manager, and use TOTP for everything else. It is a pretty convenient balance, and
But this is just stage one, I plan to consider other accounts as I become more familiar and comfortable with hardware 2fa, and as I think through my strategy. Strong contenders for future use are (1) Primary E-mail (2) Github (3) AppleID (4) possibly some local stuff related to a linux server (5) ideally financial services, but I don’t expect my banks will ever support hardware 2fa.
I want to use them at banks where it matters most but the banks want SMS 2FA and all local banks available in my country only have SMS 2FA or same device 2FA which is only a slight advantage over SMS…
I think I have them on about 10-ish accounts. I store my TOTP secrets there as well.
If you are asking me? I use my password manager for TOTP. If you are asking @HauntSanctuaryI think they are saying they use a Yubikey (or equivalent) to store their TOTP secrets.
There is a Yubikey app for Android/iOS/Desktop OSes that can playback TOTP for you. But once it is in, you cant re-extract the secret key. You’d have to remove the TOTP on the specific account service setting and re-enroll/re-activate it to get a new secret.
Bitwarden and almost nothing else because nothing else I use supports it. I used it for Google when I used Google.
I want to use them at banks where it matters most but the banks want SMS 2FA and all local banks available in my country only have SMS 2FA or same device 2FA which is only a slight advantage over SMS…
My bank offers SMS 2FA or in-app TOTP, but when I went into the branch, I saw employees sign in to their computers with a Yubikey. I don’t think the bank has enough confidence in their customers’ resourcefulness to implement Yubikey 2FA for bank accounts.
Agreed. That is probably a fair and accurate analysis. For a typical bank the amount of customers who even know what hardware 2fa is–let alone who would take advantage of it if it was an option–is probably closer to 0% than 1% for most banks. Still it would be great if it was offered as an option for those who want or need something other than SMS or E-mail 2fa.
I use it for the accounts that if compromised, could compromise the rest of my accounts: my password manager, current and old email providers and domain registrar. For the rest of places, I use TOPT (if they support it) stored in my password manager
I put my TOTP in KeePassXC for a minute, but then I didn’t like the idea of everything being in a single app,even though i see it as being extremely secure since I only have the database in my cloud, phone, and laptop that stays at home. Very very very small chance of someone ever getting it.
I keep my TOTP in Yubico Authenticator, but I keep a copy of the secret key in my password manager.
I keep my TOTP in Yubico Authenticator, but I keep a copy of the secret key in my password manager so I can use it with a different app if I ever want to.
I think it may be best if you keep the TOTP secret in another database with a different password from your main .kdbx file. Otherwise it will be functionally the same thing and the attacker just need to take another step.
Alternatively you can print it but consider using an older printer with less/no telemetry compared to the “modern” printers that connects to the internet and do telemery (looking at you HP, Epson and Canon).