Certified Security - Specialty

Saving A 2FA Seed

For those who are interested, another way to save your 2FA seed is a KeePass-compatible application (KeePass, KeePassX, etc.).

Alexandre Rivaben

What about using some kind of third-party MFA authentication such as Authy with auto-backups, for instance? Is it safe enough?

Justin Christian

From my reading, the methodology they’re using to encrypt your stuff is sound (encrypt before anything leaves the device, they don’t store unencrypted data on their infrastructure, etc.). From a security perspective, I’d say there’s no reason not to use them, especially since they’ve been around for a while, and I don’t recall any serious badness happening with them. On a personal level, I’ve had usability issues with Authy in the past, including a weird instance where it looked like my seeds were all backed up, but the versions were wrong. I’m fairly certain that was a case of PEBKAC, but I still prefer to use a method I control – that way, if something goes wrong, there is only one person to blame 🙂

The option mentioned in the video by Ryan could be a potential security breach if the permissions to that S3 bucket are not configured appropriately. So the way mentioned here, storing the information in a secure application, seems to be way more appropriate.

Nevertheless, storing a 2FA/MFA seed seems to be not a good idea in general, if you ask me.

Justin Christian

Fair enough – it’s the classic CIA tradeoff. If I lose or wipe my phone, I want the seeds to be available to me so I don’t have to go through the rigmarole of unenrolling the phone and re-enrolling. To me personally, that’s worth a small bit of loss of Confidentiality and the potential to lose Integrity, though I would argue that a long, strong passphrase on the database goes a long way towards mitigating the threat. All of that being said, if you’re looking at Enterprise management, something like the root MFA should always be a physical token so you avoid this issue altogether.
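As an added example (not from the thread or the course), here is a small Python check for the Integrity concern raised above: regenerate the TOTP code from the seed you stored in the password database and compare it with the code the live authenticator displays at the same moment, so a wrong or stale backup is caught while the phone still works. The seed is the RFC 6238 test key; the second seed is a constructed one-character typo of it.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 / RFC 4226 test key ("12345678901234567890") in base32.
RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed: same seed with the last character mistyped (Q -> A).
TYPO_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJA"


def totp(seed_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 seed at Unix time `at`."""
    cleaned = seed_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def backup_matches(displayed_code: str, backup_seed_b32: str, at: int,
                   skew_steps: int = 1) -> bool:
    """Check a code read off the live authenticator against the stored seed.

    Accepts +/- `skew_steps` 30-second windows so a slightly slow clock does
    not fail the check; a wrong, stale or mis-encoded seed still fails it."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(backup_seed_b32, at + delta * 30)
        if hmac.compare_digest(candidate, displayed_code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    # In practice `shown` is typed in from the phone; here it is generated.
    shown = totp(RFC_SEED, now)
    print("backup OK:", backup_matches(shown, RFC_SEED, now))   # True
    print("typo OK:", backup_matches(shown, TYPO_SEED, now))    # False
```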

