I use this, a couple of tips: set up a fingerprint unlock so you dont have to type a pin everytime; and I advise not to keep your TOTP codes only in a phone app, you can save them in KeepassXC on your pc for example.
If both your password and TOTP code are saved in the same place, that’s a single attack vector. Saving your TOTP codes in Keepass destroys the second factor part of the protection.
You can setup regular auto backups along with syncthing to keep it safe. That’s what I am doing so to store the file in multiple devices and locations.
I love syncthing, so versatile. I don’t backup the Aegis database with it only because my TOTPs are already in Keepass and because Aegis is backed up by Seedvault already (Lineageos)
Keeping it on physical paper helps in almost all cases.
1 - It separates the backups from the internet, helping prevent security vulnerabilities from stealing your MFA codes. Cloud backups along with cloud passwords means you would get caught up in any major data breach.
2 - It allows you to set up a new device without needing to have the old device. If you lost/broke your phone, then those local QR code exports are gone.
3 - People generally know how to keep physical things safe. You can put them in a bank’s safety deposit box, in a fire safe, or just in a folder in your desk. As long as they’re not also sitting near your passwords, they’re pretty useless to most people, and the likelihood that someone is going to physically try to swipe your account data is extremely low.
I also avoid the cloud for this type of stuff (so no Bitwarden on someone else’s server). All my disks are encrypted at rest, and I keep the TOTPs both in Keepass and in Aegis. Both are backed up on machines/disks I control (via Syncthing and Seedvault mostly)
I have some of the NFC/USB sticks Token2 make.
Which are neat, as you can stick the seeds on there, then retrieve them so long as you have physical access, and the passkey.
I use this, a couple of tips: set up a fingerprint unlock so you dont have to type a pin everytime; and I advise not to keep your TOTP codes only in a phone app, you can save them in KeepassXC on your pc for example.
If both your password and TOTP code are saved in the same place, that’s a single attack vector. Saving your TOTP codes in Keepass destroys the second factor part of the protection.
You can setup regular auto backups along with syncthing to keep it safe. That’s what I am doing so to store the file in multiple devices and locations.
I love syncthing, so versatile. I don’t backup the Aegis database with it only because my TOTPs are already in Keepass and because Aegis is backed up by Seedvault already (Lineageos)
Physically print out the setup QR codes, and keep them safe.
Old school, I like it. Of course KeepassXC can also show the QR codes :)
Keeping it on physical paper helps in almost all cases.
1 - It separates the backups from the internet, helping prevent security vulnerabilities from stealing your MFA codes. Cloud backups along with cloud passwords means you would get caught up in any major data breach.
2 - It allows you to set up a new device without needing to have the old device. If you lost/broke your phone, then those local QR code exports are gone.
3 - People generally know how to keep physical things safe. You can put them in a bank’s safety deposit box, in a fire safe, or just in a folder in your desk. As long as they’re not also sitting near your passwords, they’re pretty useless to most people, and the likelihood that someone is going to physically try to swipe your account data is extremely low.
Great suggestions all around.
I also avoid the cloud for this type of stuff (so no Bitwarden on someone else’s server). All my disks are encrypted at rest, and I keep the TOTPs both in Keepass and in Aegis. Both are backed up on machines/disks I control (via Syncthing and Seedvault mostly)
I have some of the NFC/USB sticks Token2 make.
Which are neat, as you can stick the seeds on there, then retrieve them so long as you have physical access, and the passkey.