I am already using 31 services with second-factor authentication, and the number is growing. In addition to having multiple authentication devices, I decided to, or had to, generate a separate set of one-time backup codes (let's call them OTBC). I use a password manager with 2FA to store all my passwords. I run the password manager only on machines I own and manage. However, I am mobile, so I cannot use a physical vault (for example to store printed OTBC). The password manager introduced its own set of OTBC.

I am considering what the best practice is for securely managing OTBC. I assume I may lose all 2FA devices, and this should not prevent me from accessing the services using the OTBC. It is my understanding that OTBC should be treated with the same level of security precautions as passwords. One of the purposes of 2FA is protection against the use of passwords obtained by breaching the password manager on non-authenticated devices.

So OTBC for the respective services cannot be stored alongside their passwords in the password manager; otherwise this would render 2FA non-existent. As a result, I need two separate password managers: one for passwords, one for OTBC. Now, each of the password managers introduces its own set of OTBC (to back up the 2FA for the master password), which cannot be memorized. They should be stored outside of their respective password manager databases. So I can either store them outside of the system or in a cross-fashion:

Passwords-DB <= passwords for services + OTBC for OTBC-DB
OTBC-DB <= OTBC for services + OTBC for Passwords-DB

Provided the passwords (one for Passwords-DB and one for OTBC-DB) are not stored outside of my brain, is this the simplest method for managing OTBC, and are there any security flaws or hidden risks in this scheme?

The problem with storing OTBC on-device is that if your device is compromised software-wise, e.g. virus infection, trojan, copy attack etc., then you are toast. Note that once you unlock Passwords-DB, a malicious entity could access the OTBC for the OTBC-DB and then access that too. My suggestion for securely managing these is to use 2 separate databases, one for OTBC and one for passwords/2FA. Of course, you do NOT access the OTBC database unless absolutely necessary. The OTBC for both these password managers you store in an encrypted text file. In the same text file you store the seed for the OTBC-DB, i.e. you do NOT have 2FA access to the OTBC-DB unless in an absolute emergency.
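The question asks whether the cross-fashion scheme has hidden risks. As an added example (not code from the question or the answer above), the following Python model encodes the unlock rules of the two databases, a 2FA-protected service, and the answer's encrypted backup file as an AND/OR dependency graph, then computes by fixed-point closure what the holder of a given set of secrets can reach. All identifiers (`pw_passwords_db`, `otbc_otbc_db`, `file_passphrase`, and so on) are hypothetical labels for the secrets the thread describes. The closure reproduces the answer's warning (an attacker holding both master passwords plus the contents of the unlocked Passwords-DB reaches OTBC-DB and then the services) and also makes visible a consequence of the cross scheme that follows from its own structure: if every 2FA device is lost, each database's backup codes sit inside the other database, so neither opens. Keeping both sets of codes in a separate encrypted file, as the answer suggests, breaks that cycle, at the cost that the file passphrase becomes the secret whose capture on a compromised device gives everything away.

```python
"""Reachability model of the two OTBC storage schemes discussed in the thread.

Added example with hypothetical names; it is not the question's or the
answer's own code. A Container opens when every secret in needs_all is held
and at least one secret in needs_any is held (an empty needs_any means no
second factor is required); opening it grants the secrets it contains.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Container:
    name: str
    needs_all: frozenset   # master password(s): all required
    needs_any: frozenset   # second factors: any one suffices
    grants: frozenset      # secrets obtained once the container is open


def reachable(containers, held):
    """Fixed-point closure: keep opening containers until nothing new opens.

    Returns every secret and container name the holder of `held` ends up with.
    """
    held = set(held)
    progress = True
    while progress:
        progress = False
        for c in containers:
            if c.name in held:
                continue
            second_factor_ok = not c.needs_any or bool(c.needs_any & held)
            if c.needs_all <= held and second_factor_ok:
                held.add(c.name)
                held |= c.grants
                progress = True
    return frozenset(held)


def can_log_in(containers, held):
    """True if the holder of `held` can reach a 2FA-protected service account."""
    return "service-account" in reachable(containers, held)


def contents_of(containers, name):
    """Secrets an attacker obtains from a copy of the named container, unlocked."""
    return next(c.grants for c in containers if c.name == name)


# A 2FA-protected service: its password plus either a device or its OTBC.
SERVICE = Container("service-account",
                    needs_all=frozenset({"service_passwords"}),
                    needs_any=frozenset({"2fa_device", "service_otbc"}),
                    grants=frozenset())

# Scheme 1: the question's cross-fashion storage. Each DB holds the other's codes.
CROSS = (
    Container("Passwords-DB",
              needs_all=frozenset({"pw_passwords_db"}),
              needs_any=frozenset({"2fa_device", "otbc_passwords_db"}),
              grants=frozenset({"service_passwords", "otbc_otbc_db"})),
    Container("OTBC-DB",
              needs_all=frozenset({"pw_otbc_db"}),
              needs_any=frozenset({"2fa_device", "otbc_otbc_db"}),
              grants=frozenset({"service_otbc", "otbc_passwords_db"})),
    SERVICE,
)

# Scheme 2: the answer's variant. Both DBs' codes live in one encrypted file.
FILE_BACKED = (
    Container("Passwords-DB",
              needs_all=frozenset({"pw_passwords_db"}),
              needs_any=frozenset({"2fa_device", "otbc_passwords_db"}),
              grants=frozenset({"service_passwords"})),
    Container("OTBC-DB",
              needs_all=frozenset({"pw_otbc_db"}),
              needs_any=frozenset({"2fa_device", "otbc_otbc_db"}),
              grants=frozenset({"service_otbc"})),
    Container("backup-file",
              needs_all=frozenset({"file_passphrase"}),
              needs_any=frozenset(),
              grants=frozenset({"otbc_passwords_db", "otbc_otbc_db"})),
    SERVICE,
)


def scenarios(scheme):
    """Constructed starting positions for an attacker and for the owner."""
    stolen = contents_of(scheme, "Passwords-DB")          # copy of the unlocked DB, no master passwords
    masters = frozenset({"pw_passwords_db", "pw_otbc_db"})  # both memorised master passwords
    return {
        "attacker: copy of unlocked Passwords-DB": can_log_in(scheme, stolen),
        "attacker: that copy + both master passwords": can_log_in(scheme, stolen | masters),
        "attacker: that copy + masters + file passphrase": can_log_in(scheme, stolen | masters | {"file_passphrase"}),
        "owner: master passwords only, all devices lost": can_log_in(scheme, masters),
        "owner: masters + file passphrase, all devices lost": can_log_in(scheme, masters | {"file_passphrase"}),
    }


if __name__ == "__main__":
    for label, scheme in (("cross-fashion", CROSS), ("encrypted file", FILE_BACKED)):
        print(f"{label}:")
        for case, outcome in scenarios(scheme).items():
            print(f"  {case:55} -> {'reaches account' if outcome else 'blocked'}")
```

Running the block prints one row per scenario for each scheme; the row worth reading in the cross-fashion column is the owner with master passwords only and all devices lost, which stays blocked, while the same owner under the file-backed scheme gets through once the file passphrase is added. The model deliberately treats the file and the databases as on-device: it says nothing about where the file is kept, which is the question the answer's "you are toast" remark is really about.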