Benad's Web Site

Two-factor authentication used to be required only for "high security" environments, like the military or banking. Usually in the form of a physical "key fob", it was a dedicated "something you have" as the second factor. And then, in the early 2010s, Google released their Google Authenticator app, using your phone as the "second factor". Since its early versions were open source, its core code-generation algorithm, TOTP, was eventually formalized in RFC 6238 and gained wide adoption.

The core problem of that "something you have" as a second factor is that it can be lost, or has to be replaced, both of which often happen with cellphones. What can also happen is that the TOTP app has a bug and wipes out your keys, something that happened in an early version of Google Authenticator.

The recovery process varies from one site using TOTP to another, though it usually involves using some "recovery codes" you should keep in a safe place. This was fine when a user had only a handful of two-factor protected accounts, but nowadays, as two-factor is becoming mandatory on many sites, even for just downloading a free game, recovering dozens of accounts can become tedious.

So, should there be a way to back up and synchronize those two-factor keys? In its original physical key fob form, part of its high security was that it was not only physical, but almost impossible to duplicate. If you could transfer and copy your "software key fobs", then you add the additional risk that somebody could steal both your keys and your password. Still, a few two-factor apps offered to back up and sync your keys, encrypted with another password, for example Authy and Microsoft Authenticator, and now even some password managers like Bitwarden, LastPass and 1Password.

This does raise the issue of "vendor lock-in", in that the keys stored in one two-factor authenticator app may not be transferable to another app. While this could be done by design to make it difficult to extract the codes from a device, tying something that valuable to an app that could charge a subscription and increase its pricing at any time is quite a risk. While Authy is still free, it is closed-source and some of us don't want to trust its business model. So, some code was developed to extract Authy keys from its desktop app. I used this to copy my TOTP keys to another password manager for safekeeping.
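To make concrete what a "software key fob" actually holds, and why keys are portable between apps at all, here is an added example (my own code, not from this post or from Authy, Google Authenticator, or any password manager) that implements the RFC 6238 TOTP algorithm mentioned above, a server-side check with a small clock-drift window, and a parser for the `otpauth://totp/...` key URI that authenticator apps commonly use to import and export secrets. The secret is the ASCII string from RFC 6238's own test vectors, and the `otpauth` URI built at the bottom is constructed for the example; the function names are mine.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, unquote, urlparse

# The shared secret used by the RFC 6238 Appendix B test vectors (ASCII
# "12345678901234567890"). Constructed for the example; not a real key.
RFC6238_SECRET = b"12345678901234567890"

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    binary = ((mac[offset] & 0x7F) << 24          # mask the sign bit
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: Optional[int] = None,
                step: int = 30, digits: int = 6, algorithm: str = "SHA1",
                window: int = 1) -> bool:
    """Server-side check: accept the current step and up to `window` steps on either
    side (the phone's clock drifts), comparing in constant time."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Apps exchange secrets as (often unpadded) base32; restore the padding and decode."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth_uri(uri: str) -> Dict[str, object]:
    """Parse an otpauth://totp/<label>?secret=...&issuer=... key URI.
    Parameters that are absent take the defaults apps assume (SHA1, 6 digits, 30 s)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(parsed.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    issuer = params.get("issuer")
    account = label
    if ":" in label:                              # label may be "Issuer:account"
        label_issuer, account = label.split(":", 1)
        issuer = issuer or label_issuer
    return {
        "issuer": issuer,
        "account": account.strip(),
        "secret": secret_from_base32(params["secret"]),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def code_from_uri(uri: str, unix_time: Optional[int] = None) -> str:
    """Generate the current code for a key described by an otpauth URI."""
    k = parse_otpauth_uri(uri)
    return totp(k["secret"], unix_time, k["period"], k["digits"], k["algorithm"])


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors: SHA1, 8 digits, 30 s step.
    print(totp(RFC6238_SECRET, 59, digits=8))           # 94287082
    print(totp(RFC6238_SECRET, 1111111109, digits=8))   # 07081804
    # A constructed export URI carrying the same secret, as an app would emit it.
    uri = ("otpauth://totp/Example:alice%40example.com?secret="
           + base64.b32encode(RFC6238_SECRET).decode().rstrip("=")
           + "&issuer=Example&digits=8")
    print(parse_otpauth_uri(uri)["account"])            # alice@example.com
    print(code_from_uri(uri, 59))                       # 94287082
```

The point for backup and portability is that everything an authenticator app needs is the raw secret plus three small parameters (hash, digits, period); any app that can read this URI can regenerate identical codes, which is exactly why a copied secret is as sensitive as the password it backs. The `window` in `verify_totp` is the tolerance a server grants for clock drift; a larger window makes a stolen code usable for longer, so it should stay small.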

Published on May 18, 2020 at 18:32 EDT
