If someone has hacked your shitty corporate cloud account and got your keys in the process, you can be sure they've probably already used your credentials to change your phone number to another sim or simply access your emails
No, you cannot login anywhere with only the 2FA code. They also need your password to login. So the hacker will need to hack my e-mail and authy.
Hang on, real world scenario here based on the "average" user that only bothers with
crap "convenient" security.
- Either the user uses the same password for everything and never changes it, they were pwned years ago and don't even realise it.
- The user is smarter and uses a different password for each login, but obviously can't remember them all, so they are backed up in a cloud. .
The first user is a small snack for hackers and phishers, the second user is smarter but their 2fa is still backed up in "the cloud", and therefore likely so are their unique passwords.
Consider the second user when their cloud gets hacked a full course meal compared to snacking on dumb users that haven't changed a password once in their life.
You don't own your phone number or email address, but you can own private keys. End rant.
Backing up the private key for dozens of different services is a pain in the ass. If you back it up in a computer, or in a cloud service, it is the same to use authy. If you print everything... man, thats just crazy imo.
Security must be convenient. Excess security will lead to low security in long term, imo.
Each to their own, I respect your opinion but in mine if security is convenient it's because it's probably crap.
It's also overlooking the convenience of merely backing up your 2fa keyring, not necessarily each individual key one by one. It's far from a pain in the ass imo.
This mentality for me is part of the "yale lock theory". A small analogy to follow here.
Nightlatches are so convenient as locks: you don't have to turn a key to close them, they even close on their own. They are cheap, affordable, everyone knows how to use them and people rarely have a problem with them. The reality is you can pick these locks in minutes, that's why it's suggested to have a mortis or euro barrel-based lock. The latter aren't as convenient, they take more time to use, require more maintenance, but they are much more likely to secure your property. Ever noticed how locksmiths can pick your yale lock within minutes and without any brute force? This is what 2fa cloud backups remind me of, relying on a third party to secure your property for you, while they retain access for others.
Ever wondered why banks use vaults and time-consuming multi-login procedures, why cold storage exists etc? For me it's the same principles that apply here. But again this is just me who likes to secure my personal data with banking level security
[edit: as in keybanks], as I do with cryptoassets. I don't feel the values are so different to me at least.
Security has nothing to with centralization imo. Google 2FA is secure. It is so secure that even you may be unable to login in your account forever if you lose your phone and you didn't back up the key.
Yes this is the sort of security I like. If you don't have the key, you don't have access to my data. Period.
