
Treat every phone as a burner.



Pretty difficult with 2FA


It seems there is an intentional effort to drive your digital identity and financial identity/history to your mobile device.

This makes social control much less complicated.


I use a cloud-based TOTP (Bitwarden) for exactly this reason. I don't store credentials there.

Sure, I've made my attack surface larger, but for me it beats having to call, email, or be screwed when I lose access to my phone.


2FA should be TOTP, not SMS.


95% of my 2FA accounts are TOTP. My issue is that not all providers give me printable backup codes - some just say "get two devices!" and that's just not reasonable for a variety of reasons.


To get around this I usually just store the secret (from the QR code) in a secure place (encrypted database with yubikey).

This always allows me to recreate the TOTP entry.


My work-based 2FA is tied to my phone and is non-transferable. If I lost my main phone without switching the 2FA install while logged in, I'd have to go through a recovery process.

Culprits: RSA Authenticate and Okta Verify.

My personal accounts that have 2FA are all backed up with Authy.


>My work-based 2FA is tied to my phone and is non-transferable.

If that's the case with your workplace, do they issue you a phone to use for work-related stuff?

If not, why not?

Your personal device shouldn't be required to do work-related stuff, IMHO.

I'd add that since there's work-related stuff on your phone, your employer can restrict what you do/don't do with that phone and subject your personal device to its corporate policies via Mobile Device Management (MDM)[0] systems.

Even more, if you ensure that work-related stuff isn't on your personal device, issues with either device won't impact the other one.

I realize that it's out of fashion these days to keep one's work and personal lives separate. But IME, doing so is generally a good idea.

[0] https://en.wikipedia.org/wiki/Mobile_device_management


I don't have MDM on my phone (no alt-roots or anything). "Just" the 2FA, Gmail and Slack. But I agree, I'm tempted to get the work stuff off and onto an old phone just to have the mental separation.


>I don't have MDM on my phone (no alt-roots or anything). "Just" the 2FA, Gmail and Slack. But I agree, I'm tempted to get the work stuff off and onto an old phone just to have the mental separation.

Gotcha. I encourage you to do so. I'd further encourage you (if this isn't the case already) to have your employer pay all costs associated with that other device, as it's their requirements that put you in this situation.


Why?

You'd never register a token with an actually secure 2FA schema (account inaccessible if token inaccessible) with just one device.

Back up your 2FA/MFA.


I print backup codes where available, but some providers don't offer it and instead instruct me to have two devices. Do you maintain 2+ devices with your 2FA codes? Do you carry both devices everywhere? Or just when you need to add a new 2FA code to Authenticator?

