I've locked myself out of my digital life


Imagine…

Last night, lightning struck our house and burned it down. I escaped wearing only my nightclothes.

In an instant, everything was vaporised. Laptop? Cinders. Phone? Ashes. Home server? A smouldering wreck. Yubikey? A charred chunk of gristle.

This presents something of a problem.

In order to recover my digital life, I need to be able to log in to things. This means I need to know my usernames (easy) and my passwords (hard). All my passwords are stored in a Password Manager. I can remember the password to that. But logging in to the manager also requires a 2FA code. Which is generated by my phone.

The phone which now looks like this:

A melted phone. Credit: Reddit user Crushader.

Oh.

Backups

I'm relatively smart and sensible. I regularly exported my TOTP secrets and saved them in an encrypted file on my cloud storage - ready to be loaded onto a new phone.

But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a password which is stored in - you guessed it - my Password Manager.

I am in cyclic dependency hell. To get my passwords, I need my 2FA. To get my 2FA, I need my passwords.
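The loop described above can be checked mechanically. The following is an added example, not code from the original post: it models the plan as "to unlock X you need all of Y", then works out what can still be reached from whatever survives. The asset names and the rule table are assumptions reconstructed from the scenario, including the FIDO2 key and paper recovery codes that come up later in the post.

```python
"""Recovery-plan audit: what can I still unlock from what I have in hand?"""
from typing import Dict, Iterable, List, Set, Tuple

# Each asset lists alternative routes; a route is the set of things that
# must ALL be in hand for that route to work. (Constructed from the post.)
Plan = Dict[str, List[Set[str]]]

PLAN: Plan = {
    "password_manager": [
        {"master_password", "totp_codes"},
        {"master_password", "fido2_key"},
        {"master_password", "paper_recovery_codes"},
    ],
    "totp_codes": [
        {"phone"},
        {"totp_backup_file", "backup_password"},
    ],
    "totp_backup_file": [{"cloud_storage"}],
    "cloud_storage": [
        {"cloud_password", "totp_codes"},
        {"cloud_password", "paper_recovery_codes"},
    ],
    # Both of these live only inside the password manager.
    "cloud_password": [{"password_manager"}],
    "backup_password": [{"password_manager"}],
}

# Physical items that could be duplicated and kept somewhere else.
# Simplification: the paper codes are treated as one sheet covering every
# service, and single-use exhaustion is not modelled.
PHYSICAL = {"phone", "fido2_key", "paper_recovery_codes"}


def recoverable(plan: Plan, in_hand: Iterable[str]) -> Set[str]:
    """Fixpoint: keep unlocking assets until nothing new becomes reachable."""
    have = set(in_hand)
    changed = True
    while changed:
        changed = False
        for asset, routes in plan.items():
            if asset not in have and any(route <= have for route in routes):
                have.add(asset)
                changed = True
    return have


def locked_out(plan: Plan, in_hand: Iterable[str]) -> List[str]:
    """Assets in the plan that can never be reached from `in_hand`."""
    return sorted(set(plan) - recoverable(plan, in_hand))


def rank_offsite_copies(plan: Plan, in_hand: Iterable[str],
                        candidates: Iterable[str]) -> List[Tuple[str, int]]:
    """For each candidate item, count how many locked assets it would free."""
    start = set(in_hand)
    base = len(locked_out(plan, start))
    gains = {c: base - len(locked_out(plan, start | {c})) for c in candidates}
    return sorted(gains.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("Normal day  :", locked_out(PLAN, {"master_password", "phone"}))
    print("After fire  :", locked_out(PLAN, {"master_password"}))
    print("Off-site win:", rank_offsite_copies(PLAN, {"master_password"}, PHYSICAL))
```

With only the memorised master password left, every asset in the table is unreachable; the ranking shows which single off-site item breaks the cycle.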

Perhaps I can use my MFA FIDO2 Key?

A melted security key. Photo taken from A Side Journey To Titan: Revealing and Breaking NXP's P5x ECDSA Implementation on the Way.

Oh.

Emergency Contacts

Various services allow a user to designate an "emergency contact". Someone who can access your account in extremis. Who do you trust enough with the keys to your digital life?

I chose my wife.

The wife who lives with me in the same house. And, obviously, has just lost all her worldly possessions in a freak lightning strike.

Photo of a house engulfed in flames. Photo taken by Wikimedia user LukeBam06.

Oh.

Recovery Codes

Most online services which have Multi-Factor Authentication, also provide "recovery codes". They are, in effect, one-time override passwords. A group of random characters which will bypass any security. Each can only be used once, and then is immediately revoked.

I was clever. I hand-wrote the codes on a piece of paper (so they can't be recovered from my printer's memory!) and stored them in a fire-proof safe, secured with a key hidden under the cat's litter-box.

Sadly, the fire-proof safe wasn't lightning-strike safe and is now obliterated. Along with the cat's litter-box. The cat is fine.

I know… I know… I should have kept them in a lock-box in my local bank. The only problem is, virtually no banks offer safe deposit boxes in the UK. The one that does charges £240 per year. A small price to pay, for some, to avoid irreversible loss. But it adds up to a significant ongoing cost.

But, suppose I had stored everything off-site. All I'd need to do is walk up to the bank and show some ID which proved that I was the authorised user of that box.

The ID which has just been sacrificed in tribute to mighty Thor and now looks like a melted waxwork.

An AI generated image of a melted driver's licence.

Oh.

Friendly Neighbourhood Storage

Perhaps what I should have done is stored all my backup codes and recovery keys on a USB stick and then given them to a friend?

There are a few problems with that.

  1. Every time I sign up to a new service, I would need to add it to the USB stick. How many times can I pop round with a fresh stick before it becomes an imposition?
  2. What if my friend (or their kid) accidentally wipes the drive?
  3. If a freak lightning storm hits both our houses at the same time, I still lose everything.
  4. Even if I did all that, I would have to give the USB stick a strong password to make sure my friend didn't betray me. So I either need to remember that, or I'm stuck in the password-manager-paradox.

Perhaps I could split the USB sticks between multiple friends using Shamir's Secret Sharing? That solves some problems - mostly the accidental losses and remembering a strong password - but creates even more issues. Now I have to do a lot more admin and worry about all my friends conspiring against me!
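The threshold property is what makes this attractive: any two of three friends can rebuild the secret, and one friend alone learns nothing. A small sketch of a 2-of-3 split, added here as an illustration and not taken from the post or from any particular tool; the prime field, function names and sample passphrase are assumptions.

```python
"""Shamir's Secret Sharing over a prime field (illustrative 2-of-3 split)."""
import secrets
from typing import List, Optional, Tuple

# 2**521 - 1 is a Mersenne prime; it leaves room for secrets up to 64 bytes.
PRIME = 2**521 - 1
Share = Tuple[int, int]  # (x, f(x))


def split(secret: bytes, threshold: int, shares: int) -> List[Share]:
    """Hide `secret` as f(0) of a random polynomial of degree threshold-1."""
    if not 1 < threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    if len(secret) > 64:
        raise ValueError("secret too long for this field")
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def poly(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner's rule, highest degree first
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, poly(x)) for x in range(1, shares + 1)]


def interpolate_at_zero(points: List[Share]) -> int:
    """Lagrange interpolation of the polynomial at x = 0."""
    if len({x for x, _ in points}) != len(points):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def combine(points: List[Share], length: int) -> Optional[bytes]:
    """Rebuild the secret; None if the result cannot be `length` bytes,
    which is what too few shares will almost always produce."""
    try:
        return interpolate_at_zero(points).to_bytes(length, "big")
    except OverflowError:
        return None


if __name__ == "__main__":
    passphrase = b"correct horse battery staple"  # constructed sample secret
    alice, bob, carol = split(passphrase, threshold=2, shares=3)
    print(combine([alice, carol], len(passphrase)))  # any two friends suffice
    print(combine([bob], len(passphrase)))           # one friend alone: None
```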

Phone Home

One of the weakest forms of identity is the humble phone number. Several of my accounts use my mobile number to text me authorisation codes. SMS isn't the most secure way to deliver passwords - it can be intercepted or the SIM can be swapped to one controlled by an attacker. But, if I can get my phone number back, I stand a chance of getting in to my email and perhaps some other services.

That's a weakness in my security posture. But one I may need to take advantage of.

The only question is - how do I prove to the staff at my local phone shop that I am the rightful owner of a SIM card which is now little more than soot? Perhaps I can just rock up and say "Don't you know who I am?!?!"

I know, I'll show them my passport!

Burning EU passport 20180318

Oh.

Bootstrapping of trust

I am lucky. I have a nice middle-class life and know lots of professionals - doctors, lawyers, teachers - who I hope would be happy to vouch for me. I could use one of my friends to confirm my identity for a replacement passport. Once I have a passport, I should be able to get a SIM card with my phone number. And, I hope, some online services.

I would, however, need to use a credit or debit card to apply for a replacement passport. But all of my cards are melted to slag - and I can't prove to the bank that I am who I say I am because I don't know my account number, password, or mother's maiden name.

You see, I was "clever" and took some idiot's advice about setting your mother's maiden name to being a random string of characters. Those details are, of course, stored in my inaccessible password manager!

Hopefully one of my friends will be prepared to lend me the £75.50 to get a new passport.

I'll just call up one of my friends. Hmmm… now, where did I store their phone number?

A melted phone. Credit: Reddit user Crushader.

Oh.

Starting over

Again, I'm lucky. I live relatively close to some friends and family. And I'm confident that they'd be gracious enough to pay an emergency cab fare if I started hammering on their door at silly o'clock in the morning.

With their help, I think I could probably call up enough insurance companies to figure out which one covered the property. I would hope the insurance company would have some way of validating with the emergency services that the house is, indeed, a smoking crater. I don't know if that would get me emergency cash, or if I'd have to rely on friends until I get access to my bank account.

I assume my credit card companies can probably be convinced to send out replacement cards. But will they also be willing to change my address - or will the card go to the pile of ashes which was formerly my home?

I don't know whether my insurance policy covers me for access to digital files. Even if it did, I'm not sure how they can force a company like - say - Google to give me access to my account. It isn't like Google went through a KYC (Know Your Customer) process when I signed up.

Code Is Law

This is where we reach the limits of the "Code Is Law" movement.

In the boring analogue world - I am pretty sure that I'd be able to convince a human that I am who I say I am. And, thus, get access to my accounts. I may have to go to court to force a company to give me access back, but it is possible.

But when things are secured by an unassailable algorithm - I am out of luck. No amount of pleading will let me in without the correct credentials. The company which provides my password manager simply doesn't have access to my passwords. There is no-one to convince. Code is law.

Of course, if I can wangle my way past security, an evil-doer could also do so.

So which is the bigger risk:

  • An impersonator who convinces a service provider that they are me?
  • A malicious insider who works for a service provider?
  • Me permanently losing access to all of my identifiers?

I don't know the answer to that. If you have a strong opinion, please let me know in the comment section.

In the meantime, please rest assured that my home is still standing. But, if you can, please donate generously to the DEC's Ukraine Humanitarian Appeal


98 thoughts on “I've locked myself out of my digital life”

    1. says:

      THIS...is EXACTLY why I hate 2FA. Here's one solution. Have 1 email just for your password w/o 2FA or with the easiest PW. Don't use it for anything. Don't surf with it. Don't give it to anyone else. Every new password send an email to that email. Now here's the trick. Use one passphrase a pin # and change it / secure it based on the website. So if your passphrase is I am a bad muthafacker. Then your Gmail could be G1234IAmABadMuthafacker. Your bank UKBank,Inc could be U1234IAmABadMuthfacker$ ($ i.e money) Your bank Visa card could be: V1234IAmABadMuthafacker$

      Now you know your passphrase. So to save this password on that email account or anywhere accessible via public library you simply remind yourself like this: X xx X Xxx Xxxxxx Xxxxxx (Cap each word, no spaces)
      Then write: Gmail: Variable/Pin/Passphrase. There. You just reminded yourself. But no one else knows unless you TELL them.

      For bank account, put: UKBank: Variable/Pin/Passphrase/$

      Visa: Variable/Pin/Passphrase/$
      It's easy. Your pin should always be the same. Your variable, decide if it's the first, 2nd or last of the website's name and keep it that way. I've used 1st letter as an example.

      1. @edent says:

        To be clear to other readers - this is terrible advice.

        If a website has special requirements (e.g. no special characters, max of 12 characters, etc) then the scheme doesn't work.

        If a website asks you to change your password (and you can't reuse an old one) then the scheme doesn't work.

        If a website leaks your password (or if several do) then your scheme is easy to defeat.

        If your emails aren't encrypted in transit, your passwords are exposed.

        If your email is hacked - either by an insider or someone social engineering your email provider - then your passwords are exposed.

        In short - please don't use this scheme.

      2. Sean Lu says:

        I use a similar idea but without such a rigorous mnemonic scheme. I just use Anki (and don't have the answers on the cards since they're synced online). But I still forget my passwords pretty regularly, and my passwords could probably be made harder to guess.

  1. @Edent This is horrifying. I'm glad you guys are okay. Thanks for sharing, I'm going to look over my own security and password storage solutions. I'm pretty sure I'm in the risk of exactly the same happening to me.

  2. says:

    I honestly had to sit there thinking “has Terence’s house actually been struck by lightning and burned down? Announcing that purely via an educational blog post would be a very Terence thing to do…” before I got to the bottom of the post


  3. says:

    Reminder to test your disaster recovery plan. I can regain access to my digital life from things I’ve memorized and my yubikey, or failing that, a recovery packet I keep at my parents’ house in another state. That same packet gets them in if I die.

    shkspr.mobi/blog/2022/06/i…

    1. digital prepper says:

      Same. I have a tool to help me memorize key passwords that don’t get daily use (i.e. everything that isn’t my master password), like those for my email, Apple account, etc. If everything burns down, I get the corresponding 2FA backup codes from my parents’ and use the memorized passwords to retrieve my vault. The only cost, aside from (very) occasional snail mail to my parents asking them to just put this piece of paper in their safe, is that I have to memorize 6 passwords instead of 1. And my parents’ phone number.

  4. Ian Betteridge says:

    The "leave something with friends/neighbours" option is interesting. That is, after all, what we already do: we have a set of keys for one of our neighbours' houses so we can pop in and walk their dog when required, and they still have a set of ours from when they used to pop in and feed our cat (RIP).

    They could, of course, come round and ferret through our drawers - but we would be able to work out they had pretty easily, even without the presence of a security camera. So: should our approach to digital security be the same? A trusted third party who could use your passwords, but if they did you would get notified?

    1. @edent says:

      It's a tough one. Having lived in half-a-dozen locations since University - I don't think I've ever given a neighbour a set of keys. And, frankly, I'd probably refuse if they tried to foist them on me! That might be my antisocialness - or my paranoia. I'm not sure which.

      I have a lot of sympathy for the code-is-law crew. I shouldn't have to put my trust in anyone. But I also like the idea of a "canary" which fires if a trusted 3rd party attempts access.

  5. @Edent I was very concerned until the last para! My off-site plan for everything else going FUBAR is reasonably solid, but it all goes to hell if the account that automatically pays its bills runs out of money.

  6. says:

    A similar thing that haunts me the most is losing my memory. I use 1Password but what if I forget my pass phrase to get in? What if my iPhone doesn’t want to accept faceid and demands my now forgotten passcode? Yubikey is nice but is only a 2nd factor, not 1st

    The worry is real!


    1. Nicolas says:

      You can never rely on FaceID, you just reboot the phone or someone else looks at the camera too many times and it becomes useless until you enter your passcode.

    2. says:

      After forgetting my 1Password password for an agonising day before it came back to me, I finally took their advice and printed out their recovery kit and wrote it there, and tucked it somewhere safe. So that takes care of the ‘forgetting’ problem, unless, of course, that safe place is struck by lightning at the same time as I forget the password.

  7. Alex B says:

    I settled on a plain text file of credentials, split using Shamir's Secret Sharing and requiring at least 2 people to collaborate to reconstruct, with pieces shared on USB keys with my partner, my parent, and on various bits of storage I'm likely to have with me. I never actually got round to doing it, though...

    In the meantime, I'm relying upon grabbing my mobile phone or tablet, and wallet as I evacuate.

  8. says:

    Shh! Don’t say the quiet part out loud! We’re all incredibly vulnerable to this.

    I have offsite backups of my most important data. However, I probably wouldn’t be able to recover it without either my phone, laptop, desktop computer, or home server. I need one of them. These devices hold all my secrets under crypt and key.

    For most people, this is an unrecoverable situation. The more stuff you have — whether that be online accounts or devices — the harder it is to do disaster recovery. My “emergency plan” is to always carry my phone with me. It’s my digital life and it holds an on-person backup of my most crucial stuff.

  9. shkspr.mobi/blog/2022/06/i…

    I once polled people on Twitter about whether they write down the master password for their password manager in case of sudden memory trouble, but reality, as always, turns out to be more engrossing.

  10. I often think when I see an attack on some "badly done" security procedure like giving your birthdate to "authenticate" as a person: "Well, it's bad. But it's a good middle-ground between security and usability. And the few abuses are covered by insurance. So, all in all, it's not too bad."

    Which your story seems to underline.

    But of course the best way would be to have a t-out-of-n threshold decryption with your friends' devices. Not?

  11. Richard says:

    So your problem is you can't access your online password manager without a MFA code to your phone? Is that basically it? If so, you just need an offline password manager like https://keepass.info/ and then upload the password database to cloud storage to keep it safe and accessible. Problem solved?

    1. Richard says:

      Ah, you already said you need MFA to log into your cloud account, my bad, didn't see that the first time around. Is that an actual requirement though? I don't believe I have MFA on my MS OneDrive...

  12. Mikael says:

    Interesting, indeed.

    As I live in an area well known for having produced some nasty earthquakes, I'd foresee that if my house were reduced to rubble it'd be together with most of the neighbors' houses. And the rubble might very well get very well charred once the local natural gas lines burst.

    So... Hm.

    I have set up my wife as an emergency contact for my password manager, which wouldn't help in this scenario, but I'm thinking that I should set up a second emergency contact in the form of family members who live outside the area. It would still make the process of getting into stuff take a very long time, but eventually I should be able to get in that way.
    If I can survive without email for that long, of course.

  13. Reminds me of the time my phone was stolen. So I needed to buy a new one so I needed to move money around in my bank to be able to buy one. But I needed the same phone to login to the bank. So many increasing dependencies in our lives like this and not enough talking about it


  14. says:

    @Edent Really wish there were more affordable alternatives to off site storage. I am in similar danger but I don't have any trusted party near me to keep a USB stick with all my keys. Currently I keep an encrypted USB hidden in my car so at least if the apartment goes up in flames I'd have that...

  15. Matthijs says:

    Interesting story, hope all will be fine soon again.
    For the safe storage, what I did was to dig a casing pipe into the ground between our house and our neighbours. We have 2 utp cables in this, one for them and one for us. Now we have a NAS in their house and vice versa. We both cannot access each other’s NAS, we don’t know the passwords.
    Now it was quite some digging, but as a result we have a (we think) safe backup of everything. Chances of both houses burning or flooding or whatever are slim.

    1. Aaron Axvig says:

      Consider lightning, as mentioned in this very blog post. If it strikes one of the houses, it could easily traverse the UTP cable and fry the other NAS. And lightning could presumably strike both houses, or the utility feed that supplies both houses.

    1. japanese.sweden.clue says:

      You can keep a backup of your Secret Key without your email address or password included in your recovery kit. Hardcopy or digital copy (cloud storage, etc) The Secret Key is fairly useless without those additional details. Many folks have multiple backups that way, so even if someone were to access your Secret Key, it wouldn't do much for them. If you have 2FA enabled on your 1Password account, that would provide an additional layer of protection as well.

  16. Aaron Axvig says:

    Consider the case of cash currency, which one may think of as "paper is law". There are many ways in which a $20 bill can be lost forever, with absolutely no . Still people find cash useful, and even preferred, for some things. And obviously unsuitable for many things.

    Similarly, code as law is useful for some things and not for others.

  17. I think about this nightmare scenario quite a bit: it's not even your digital life any more, it's your LIFE

    I have enough stuff in a cloud account with a password I know that I could reboot from scratch... but I'd have to talk customer support into disabling 2FA for me to do it!

    1. Bob Ligma says:

      And that's the whole point of the conundrum. If you can talk someone into disabling 2FA then someone posing as you could theoretically do so as well.

  18. says:

    Excellent points all round, and it illustrates the weakness in ignoring "availability" to users in your threat modelling...

  19. says:

    Watch “safe house” with Patrick Stewart if you want to really feel the horror of that abyss opening up under your feet



  20. says:

    It’s great to say “enable 2FA, it’s more secure”. (And you should, I’m not saying you shouldn’t.) But the mechanics of password reset are extremely important and nuanced and their failure modes (as seen here) are horrifying. We need to be taking them more seriously.

  21. says:

    This is something I think about on a moderately frequent basis, and I have still not come to a satisfying conclusion.

  22. Whatever the specifics, I wouldn't assume that a "fireproof" box in your house is 100% protective depending upon the fire specifics. Having seen the aftermath of a lightning-induced fire, it probably is. But I wouldn't count on it.



  23. says:

    I locked myself out of a 15-year-old email, thus locking myself out of numerous services. There isn't really a good solution to off-site storage, not in a secure way anyway. I don't live in an apartment, so I keep everything at the other end of the garden locked away. It's interesting to see how all the services layer upon each other, if you lose access to x, you'll lose access to y. I print my backup codes and lock them away.

  24. japanese.sweden.clue says:

    I used to work for 1Password. If you're with 1Password, contact the support team. They'll be able to authenticate you and disable 2FA on your account. You'll still need your Secret Key & Password to access your data though. If you're missing your Secret Key, you won't be able to reaccess unless your wife knows hers. Then she could login and perform a recovery on your account.

  25. says:

    Password managers are a huge SPoF that many people don't realize is there. Sure it's better than having only a couple different passwords, but once you're in, you have everything, including documentation on what accounts exist, what username to use, etc.
    And it is opened often.



  26. Michael says:

    Since before password managers, I have always stored my important info in a password protected spreadsheet and email it encrypted using Proton Mail to my sister to store on her laptop and she doesn't know the password.

  27. Natural D. Zaster says:

    There's something to be said for 'bury it in the backyard in a sealed container'.

    'It' being a print and digital version as an A/B test. 🙂

    Also, degrowth and permacomputing comes to mind here.

  28. Hey, in the UK, is a sim swap attack really that easy?

    https://nordvpn.com/blog/sim-swap-attack/

    It sounds like the fault of the provider more than anything else, which should / would be easy to make sure there is a firm process in place to stop this from happening (surely it is madness to have this service at the end of a phone call with no clear steps in place to keep things secure?)

    https://ee.co.uk/help/help-new/managing-and-using-my-account/leaving-ee/what-is-a-pac-code

    text PAC to 65075
    log in to My EE and go to Menu > Account settings > Leave EE

    So your phone needs to be secure, and your provider account needs to be secure.

    Seems simple enough, then you can rely on phone number as your gateway back in, store everything in cloud provider, and get back up to speed?

    Perhaps I am missing something, I am not militant about security...

  29. Nico says:

    Interesting read! I think I had something like this in mind when I switched to authy as my 2fa provider. The idea of losing my access when losing a device somehow scared me. Also it didn't seem possible to transfer the Google authenticator to a new device at this time. I don't know if this is still the case.

  30. Pawel says:

    Google has a dead man switch of sorts - after set time of inactivity it can be set up to transfer all rights to someone else via email. It's not perfect because you would need to camp out for half a year of course. I wonder if other services let you do that?

    As for key distribution among friends - there has to be some smart solution relying on the fact that your home server isn't there. App hosted on amazon that will call your home lab, perhaps your number? Even a freaking buzzer in your house! And only after it fails all that it would release some control, perhaps one extra human rememberable password away from full access? I believe UK's nuclear deterrent submarines have checklists to ensure UK is well and truly gone before firing any nuclear missiles. I don't know how much is available on the subject, but surely this must be a common problem, when you broaden its scope.

  31. says:

    "I've locked myself out of my digital life":
    shkspr.mobi/blog/2022/06/i…

    Okay, this is also something I fear regarding 2FA. I had a similar lockout thing when I switched my phone number back in Nepal (my old phone stopped working, and I decided to get a new number...)

  32. ReaderThe says:

    Paragraph "Friendly Neighbourhood Storage" is quite unrealistic for me and isn't helpful to make a plan for that accident.

    USB stick can have only the most important passwords to most important services. When you have access to those more important services you can recover a most recent password manager file backup from multitude of cloud services etc.
    Hide it. It isn't meant to be used until an emergency.
    Changes are close to zero.
    Yeah, you need to remember master password. How did you log into password manager up to that day without it?

    Aside from that TOTP secrets are only second factor - they won't let you log in alone without password. It should be thought as a proof of physical access to something. You can also store it unencrypted, when it is stored on your property. Cloud provider? Encrypt it, because it is being stored on someone else's servers. Your flash drive in your house? It can lay unencrypted. A piece of paper amongst documents in your parents' house? It also probably can be stored in unencrypted form here too.

  33. Dave Ings says:

    Great post - made me think - thanks.

    I use 1Password, which has built in 2FA support. My simplest mitigation seems to be to store offsite a hardcopy of 1PW’s “emergency kit”. This would get me back into my 1PW account if I lost all else. So that’s what I plan to do.

    YMMV of course.

  34. Malcolm X says:

    A few years ago I imagined worst case scenario (I must admit you have a better imagination than me ) and I found a solution for that : what I do is store all 2fa totp codes in an encrypted keepass vault and remember that password instead of keeping it in password manager

    since it is encrypted it doesnt matter where i upload it but ofc for max security and privacy , e2e cloud services like filen/mega are a better option ( better to upload them to at least 2 just in case)

    then take the link of that file and use link shortener (use at least 2 again just in case) , and have something like bit.ly/2fa which u can access anywhere

    whenever i have a new 2fa entry i just upload the new vault in same directory as before , with file versioning , i have all previous vaults in same place with same link

    1. @edent says:

      There are two main problems with this approach.

      The first is that you won't remember the password. History has shown us that unless people regularly use a password, they'll forget it. If you do choose an easy to remember password - the chances are that it will be easy to guess.

      The second problem is that you're relying on a weak second factor - that the file is "hard" to find. If you have created a bitly link, the chances are that a search engine has already picked up the file.

      1. Malcolm X says:

        regarding your first concern : I usually add more sites to the vault so i constantly use that password so that isn't an issue , you can always use a slightly similar password to the one for password manager

        As for your second concern : you can use a more privacy friendly link shortener or self host one . And even if they pick it up , if you use a password with good entropy for the vault , it will be impossible to decrypt it

  35. Sam says:

    Well, you could simply create another account in your password manager (like Bitwarden) and store all your 2FA recovery codes and of course, ensure this account does not have 2FA enabled. In this account, just have the recovery codes with hints /clues that only you can understand to what service it is meant for (without using usernames). This way, in the unlikely event of account compromise (with your leaked password), it's only a bunch of strings.

    You then need to remember only two master passwords (one for password manager with 2FA and another with a password manager without 2FA).

    I follow the above, while also having Authy to synchronize on my wife's father's phone (besides her phone of course) and another desktop at their place.

    1. Nico says:

      May I ask why you sync Authy to many devices? I assume you don't use their server side backup then? If so, why not? Or is this just an additional layer?

  36. This actually happened to me last year (flat burned down completely, nothing recoverable) but I was lucky that I picked up my phone which gave me instant access to my Cloud storage / 2FA etc to be able to still access all of my digital data. If the phone had been left behind that would have been a different story.

    I also lost my NAS, which was mostly a local backup of my cloud data but I did (foolishly) have some data only on there so that has now gone forever.

    1. One of the reasons I am happy to be a US citizen and a citizen of another country.

      I have a safe deposit box at two different banks. (yes, they are geographically separated) FYI safe deposit boxes can be relatively inexpensive in the US or free depending on your relationship with the bank (Assets Under Management or breadth of products)
      I have copies of many of the items listed in those boxes. (A 'relatively recent' backup hard drive, keys to multiple items, legal documents including a proxy where my mother can access the safe deposit box, photocopies of driver's license, the passports, Social Security card, etc)
      Bank accounts with basic emergency funds in two countries.
      Cloud backups of many of the items listed above, as well as additional items as safeguards.

      While not a perfect DRP, it is sufficient and not costly.

  37. Brenden Walker says:

    Local backups mirror my NAS data daily (2 NAS boxes with 15TB each). When we leave for any extended period of time the local backup HD's are stored in a 4 hour rated fire safe.

    Everything is encrypted locally prior to storage on Azure, $50 credit I get with MSDN sub covers that (employer pays MSDN sub). This is the only cloud storage I leverage, weekly backups for most data.

    Password database is synced to 2 USB sticks along with the software necessary (KeePass portable), one is in my pocket at all times and the other is...elsewhere. I update the password DB every month or so, and immediately if I'm cycling/setting up a login for something critical (bank, insurance, etc). Years ago I memorized a complex passphrase that is only used for this one purpose. Password DB is not cloud hosted so if anyone gets access to it for brute forcing they've managed to bypass a lot of security to get there.. and will need to brute force a very complex passphrase. I accept the residual risk on this.

    I don't use my phone for anything sensitive, if it were lost or stolen my main concern would be getting a new phone. For critical 2FA I prefer hardware tokens.

    I have done disaster recovery exercises including full restoration of systems as well as specific data recovery. This works for me, and keeps my wife happy (artists make a lot of data!) YMMV.

  38. Bob Ligma says:

    Easy solution: just have a hot site set up in another state, ready for you to walk in and start using right away.

  39. fourzerosix says:

    should have a small bunker below the house for important storage and water/fire-proof safe

  40. […] pointed me to a blog post by Terence Eden, which contains a bit of a thought experiment on what happens if you have a catastrophic accident (say, a house fire) and lose access to all your […]

  41. Matt says:

    I think the obvious failure here in your hypothetical is that you did not have an off-site backup. Superficially it looks like you do, cause everything is in the cloud. However it's not an off-site backup unless your encryption keys are also backed up off-site, along with the credentials to access it all (and yes your second factor is a credential). In this hypothetical, all your second factors (security keys, phone, paper with recovery codes) were stored on-site, which is why everything failed.

    You mention storing a USB stick with a friend, but then only consider the unworkable solution of storing a frequently changing target (backup codes for all your services). All you really need to store is the credentials and keys to restore from your off-site backup, and possibly for your email account. That is probably just the recovery codes (and passwords if not memorized) for your cloud site(s) and your email account, and maybe a spare security key that's authorized for those accounts if that's in your budget. Those shouldn't need to be updated very often. Encrypt those with the same passphrase you use for your password manager (which you presumably have memorized). You can reduce the risk of your friend or their kid misplacing/wiping it with an envelope and marker (pretty cheap). As for the concurrent loss of both sites, do you only have one friend? Do they all live in the same city?

    Other solutions include using another cloud backup site which you only put your encrypted password store in, and then don't turn on 2FA for that one (it's only protecting an encrypted file). I've even seen the suggestion somewhere to store your encrypted password file in the public part of your cloud account, but that effectively turns off 2FA for your password management.
