I've locked myself out of my digital life
Imagine…
Last night, lightning struck our house and burned it down. I escaped wearing only my nightclothes.
In an instant, everything was vaporised. Laptop? Cinders. Phone? Ashes. Home server? A smouldering wreck. Yubikey? A charred chunk of gristle.
This presents something of a problem.
In order to recover my digital life, I need to be able to log in to things. This means I need to know my usernames (easy) and my passwords (hard). All my passwords are stored in a Password Manager. I can remember the password to that. But logging in to the manager also requires a 2FA code. Which is generated by my phone.
The phone which now looks like this:
Oh.
Backups
I'm relatively smart and sensible. I regularly exported my TOTP secrets and saved them in an encrypted file on my cloud storage - ready to be loaded onto a new phone.
But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a password which is stored in - you guessed it - my Password Manager.
I am in cyclic dependency hell. To get my passwords, I need my 2FA. To get my 2FA, I need my passwords.
Perhaps I can use my MFA FIDO2 Key?
Oh.
Emergency Contacts
Various services allow a user to designate an "emergency contact". Someone who can access your account in extremis. Who do you trust enough with the keys to your digital life?
I chose my wife.
The wife who lives with me in the same house. And, obviously, has just lost all her worldly possessions in a freak lightning strike.
Oh.
Recovery Codes
Most online services which have Multi-Factor Authentication, also provide "recovery codes". They are, in effect, one-time override passwords. A group of random characters which will bypass any security. Each can only be used once, and then is immediately revoked.
I was clever. I hand-wrote the codes on a piece of paper (so they can't be recovered from my printer's memory!) and stored them in a fire-proof safe, secured with a key hidden under the cat's litter-box.
Sadly, the fire-proof safe wasn't lightning-strike safe and is now obliterated. Along with the cat's litter-box. The cat is fine.
I know… I know… I should have kept them in a lock-box in my local bank. The only problem is, virtually no banks offer safe deposit boxes in the UK. The one that does charges £240 per year. A small price to pay, for some, to avoid irreversible loss. But it adds up to a significant ongoing cost.
But, suppose I had stored everything off-site. All I'd need to do is walk up to the bank and show some ID which proved that I was the authorised user of that box.
The ID which has just been sacrificed in tribute to mighty Thor and now looks like a melted waxwork.
Oh.
Friendly Neighbourhood Storage
Perhaps what I should have done is stored all my backup codes and recovery keys on a USB stick and then given them to a friend?
There are a few problems with that.
- Every time I sign up to a new service, I would need to add it to the USB stick. How many times can I pop round with a fresh stick before it becomes an imposition?
- What if my friend (or their kid) accidentally wipes the drive?
- If a freak lightning storms hits both our houses at the same time, I still lose everything.
- Even if I did all that, I would have to give the USB stick a strong password to make sure my friend didn't betray me. So I either need to remember that, or I'm stuck in the password-manager-paradox.
Perhaps I could split the USB sticks between multiple friends using Shamir's Secret Sharing? That solves some problems - mostly the accidental losses and remembering a strong password - but creates even more issues. Now I have to do a lot more admin and worry about all my friends conspiring against me!
Phone Home
One of the weakest forms of identity is the humble phone number. Several of my accounts use my mobile number to text me authorisation codes. SMS isn't the most secure way to deliver passwords - it can be intercepted or the SIM can swapped to one controlled by an attacker. But, if I can get my phone number back, I stand a chance of getting in to my email and perhaps some other services.
That's a weakness in my security posture. But one I may need to take advantage of.
The only question is - how do I prove to the staff at my local phone shop that I am the rightful owner of a SIM card which is now little more than soot? Perhaps I can just rock up and say "Don't you know who I am?!?!"
I know, I'll show them my passport!
Oh.
Bootstrapping of trust
I am lucky. I have a nice middle-class life and know lots of professionals - doctors, lawyers, teachers - who I hope would be happy to vouch for me. I could use one of my friends to confirm my identity for a replacement passport. Once I have a passport, I should be able to get a SIM card with my phone number. And, I hope, some online services.
I would, however, need to use a credit or debit card to apply for a replacement passport. But all of my cards are melted to slag - and I can't prove to the bank that I am who I say I am because I don't know my account number, password, or mother's maiden name.
You see, I was "clever" and took some idiot's advice about setting your mother's maiden name to being a random string of characters. Those details are, of course, stored in my inaccessible password manager!
Hopefully one of my friends will be prepared to lend me the £75.50 to get a new passport.
I'll just call up one of my friends. Hmmm… now, where did I store their phone number?
Oh.
Starting over
Again, I'm lucky. I live relatively close to some friends and family. And I'm confident that they'd be gracious enough to pay an emergency cab fare if I started hammering on their door at silly o'clock in the morning.
With their help, I think I could probably call up enough insurance companies to figure out which one covered the property. I would hope the insurance company would have some way of validating with the emergency services that the house is, indeed, a smoking crater. I don't know if that would get me emergency cash, or if I'd have to rely on friends until I get access to my bank account.
I assume my credit card companies can probably be convinced to send out replacement cards. But will they also be willing to change my address - or will the card go to the pile of ashes which was formerly my home?
I don't know whether my insurance policy covers me for access to digital files. Even if it did, I'm not sure how they can force a company like - say - Google to give me access to my account. It isn't like Google went through a KYC (Know Your Customer) process when I signed up.
Code Is Law
This is where we reach the limits of the "Code Is Law" movement.
In the boring analogue world - I am pretty sure that I'd be able to convince a human that I am who I say I am. And, thus, get access to my accounts. I may have to go to court to force a company to give me access back, but it is possible.
But when things are secured by an unassailable algorithm - I am out of luck. No amount of pleading will let me without the correct credentials. The company which provides my password manager simply doesn't have access to my passwords. There is no-one to convince. Code is law.
Of course, if I can wangle my way past security, an evil-doer could also do so.
So which is the bigger risk:
- An impersonator who convinces a service provider that they are me?
- A malicious insider who works for a service provider?
- Me permanently losing access to all of my identifiers?
I don't know the answer to that. If you have a strong opinion, please let me know in the comment section.
In the meantime, please rest assured that my home is still standing. But, if you can, please donate generously to the DEC's Ukraine Humanitarian Appeal
Frank Meeuwsen said on diggingthedigital.com:
I’ve locked myself out of my digital life door @edent (shkspr.mobi)
OK. Nu ik dit heb gelezen moet ik toch eens serieus nadenken over de opties. Bliksem kan inslaan. Brand. Ik kan een beroerte krijgen en het hoofdwachtwoord van mijn password manager vergeten. Zoveel losse eindjes in dat digitale leven die, als een kort lontje, elkaar aansteken en zo snel als een exponentiële grafiek door je leven branden.
Valda says:
THIS...is EXACTLY why I hate 2FA. Here's one solution. Have 1 email just for your password w/o 2FA or with the easiest PW. Don't use it for anything. Don't surf with it. Don't give it to anyone else. Every new password send an email to that email. Now here's the trick. Use one passphrase a pin # and change it / secure it based on the website. So if your passphrase if I am a bad muthafacker. Then your Gmail could be G1234IAmABadMuthafacker. Your bank UKBank,Inc could be U1234IAmABadMuthfacker$ ($ i.e money) Your bank Visa card could be: V1234IAmABadMuthafacker$
Now you know your passphrase. So to save this password on that email account or anywhere accessible via public library you simply remind yourself like this: X xx X Xxx Xxxxxx Xxxxxx (Cap each word, no spaces) Then write: Gmail: Variable/Pin/Passphrase. There. You just reminded yourself. But no one else knows unless you TELL them.
For bank account, put: UKBank: Variable/Pin/Passphrase/$
Visa: Variable/Pin/Passphrase/$ It's easy. Your pin should always be the same. Your variable, decide if it's the first, 2nd or last of the website's name and keep it that way. I've used 1st letter as an example.
@edent says:
To be clear to other readers - this is terrible advice.
If a website has special requirements (e.g. no special characters, max of 12 characters, etc) then the scheme doesn't work.
If a website asks you to change your password (and you can't reuse an old one) then the scheme doesn't work.
If a website leaks your password (or if several do) then your scheme is easy to defeat.
If your emails aren't encrypted in transit, your passwords are exposed.
If your email is hacked - either by an insider or someone social engineering your email provider - then your passwords are exposed.
In short - please don't use these scheme.
Sean Lu says:
I use a similar idea but without such a rigorous mnemonic scheme. I just use Anki (and don't have the answers on the cards since they're synced online). But I still forget my passwords pretty regularly, and my passwords could probably be made harder to guess.
Johannes Ernst says:
The exact reason I started building Paradux. https://github.com/paradux/paradux/
@edent says:
How does this deal with the "Murder On The Orient Express problem"?
quantic says:
On an analog matter, it reminds me the day I asked my boss: "what is the strongest way to backup things?". Short answer: engrave data on a stone...
So huge paradox of digital life: 1/ you can replicate data infinitly without any error...but each storage taken indivudually is weak...really weak 2/ you can secure access easily with cryptographic algorithms...but anyone who solves/finds a way to break it, the security of all data in the world is comprimised (the best example is RSA, which is not recommended anymore)
Thanks for your thought and anyway: if you can't protect data, don't collect it 🙂
Gustav Lindqvist 🇸🇪 said on jkpg.rocks:
@Edent This is horrifying. I'm glad you guys are okay.Thanks for sharing, I'm going to look over my own security and password storage solutions. I'm pretty sure I'm in the risk of exactly the same happening to me.
chaozz says:
Did you read the last paragraph? 😛
Kee says:
Or perhaps the first word of the article? 🤪
Joe said on twitter.com:
I honestly had to sit there thinking “has Terence’s house actually been struck by lightning and burned down? Announcing that purely via an educational blog post would be a very Terence thing to do…” before I got to the bottom of the post
Bob Ligma says:
Imagine...
Seeker said on twitter.com:
Reminder to test your disaster recovery plan. I can regain access to my digital life from things I’ve memorized and my yubikey, or failing that, a recovery packet I keep at my parents’ house in another state. That same packet gets them in if I die.
shkspr.mobi/blog/2022/06/i…
digital prepper says:
Same. I have a tool to help me memorize key passwords that don’t get daily use (i.e. everything that isn’t my master password), like those for my email, Apple account, etc. If everything burns down, I get the corresponding 2FA backup codes from my parents’ and use the memorized passwords to retrieve my vault. The only cost, aside from (very) occasional snail mail to my parents asking them to just put this piece of paper in their safe, is that I have to memorize 6 passwords instead of 1. And my parents’ phone number.
HackerNewsTop10 said on twitter.com:
I've locked myself out of my digital life Link: shkspr.mobi/blog/2022/06/i… Comments: news.ycombinator.com/item?id=316526…
Ian Betteridge says:
The "leave something with friends/neighbours" option is interesting. That is, after all, what we already do: we have a set of keys for one of our neighbours' houses so we can pop in and walk their dog when required, and they still have a set of ours from when they used to pop in and feed our cat (RIP).
They could, of course, come round and ferret through our drawers - but we would be able to work out they had pretty easily, even without the presence of a security camera. So: should our approach to digital security be the same? A trusted third party who could use your passwords, but if they did you would get notified?
@edent says:
It's a tough one. Having liven in half-a-dozen locations since University - I don't think I've ever given a neighbour a set of keys. And, frankly, I'd probably refuse if they tried to foist them on me! That might be my antisocialness - or my paranoia. I'm not sure which.
I have a lot of sympathy for the code-is-law crew. I shouldn't have to put my trust in anyone. But I also like the idea of a "canary" which fires if a trusted 3rd party attempts access.
Haunted Owlbear said on mastodon.social:
@Edent I was very concerned until the last para! My off-site plan for everything else going FUBAR is reasonably solid, but it all goes to hell if the account that automatically pays its bills runs out of money.
Dan said on twitter.com:
A similar thing that haunts me the most is losing my memory. I use 1Password but what if I forget my pass phrase to get in? What if my iPhone doesn’t want to accept faceid and demands my now forgotten passcode? Yubikey is nice but is only a 2nd factor, not 1st
The worry is real!
Fazal Majid says:
A stroke can happen to anyone.
Nicolas says:
You can never rely on FaceID, you just reboot the phone or someone else looks at the camera too many times and it becomes useless until you enter your passcode.
Alex R says:
After forgetting my 1Password password for an agonising day before it came back to me, I finally took their advice and printed out their recovery kit and wrote it there, and tucked it somewhere safe. So that takes care of the ‘forgetting’ problem, unless, of course, that safe place is struck by lightning at the same time as I forget the password.
William Porter says:
Well, you recognize one problem. But just in a general way, writing stuff down does not necessarily "take care of the 'forgetting' problem". My late mother-in-law lived to be 97. Never really suffered from dementia -- she was pretty cogent right up to her death. But her memory did decline as she got older. So somewhere in her '70s she started writing everything down. Then she started to forget where she'd put the notes. You can print out your 1Password 'emergency kit' but then you have to remember where you put it. If you put it in your desk drawer or safe at home, well, it might have been incinerated with the rest of the house (as you acknowledge). So you can put it in the bank, but see the OP above for problem of getting into bank. You can give it to your daughter to keep at HER house but then you have to remember that you did that, or she's got to remember that you gave it to her AND she has to remember where SHE put it. (My oldest daughter is a surgeon. Her memory's awesome for some things but absolute cr*p for others.)
Not saying writing stuff down is a BAD idea. Print out your emergency kit from 1Password and give it to all THREE of your daughters. And then be nice to them.
Alex B says:
I settled on a plain text file of credentials, split using Shamir's Secret Sharing and requiring at least 2 people to collaborate to reconstruct, with pieces shared on USB keys with my partner, my parent, and on various bits of storage I'm likely to have with me. I never actually got round to doing it, though...
In the meantime, I'm relying upon grabbing my mobile phone or tablet, and wallet as I evacuate.
Paul Curry said on twitter.com:
lmao I came here from HN to be like DUDE DO U NEED TO BORROW SOME STUFF ARE U OK
Dr Catherine Flick said on twitter.com:
Yet more limitations of "code is law"
Matt Secoske said on twitter.com:
We are going to hear more and more of these stories. Tech is awesome, but it has serious downsides as well.
shkspr.mobi/blog/2022/06/i…
Daniel says:
Shh! Don’t say the quiet part out loud! We’re all incredibly vulnerable to this.
I have offsite backups of my most important data. However, I probably wouldn’t be able to recover it without either my phone, laptop, desktop computer, or home server. I need one of them. These devices holds all my secrets under crypt and key.
For most people, this is an unrecoverable situation. The more stuff you have — whether that be online accounts or devices — the harder it is to do disaster recovery. My “emergency plan” is to always carry my phone with me. It’s my digital life and it holds a on-person backup of my most crucial stuff.
Ghostwire: Suurpelto said on twitter.com:
shkspr.mobi/blog/2022/06/i…
Как-то опрашивал народ в твиттере, записывают ли они мастер-пароль от менеджера паролей на случай внезапных бед с памятью, но реальность, как всегда, бывает увлекательней.
🏳️🌈 Q (it/its) 🏳️🌈 ⍼ 🔜 MCH said on twitter.com:
Clearly we need to funge proof Terrence now, just in case
Linus Gasser says:
I often think when I see an attack on some "badly done" security procedure like giving your birthdate to "authenticate" as a person: "Well, it's bad. But it's a good middle-ground between security and usability. And the few abuses are covered by insurance. So, all in all, it's not too bad."
Which your story seems to underline.
But of course the best way would be to have a t-out-of-n threshold decryption with your friends devices. Not?
Richard says:
So your problem is you can't access your online password manager without a MFA code to your phone? Is that basically it? If so, you just need an offline password manager like https://keepass.info/ and then upload the password database to cloud storage to keep it safe and accessible. Problem solved?
Richard says:
Ah, you already said you need MFA to log into your cloud account, my bad, didn't see that the first time around. Is that an actual requirement though? I don't believe I have MFA on my MS OneDrive...
Mikael says:
Interesting, indeed.
As I live in an area well known for having produced some nasty earthquakes, I'd foresee that if my house were reduced to rubbles it'd be together with most of the neighbors' houses. And the rubbles might very well get very well charred once the local natural gas lines burst.
So... Hm.
I have set up my wife as an emergency contact for my password manager, which wouldn't help in this scenario, but I'm thinking that I should set up a second emergency contact in the form of family members who live outside the area. It would still make the process of getting into stuff takes very long time, but eventually I should be able to get in that way. If I can survive without email for that long, of course.
Tero Keski-Valkama said on twitter.com:
All service providers should be legally obligated to accept national identity provider schemes like passports or national electronic ids. shkspr.mobi/blog/2022/06/i…
Yash says:
The reason I don't use generated passwords for valuable accounts
James Campbell said on twitter.com:
Reminds me of the time my phone was stolen. So I needed to buy a new one so I needed to move money around in my bank to be able to buy one. But I needed the same phone to login to the bank. So many increasing dependencies in our lives like this and not enough talking about it
Michael said on mastodon.social:
@Edent Really wish there were more affordable alternatives to off site storage.I am in similar danger but I don't have any trusted party near me to keep a USB stick with all my keys.Currently i keep an encrypted USB hidden in my car so at least if the apartment goes up in flames I'd have that...
octotherp says:
AFAIK we still have no "multiple fido2 keys" unlocking option for keepass.db. https://github.com/keepassxreboot/keepassxc/issues/3560
Matthijs says:
Interesting story, hope all will be fine soon again. For the safe storage, what I did was to dig a casing pipe into the ground between our house and our neighbours. We have 2 utp cables in this, one for them and one for us. Now we have a NAS in their house and vice versa. We both cannot access each other’s NAS, we don’t know the passwords. Now it was quite some digging, but as a result we have a (we think) safe backup of everything. Chances of both houses burning or flooding or whatever are slim.
Aaron Axvig says:
Consider lightning, as mentioned in this very blog post. If it strikes one of the houses, it could easily traverse the UTP cable and fry the other NAS. And lightning could presumably strike both houses, or the utility feed that supplies both houses.
Pete Keen said on twitter.com:
shkspr.mobi/blog/2022/06/i…
This has me thinking about my strategy a bit. I have a waterproof USB drive with my @1Password recovery kit on it, but what if that gets destroyed too?
Can I pay an attorney to hold onto a USB drive? Hollywood seems to imply that that's a thing.
japanese.sweden.clue says:
You can keep a backup of your Secret Key without your email address or password included in your recovery kit. Hardcopy or digital copy (cloud storage, etc) The Secret Key is fairly useless without those additional details. Many folks have multiple backups that way, so even if someone were to access your Secret Key, it wouldn't do much for them. If you have 2FA enabled on your 1Password account, that would provide an additional layer of protection as well.
zaptac said on twitter.com:
Neues aus der Serie "Niemand will Backup, alle wollen Restore":
shkspr.mobi/blog/2022/06/i…
Aaron Axvig says:
Consider the case of cash currency, which one may think of as "paper is law". There are many ways in which a $20 bill can be lost forever, with absolutely no . Still people find cash useful, and even preferred, for some things. And obviously unsuitable for many things.
Similarly, code as law is useful for some things and not for others.
Simon Willison said on twitter.com:
I think about this nightmare scenario quite a bit: it's not even your digital life any more, it's your LIFE
I have enough stuff in a cloud account with a password I know that I could reboot from scratch... but I'd have to talk customer support into disabling 2FA for me to do it!
Bob Ligma says:
And that's the whole point of the conundrum. If you can talk someone into disabling 2FA then someone posing as you could theoretically for so as well.
Nick Drage said on twitter.com:
Excellent points all round, and it illustrates the weakness in ignoring "availability" to users in your threat modelling...
Wojtek | voitek.eth said on twitter.com:
Risks behind the ‘code is law’ approach 🤔
Björn Friðgeir Björnsson said on twitter.com:
I need to think about things.
Nick Stevens | Let's make business better said on twitter.com:
Having recently discovered that MS Authenticator doesn't back up by default (and in my case, at all), and that Discogs doesn't implement 2FA correctly, this really is the stuff of nightmares.
hat tip @inthecompanyof
Jonathan Peacher 👋🏼 said on twitter.com:
frantically reviews digital life
glyph said on twitter.com:
Watch “safe house” with Patrick Stewart if you want to really feel the horror of that abyss opening up under your feet
glyph said on twitter.com:
It’s great to say “enable 2FA, it’s more secure”. (And you should, I’m not saying you shouldn’t.) But the mechanics of password reset are extremely important and nuanced and their failure modes (as seen here) are horrifying. We need to be taking them more seriously.
a libi rose said on twitter.com:
ngl, this hypothetical is just the tiniest bit appealing
I've locked myself out of my digital life said on :
This Article was mentioned on indiehackers.com
Steven Wilkin said on twitter.com:
Nightmare fuel
Nuzz 🧋 said on twitter.com:
This is something I think about on a moderately frequent basis, and I have still not come to a satisfying conclusion.
Dom Hodgson said on twitter.com:
I'll lend you a tenner to get home mate 🙂
Gordon Haff said on twitter.com:
Whatever the specifics, I wouldn't assume that a "fireproof" box in your house is 100% protective depending upon the fire specifics. Having seen the aftermath of a lighting-induced fire, it probably is. But I wouldn't count on it.
Chris Humm says:
I locked myself out of a 15-year-old email, thus locking myself out of numerous services. There isn't really a good solution to off-site storage, not in a secure way anyway. I don't live in an apartment, so I keep everything at the other end of the garden locked away. It's interesting to see how all the services layer upon each other, if you lose access to x, you'll lose access to y. I print my backup codes and lock them away.
japanese.sweden.clue says:
I used to work for 1Password. If you're with 1Password, contact the support team. They'll be able to authenticate you and disable 2FA on your account. You'll still need your Secret Key & Password to access your data though. If you're missing your Secret Key, you won't be able to reaccess unless your wife knows hers. Then she could login and perform a recovery on your account.
Michael Beckwith says:
Mostly all the same questions to ask in the event someone suddenly passes away
Soumyadip Choudhury said on twitter.com:
Had been pondering over this. Weighing the benefits and the risks of multiple layers of security that can prevent unauthorised access but could also lock me out. I think, I have found my answer. But, for security reasons, keeping it to myself 🙂
shkspr.mobi/blog/2022/06/i…
Kevin Riggle said on twitter.com:
As we used to say at Akamai, availability is also a security goal
rpigab said on twitter.com:
Password managers are a huge SPoF that many people don't realize is there. Sure it's better than having only a couple different passwords, but once you're in, you have everything, including documentation on what accounts exist, what username to use, etc. And it is opened often.
Erin Bern says:
Fascinatingly terrifying article. Security without risking loss of access is a mountain of stress, it seems.
Royce Williams said on twitter.com:
I'm an unabashed security-key fan, so some folks in the forums think I'm shilling when I suggest that people need more than two separate physical authenticators, and that one of them should be offsite.
I'm not.
shkspr.mobi/blog/2022/06/i…
Michael says:
Since before password managers, I have always stored my important info in a password protected spreadsheet and email it encrypted using Proton Mail to my sister to store on her laptop and she doesn't know the password.
Natural D. Zaster says:
There's something to be said for 'bury it in the backyard in a sealed container'.
'It' being a print and digital version as an A/B test. 🙂
Also, degrowth and permacomputing comes to mind here.
Hugo Barrera said on twitter.com:
My phone died yesterday and I can’t use my @Wise card to get a new on. To use the @Wise card or log into their website I need a phone.
Chris Barry says:
Hey, in the UK, is a sim swap attack really that easy?
https://nordvpn.com/blog/sim-swap-attack/
It sounds like the fault of the provider more than anything else, which should / would be easy to make sure there is a firm process in place to stop this from happening (surely it is madness to have this service at the end of a phone call with no clear steps in place to keep things secure?)
https://ee.co.uk/help/help-new/managing-and-using-my-account/leaving-ee/what-is-a-pac-code
text PAC to 65075 log in to My EE and go to Menu > Account settings > Leave EE
So your phone needs to be secure, and you provider account needs to be secure.
Seems simple enough, they you can rely on phone number as your gateway back in, store everything in cloud provider, and get back up to speed?
Perhaps I am missing something, I am not militant about security...
@edent says:
Here's a report from Which from a couple of years ago - https://www.which.co.uk/news/article/sim-swap-fraud-how-criminals-hijack-your-number-to-get-into-your-bank-accounts-aEzeh1P6N6Z8
It certainly was prevalent. Some providers make it easier than others.
Nico says:
Interesting read! I think I had something like this in mind when I switched to authy as my 2fa provider. The idea of losing my access when losing a device somehow scared me. Also it didn't seem possible to transfer the Google authenticator to a new device at this time. I don't know if this is still the case.
Pawel says:
Google has a dead man switch of sorts - after set time of inactivity it can be setup to transfer all rights to someone else via email. Its not perfect because you would need to camp out for half a year of course. I wonder if other services let you do that?
As for key distribution among friends - there has to be some smart solution relying on the fact that your home server isn't there. App hosted on amazon that will call your home lab, perhaps your number? Even a freaking buzzer in your house! And only after it fails all that it would release some control, perhaps one extra human remambabre password away from full access? I believe UKs nuclear deterant submarines have checklists to ensure UK is well and trully gone before firing any nuclear missles. I don't know how much is available on the subject, but surely this must be a common problem, when you broeden it's scope.
Nish said on twitter.com:
"I've locked myself out of my digital life": shkspr.mobi/blog/2022/06/i…
Okay, this is also something I fear regarding 2FA. I had a similar lockout thing when I switched my phone number back in Nepal (my old phone stopped working, and I decided to get a new number...)
ReaderThe says:
Paragraph "Friendly Neighbourhood Storage" is quite unrealistic for me and isn't helpful to make a plan for that accident.
USB stick can have only the most important passwords to most important services. When you have access to those more important services you can recover a most recent password manager file backup from multitude of cloud services etc. Hide it. It isn't meant to be used until an emergency. Changes are close to zero. Yeah, you need to remember master password. How do you logged into password manager up to that day without it?
Aside from that TOTP secrets are only second factor - they won't let you log in alone without password. It should be thought as a proof of physical access to something. You can also store it unencrypted, when it is stored on your property. Cloud provider? Encrypt it, because it is being stored on someone's else servers. Yours flash driver in your house? It can lay unencrypted. A piece of paper amongst documents in yours parents house? It also probably can be stored in unencrypted form here too.
Dave Ings says:
Great post - made me think - thanks.
I use 1Password, which has built in 2FA support. My simplest mitigation seems to be to store offsite a hardcopy of 1PW’s “emergency kit”. This would get me back into my 1PW account if I lost all else. So that’s what I plan to do.
YMMV of course.
Malcolm X says:
A few years ago i imagined worst case scnario (I must admit you have a better imagination than me ) and i found a solution for that : what i do is store all 2fa totp codes in an encrypted keepass vault and remember that password instead of keeping it in password manager
since it is encrypted it doesnt matter where i upload it but ofc for max security and privacy , e2e cloud services like filen/mega are a better option ( better to upload them to at least 2 just in case)
then take the link of that file and use link shortner (use at least 2 again just in case) , and have something like bit.ly/2fa which u can access anywhere
whenever i have a new 2fa entry i just upload the new vault in same directory as before , with file versioning , i have all previous vaults in same place with same link
@edent says:
There are two main problems with this approach.
The first is that you won't remember the password. History has shown us that unless people regularly use a password, they'll forget it. If you do choose an easy to remember password - the chances are that it will be easy to guess.
The second problem is that you're relying on a weak second factor - that the file is "hard" to find. If you have created a bitly link, the chances are that a search engine has already picked up the file.
Malcolm X says:
regarding your first concern : I usually add more sites to the vault so i constantly use that password so that isn't an issue , you can always use a slightly similar password to the one for password manager
As for your second concern : you can use a more privacy friendly link shortner or self host one . And even if they pick it up , if you use a password with good entropy for the vault , it will be impossible to decrypt it
Sam says:
Well, you could simply create another account in your password manager (like Bitwarden) and store all your 2FA recovery codes and of course, ensure this account does not have 2FA enabled. In this account, just have the recovery codes with hints /clues that only you can understand to what service it is meant for (without using usernames). This way, in the unlikely event of account compromise (with your leaked password), it's only a bunch of strings.
You then need to remember only two master passwords (one for password manager with 2FA and another with a password manager without 2FA).
I follow the above, while also having Authy to synchronize on my wife's father's phone (besides her phone of course) and another desktop at their place.
Nico says:
May I ask why you sync Authy to many devices? I assume you don't use their server side backup then? If so, why not? Or is this just an additional layer?
Adam Dempsey says:
This actually happened to me last year (flat burned down completely, nothing recoverable) but I was lucky that I picked up my phone which gave me instant access to my Cloud storage / 2FA etc to be able to still access all of my digital data. If the phone had been left behind that would have been a different story.
I also lost my NAS, which was mostly a local backup of my cloud data but I did (foolishly) have some data only on there so that has now gone forever.
When Security Locks You Out of Everything - Schneier on Security said on www.schneier.com:
This Article was mentioned on schneier.com
Peter "Halpern says:
One of the reasons I am happy to be a US citizen and a citizen of another country.
I have a safe deposit box at two different banks. (yes, they are geographically separated) FYI safe deposit boxes can be relatively inexpensive in the US or free depending on your relationship with the bank (Assets Under Management or breadth of products) I have copies of many of the items listed in those boxes. (A 'relatively recent' backup hard drive, keys to multiple items, legal documents including a proxy where my mother can access the safe deposit box, photocopies of driver's license, the passports, Social Security card, etc) Bank accounts with basic emergency funds in two countries. Cloud backups of many of the items listed above, as well as additional items as safeguards.
While not a perfect DRP, it is sufficient and not costly.
Brenden Walker says:
Local backups mirror my NAS data daily (2 NAS boxes with 15TB each). When we leave for any extended period of time the local backup HD's are stored in a 4 hour rated fire safe.
Everything is encrypted locally prior to storage on Azure, $50 credit I get with MSDN sub covers that (employer pays MSDN sub). This is the only cloud storage I leverage, weekly backups for most data.
Password database is synced to 2 USB sticks along with the software necessary (KeePass portable), one is in my pocket at all times and the other is...elsewhere. I update the password DB every month or so, and immediately if I'm cycling/setting up a login for something critical (bank, insurance, etc). Years ago I memorized a complex passphrase that is only used for this one purpose. Password DB is not cloud hosted so if anyone gets access to it for brute forcing they've managed to bypass a lot of security to get there.. and will need to brute force a very complex passphrase. I accept the residual risk on this.
I don't use my phone for anything sensitive, if it were lost or stolen my main concern would be getting a new phone. For critical 2FA I prefer hardware tokens.
I have done disaster recovery exercises including full restoration of systems as well as specific data recovery. This works for me, and keeps my wife happy (artists make a lot of data!) YMMV.
Bob Ligma says:
Easy solution: just have a hot site set up in another state, ready for you to walk in and start using right away.
@edent says:
For some value of "easy"…
fourzerosix says:
should have a small bunker below the house for important storage and water/fire-proof safe
Dr Jess Birch 🛡🏳️🌈 said on twitter.com:
If you go for a walk & lose your door key, it will never involve having to buy a new house because old house is now permanently inaccessible. We require systems of trust (tracking who owns homes & who rents what, even if you lose a bit of paper or a key). shkspr.mobi/blog/2022/06/i…
Cory Doctorow mentioned this.
I've locked myself out of my digital life (passwords, 2FA, security) - Feddit said on :
This Article was mentioned on feddit.de
Matt says:
I think the obvious failure here in your hypothetical is that you did not have an off-site backup. Superficially it looks like you do, cause everything is in the cloud. However it's not an off-site backup unless your encryption keys are also backed up off-site, along with the credentials to access it all (and yes your second factor is a credential). In this hypothetical, all your second factors (security keys, phone, paper with recovery codes) were stored on-site, which is why everything failed.
You mention storing a USB stick with a friend, but then only consider the unworkable solution of storing a frequently changing target (backup codes for all your services). All you really need to store is the credentials and keys to restore from your off-site backup, and possibly for your email account. That is probably just the recovery codes (and passwords if not memorized) for your cloud site(s) and your email account, and maybe a spare security key that's authorized for those accounts if that's in your budget. Those shouldn't need to be updated very often. Encrypt those with the same passphrase you use for your password manager (which you presumably have memorized). You can reduce the risk of your friend or their kid misplacing/wiping it with an envelope and marker (pretty cheap). As for the concurrent loss of both sites, do you only have one friend? Do they all live in the same city?
Other solutions include using another cloud backup site which you only put your encrypted password store in, and then don't turn on 2FA for that one (it's only protecting an encrypted file). I've even seen the suggestion somewhere to store your encrypted password file in the public part of your cloud account, but that effectively turns off 2FA for your password management.
Christian Hammond 🇺🇸🇺🇦🌎 said on twitter.com:
Hmm... Living in California, I might want to adjust my backup and authentication strategy.
shkspr.mobi/blog/2022/06/i…
Billy Eager says:
Idea: 1. A phone app which routinely checks for phone movement periodically when the phone is unlocked and sends an "All Good" confirmation back to the app's cloud account where you have set up a number of event triggers. 2. After X amount of time of it failing to send the "All Good" confirmation (due to lightning strike/fire/space lasers destroying the phone or the phone being lost/stolen but remaining locked) the cloud account sends an email to preset addresses stating that if no response is received by clicking on a link within, important information from you will be sent in X amount of time 3. a) Fortunately you have a new phone being set up and you managed to remember your login for your favourite password storage app so don't need this package to be sent. You click the link on the email to delay the delivery long enough for your new phone to be set up so the app can be reinstalled and continue to send "All Good" confirmations to your app cloud account OR b) You don't have any other means to access your digital life than through the information contained in the digital delivery package, so nobody clicks on the link in the email and the digital package is then sent at the required time, thereby restoring your access to your digital life
Note: Said app would only allow the creation of the digital 'package' and trigger settings/email recipients once and the entire setup would remain locked and encrypted within your app account cloud storage unless it is deleted/replaced with a new one. This means even if your app account access was compromised the most damage which could be done by the intruder would be the deletion of your encrypted event package and the app could be set to automatically notify you whenever a deletion is done on your cloud account and block any cloud deletion during an active countdown period.
This is the closest I can get to a mechanism by which an account compromise reveals nothing useful to an intruder while ensuring that delivery of the data package is only made in the absence of any responses from you or your recipient group. (You could even make it a 'n of n' response requirement just to prevent a 'bad' recipient from maliciously responding to the alert email and reseting the countdown timer even though they know the data release is needed)
Thoughts?
@edent says:
If the "digital package" is encrypted - then how will you remember the long and complex password for it?
If it is unencrypted - then the provider of the service has all your data.
This isn't a problem which can be perfectly solved by throwing more technology at it.
Billy Eager says:
The digital package would be encrypted with your own public key, to which the privkey would be held by you and your fallback recipients (again, could make it 'n of n' to unlock if necessary so no single recipient could unlock it)
The encrypted digital package would be useless without the privkey which would be useless without the digital package to decrypt.
An attacker would have to compromise multiple email accounts without knowing which email addresses are in the recipient group and gain access to the required privkey(s).
@edent says:
So we're back to square one! How do you protect that private key? What happens if you accidentally lose it in a lightning strike?
Billy Eager says:
As I said, your fallback group have a privkey each for n-of-n multisig. No single person can unlock the encrypted package. You set it at, say 3-of-5, and if one of those 3 is you, post-disaster, there is only a need for you to rely on 2 of your fallback group, or 3 if you're not around any more or you've no longer got access to your own privkey for the group.
How scorched-earth is your scenario that you want to demand the recovery plan has to account for multiple people in multiple locations losing the privkeys you sent to them?
@edent says:
How does this deal with the "Murder on the Orient Express" problem?
If three of your "friends" decide to betray you - or get hacked themselves - it's game over.
"For Want of a Nail" is strong in your login | APNIC Blog said on :
This Article was mentioned on blog.apnic.net
Crypto-gram: July 15, 2022 - Schneier on Security said on www.schneier.com:
This Article was mentioned on schneier.com
Jeff Fortin Tam 🎆 said on twitter.com:
Exactly the kind of 2FA nightmare scenario I want to avoid. I lose my stupid phone half a dozen times a day, it's a miracle I manage to find it everytime, and I certainly don't want to depend on it (or any physical token) for authentication 🤔 shkspr.mobi/blog/2022/06/i…
Oliur said on :
This Article was mentioned on oliur.substack.com
How do you recover passkeys if you lose all your devices? said on :
This Article was mentioned on sixcolors.com
kimmyG says:
Isn't this post just the opening slide(s) of a VC presentation looking for funding for a company offering safekeeping vaults for digital assets (pwd + MFA keys for password manager, etc) that are secured with DNA - so you have to show up in person at an authorized location, where they will DNA test you to confirm who you are, and then release the contents of the digital vault?
Michael said on ms1.me:
@Edent What a great post! Thank you for sharing. I'm going to attach a bungee cord to my phone when I go to bed now 🤣
Richard Bairwell (main) said on mastodon.org.uk:
@kev @Edent The problem with the multiple Yubikeys solution is that you need both/all of them on hand when you setup a new service - no way of registering all using just one - so no keeping the backup in a disused lavatory in a basement with a sign saying "beware of the leopard".That's if the service supports multiple- the fact on Mastodon I have my phone, Windows Hello and 2 Yubikeys all setup on a free service for 2fa and $ limit you to one device is astonishing
Ben Tasker mentioned this.
Alexey says:
A simple and reliable solution to the problem is to store important data in encrypted form in public places, such as: - github repo - telegram channels (supports unlimited number of files up to 2 GB) - public pages at vk.com (supports unlimited number of files up to 4 GB)
Use strong encryption and long passphrase, keep backups in several public places - and the problem is over.
@edent says:
How do you remember those very long pass phrases, Alexy?
Alexey says:
This is a line from a poem (in Russian) that I will never forget, for example.
@edent says:
Слава Україні!
But most people don't have such a good memory. And, if you've experienced a traumatic event, even your fantastic memory may be compromised. Of course, you remember exactly which capital letters you used, whether you replaced any letters with numbers, and if you used spaces or not?
Wait... is it the same poem you and your friends all learned at school? How long do you think it will take them to crack it?
Alexey says:
Героям слава!
It's a matter of practice and repetition. If a person cannot memorize a long phrase from 1-2 times, then he will be able to memorize it from 10-1000 times. This is a matter of desire. If a person wants, he will find a way to memorize a long phrase, even consisting of random characters.
Alternatively, in addition to the phrase, you can use some publicly available file as a key (billions of files are published on the Internet, the attacker does not know which one can be your keyfile).
OK, I can't offer a one-size-fits-all solution that will work in all cases. But at least the solution I proposed will work with the case described in your article (in most cases).
Sure.
Maybe.
40+ symbols including digits and capital letters. My passphrase consists not only of a line from a poem. I think it will take a very, very many years.
Ben Tasker mentioned this.
More comments on Mastodon.