
How to keep MFA backup tokens?
MFA is good security
This is the last part in a series of three posts on passwords.
We know that MFA/2FA is a safe way to protect access to systems. In addition to your password, you need a randomly generated code from a separate device or application that the system can verify. It is a fundamental step of cybersecurity.
However, what happens when you lose your third-party device?
Note that some of the newer MFA/2FA applications do offer backups of their own. Those are great, as long as you control the encryption keys. Otherwise, it is just another way for those credentials to get stolen. Regardless, as you set up MFA, systems will present you with backup codes you can use to authenticate in case you lose your MFA device(s).
Where are you storing the keys to your kingdom?
It all comes down to how paranoid you want to be. So, here are five ideas, ranked from worst to best in terms of security, for you to take inspiration from.
★☆☆☆☆ Paper copy
If you do not care whatsoever, then a printed piece of paper in your laptop bag or wallet, or a plain file on your computer, is all you require. Of course, it is massively insecure and probably in violation of some policies you have at work. Anyone who finds it can use those credentials, log in as you, and change your password and MFA settings so that they now have full access.
We strongly advise not doing this.
★★☆☆☆ An encrypted file
You put your codes in a file and encrypt it on your machine with a key derived from a passphrase. This is not a bad way of doing it. However, it comes with a few problems. First, there are no backups unless you make them manually. Second, you need to remember a passphrase. And finally, the file still resides on the same machine that is used to access those systems.
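One way to do this, as an added example that is not part of the original post: a small POSIX shell script that uses the openssl command-line tool to encrypt a constructed codes file with a passphrase-derived key (PBKDF2, AES-256-CBC), checks that it decrypts back to the original, and deletes the plaintext. It assumes OpenSSL 1.1.1 or later is installed; the codes, passphrase and file names are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a file of MFA backup
# codes under a passphrase with OpenSSL, verify the round trip, remove the
# plaintext. Assumes the `openssl` CLI (1.1.1+) is on PATH.
set -eu

# Constructed sample codes; real ones come from the service that issued them.
write_sample_codes() {
    printf '%s\n' "service: example.com" \
        "1111-2222" "3333-4444" "5555-6666" > "$1"
}

# Encrypt $1 into $2 with the passphrase read from file $3.
# -pbkdf2 with a high iteration count slows offline guessing of the
# passphrase; -salt makes each encryption unique. `openssl enc` offers no
# authenticated mode, so tampering with the file is not detected: keep it
# somewhere it cannot be modified unnoticed.
encrypt_codes() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 \
        -in "$1" -out "$2" -pass file:"$3"
}

# Decrypt $1 into $2 with the passphrase read from file $3.
decrypt_codes() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$1" -out "$2" -pass file:"$3"
}

# Full workflow in a temporary directory. Prints "ok" when the file decrypts
# to the original and a wrong passphrase does not yield the codes.
backup_roundtrip() {
    dir=$(mktemp -d)
    write_sample_codes "$dir/codes.txt"
    printf '%s\n' "correct horse battery staple" > "$dir/pass.txt"
    printf '%s\n' "wrong passphrase" > "$dir/wrong.txt"
    encrypt_codes "$dir/codes.txt" "$dir/codes.enc" "$dir/pass.txt"
    decrypt_codes "$dir/codes.enc" "$dir/check.txt" "$dir/pass.txt"
    cmp -s "$dir/codes.txt" "$dir/check.txt" || { echo mismatch; return 1; }
    # A wrong passphrase usually fails outright (bad padding); on the rare
    # occasion the padding happens to check out, the output is still garbage.
    if decrypt_codes "$dir/codes.enc" "$dir/bad.txt" "$dir/wrong.txt" 2>/dev/null \
        && cmp -s "$dir/bad.txt" "$dir/codes.txt"; then
        echo "wrong passphrase recovered the codes"; return 1
    fi
    # Plaintext and passphrase must not linger next to the ciphertext.
    rm -f "$dir/codes.txt" "$dir/check.txt" "$dir/bad.txt" \
          "$dir/pass.txt" "$dir/wrong.txt"
    echo ok
    rm -rf "$dir"
}
```

In real use the passphrase is typed at the prompt rather than stored in a file (the file here exists only so the script runs unattended), and the resulting `codes.enc` should be copied to offline media rather than left on the machine that logs in to those systems.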
★★★☆☆ Secure physical device
If you have a YubiKey, or equivalent, you can store your backup codes there. The main concern with this is that you have yet another device to store and keep track of. Backups are still an issue unless you have two sets of devices. YubiKeys do offer additional layers of security, so it might not be a terrible idea to invest in them anyway.
★★★★☆ Password manager
This is the best option when balancing convenience and security.
If you already use a password manager for your passwords, you could store the backup codes there. However, that is not such a great idea: anyone who gains access to it then holds both your passwords and your backup codes. Therefore, you should use a different one from your main one. You could get one of the many free password managers and dedicate it to backup codes only.
★★★★★ Third-party storage
You probably do not need this one.
First, take the backup codes, either printed on paper or encrypted on a USB drive. Second, drive to your bank or law firm. Finally, at the bank, rent a safe deposit box and store the codes there; at the law firm, ask them to keep the codes safe within their vault. This is both inconvenient and expensive, but it does offer the best security.
Final thoughts
Whatever you choose will be a mix of convenience and security. The right answer depends on many factors, and MFA is just one part of the cybersecurity puzzle. If you are unsure how to proceed, please get in touch and we should be able to help you.
- Part 1, what is a strong password?
- Part 2, how to choose a password manager?
- Part 3, how to keep MFA backup tokens? (this post)