#CoSoTech #Tech #CoSoSec #Security
Don't sync MFA secrets to the cloud
- Don't put them in your password manager, no matter how convenient that may be. In the unlikely event that someone gets into your PW DB you *don't* want to also give them all your MFAs.
- Don't sync them with a third-party app/service, which automatically becomes a priority target.
- And DEFINITELY don't sync them in an already-high-value account, like your Google account.
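One way to check the first point against your own vault, as an added example that is not part of the original thread: export the password manager to CSV and flag every entry that also carries an MFA seed. The column names (`name`, `login_totp`, `notes`), the function name and the sample rows are assumptions constructed for illustration; adjust them to your manager's export format.

```python
import csv
import io
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample export; the column names are assumed, not a specific product's format.
SAMPLE_EXPORT = """name,login_uri,login_username,login_password,login_totp,notes
Mail,https://mail.example,alice,pw1,otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example,
Forum,https://forum.example,alice,pw2,,no second factor stored
Bank,https://bank.example,alice,pw3,JBSWY3DPEHPK3PXP,
Wiki,https://wiki.example,alice,pw4,,backup otpauth://totp/Wiki:alice?secret=JBSWY3DPEHPK3PXP
"""

# otpauth:// provisioning URIs can hide in any cell, including free-text notes.
OTPAUTH_URI = re.compile(r"otpauth://(?:totp|hotp)/[^\s\"']+", re.I)
# Column names that suggest a dedicated OTP field (assumed naming).
OTP_COLUMN = re.compile(r"(?:^|[^a-z])(?:totp|otp|otpauth)(?:$|[^a-z])", re.I)
# A bare Base32 seed, optionally grouped with spaces and padded with '='.
BASE32_SEED = re.compile(r"[A-Z2-7 ]{16,}=*", re.I)


def find_mfa_seeds(export_csv):
    """Return (row, entry, reason) for each cell that holds an MFA seed.

    The seed itself is never copied into the result, so the report is safe to share.
    """
    findings = []
    rows = csv.DictReader(io.StringIO(export_csv))
    for row_no, row in enumerate(rows, start=2):  # row 1 is the header
        entry = row.get("name") or "<unnamed>"
        for column, value in row.items():
            if not column or not isinstance(value, str) or not value.strip():
                continue
            match = OTPAUTH_URI.search(value)
            if match:
                query = parse_qs(urlparse(match.group(0)).query)
                issuer = query.get("issuer", ["unknown"])[0]
                findings.append((row_no, entry, f"otpauth URI in {column} (issuer: {issuer})"))
            elif OTP_COLUMN.search(column) and BASE32_SEED.fullmatch(value.strip()):
                findings.append((row_no, entry, f"bare Base32 seed in {column}"))
    return findings


if __name__ == "__main__":
    for row_no, entry, reason in find_mfa_seeds(SAMPLE_EXPORT):
        print(f"row {row_no}: {entry}: {reason}")
```

Each flagged entry is one where a single vault compromise would hand over both the password and the second factor; delete the export file once the check is done.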
I do similar. OnlyKey(s), duplicate at lawyers, office safe.
Personally, I keep my secrets on a pair of Yubikey hardware tokens using the Yubico Authenticator app. I keep one token with me and the other stays locked in a fire safe as a backup.
https://play.google.com/store/apps/details