12 Oct 2016, 03:56 PM   #282
paul29
Senior Member
 
Join Date: Apr 2014
Posts: 166
Quote (originally posted by DumbGuy):
> Regarding printed OTP... What do you think of this workaround I suggested?
That's a cute idea, using the Google backup code, but it still involves compromising your Fastmail master password as discussed. Also it means sending the Fastmail code by SMS so it can be intercepted. I think I might set up TOTP on a few different servers that I use, with printed access codes and maybe using random IPv6 addresses (from the servers' /64 spaces) so they should be very hard to find by port scanning.

Another silly thing I see: before you can even activate 2FA, Fastmail wants to send you a recovery code by (insecure) SMS and they advise you to write it down. But of course you have to treat it as compromised the minute they send it to you, so it's better to log in, delete the recovery code right away, and generate a new one.

I notice also that U2F uses elliptic curve signatures with the NIST P-256 curve, which some people think might be backdoored by the NSA (there's no concrete evidence for this, but no way to disprove it either). The NIST curves are also very difficult to implement properly, so I'd hope there's been an external code audit of the YubiKey device. And the low-cost YubiKey ($18, still not that cheap) is a big unit like a memory stick that you can't just leave in the port when transporting a laptop. I might go for a software implementation.

I don't understand why they got rid of the printed OTP that worked perfectly well with much less technical complexity everywhere in the system.