
Re: Google Authenticator, I've started grabbing the TOTP secrets and storing those in backups. Download the QR code and decode it to get a string like the following:

otpauth://totp/Domain%3Ayour%40email.com?secret=HXDMVJECJJWSRB3H&issuer=Domain

That "secret" field is the only thing that TOTP actually cares about, and any app that supports TOTP will happily ingest the secret and provide 2FA codes.



Careful with those backups though. You should probably treat your TOTP secrets as password-equivalents.

I grab all my QR codes or secrets, but I store them in 1Password so they're strongly encrypted in my backups.


Agreed. They live in BitWarden right next to the passwords. I lose some security, since compromising my password manager now also compromises my 2FA, but the password manager is itself behind 2FA, a Yubikey, and its backup codes are on paper in my safe.


Yubikeys can do TOTP. Why not just store the secrets on the key itself?


Laziness, old Yubikey hardware that doesn't do TOTP natively, logging in to websites on my phone. I probably should upgrade, it's just pretty far down my to-do list.


An attacker needs both the TOTP secret and the password, right?

(Just so I'm not misunderstanding something.)


Correct. So putting your TOTP codes in your password manager is no less safe than using the password manager in isolation, and likely substantially more safe, because it requires attackers to compromise your password manager in totality (which should be itself behind 2FA) rather than just phishing an individual password.


They sort of need remote code execution on my laptop, I'm thinking.

Qubes OS may be a good idea here -- isolated VMs. (One VM for the pwd manager)


For extra precaution, you might want to store TOTP secrets in a password manager that's separate from the one used to store passwords.


AndOTP supports exporting TOTP secrets into an encrypted file which can be reimported if you need to restore your keys. You can have the file stored in Keepass or an encrypted container for storage.

Additionally it has support for Steam and Blizzard TOTP secrets. Though they aren't straightforward to use, it's nice having them on one app.


I've used this to cover me when traveling overseas. I print them on paper and snail mail a copy to several different family members. They don't have my passwords, so pretty secure from that angle.

This also helps if you want to use YubiKey TOTP support. Grab the keys, and then set them up on multiple sticks. If you lose a stick, you need to rotate, but if you, say, accidentally snap one in half (yes, I've done this).

FIDO2 is better, but for sites that don't support it, I use this to make TOTP sites almost as secure.


Would this be a good moment to use Shamir's Secret Sharing? That way you don't have to give the full key to anyone.
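One way to do what the comment suggests: split the base32 secret with Shamir's Secret Sharing so that, for example, any two of three family members can reconstruct it but a single share on its own reveals nothing. This is an added example, not the commenter's code; the share string format ("index:length:hexvalue") and the choice of the prime field 2^521 - 1 are my own assumptions, and the sample secret is the one quoted in the thread.

```python
import base64
import secrets

# 2^521 - 1 (M521) is prime, so arithmetic mod PRIME is a field; it holds
# secrets up to 65 bytes, far beyond the 10-32 bytes TOTP issuers hand out.
PRIME = (1 << 521) - 1


def _b32decode(secret_b32):
    """Decode a base32 secret as found in an otpauth URI (case/padding vary)."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients in ascending order) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_totp_secret(secret_b32, threshold, shares):
    """Split a base32 TOTP secret into `shares` strings; any `threshold` of
    them recover it. Share format (assumed here): "index:length:hexvalue";
    the byte length travels with the share so recovery re-encodes it exactly."""
    if not 2 <= threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    raw = _b32decode(secret_b32)
    s = int.from_bytes(raw, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [f"{x}:{len(raw)}:{_eval_poly(coeffs, x):x}" for x in range(1, shares + 1)]


def recover_totp_secret(share_strings):
    """Lagrange-interpolate the polynomial at x = 0 and return the base32 secret."""
    points, lengths = [], set()
    for share in share_strings:
        x, length, y = share.split(":")
        points.append((int(x), int(y, 16)))
        lengths.add(int(length))
    if len(lengths) != 1:
        raise ValueError("shares belong to different secrets")
    if len({x for x, _ in points}) != len(points):
        raise ValueError("duplicate share index")
    length = lengths.pop()
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse via Fermat (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    if total >= 1 << (8 * length):
        # Too few shares interpolate an essentially random field element,
        # which almost never fits the secret's length: fail rather than
        # hand back garbage.
        raise ValueError("not enough shares to recover the secret")
    return base64.b32encode(total.to_bytes(length, "big")).decode().rstrip("=")


if __name__ == "__main__":
    parts = split_totp_secret("HXDMVJECJJWSRB3H", 2, 3)  # secret quoted in the thread
    for p in parts:
        print(p)
    print("recovered:", recover_totp_secret(parts[:2]))
```

Each share is a point on a random polynomial over the field; fewer than `threshold` points are consistent with every possible constant term, which is why the holders of one share learn nothing about the secret. Note that the shares still need the same handling as the secret once enough of them are in one place, and that rotating the TOTP secret invalidates all of them.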


> Download the QR code and decode it to get a string like the following: otpauth://totp/Domain%3Ayour%40email.com?secret=HXDMVJECJ...

How do you download and decode?

Any Linux software tips?

And how do you verify and double check you did it right? (Saved the exact correct code)


Right-click in Firefox and "save image". Drop it in /tmp so it gets nuked on next reboot (tmpfs yay). Pick your favorite barcode reader tool; I ended up deciding on `zbar-tools` based on... not honestly that much research. Invoke `zbarimg /tmp/qr.png`. It'll spit out the TOTP URI.

Verifying that I did it right: I manually enter the secret into a tool that can produce TOTP codes and verify that Google Authenticator and my backup are producing the same one-time passwords.
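The two steps described in this thread, parsing the otpauth URI that zbarimg prints and checking that the saved secret produces the same one-time password the phone shows, as an added example that is not the commenters' tooling. It implements RFC 6238 TOTP (HOTP per RFC 4226 over the 30-second counter) with the defaults Google Authenticator assumes when a URI omits them; the sample URI is the one quoted in the thread, and the `backup_matches` check and its one-step skew window are my own design.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# The URI quoted in the thread, used here as sample input.
SAMPLE_URI = "otpauth://totp/Domain%3Ayour%40email.com?secret=HXDMVJECJJWSRB3H&issuer=Domain"


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into the fields a TOTP generator needs.

    Only `secret` is mandatory; digits, period and algorithm fall back to the
    defaults (6, 30 s, SHA1) that Google Authenticator assumes when absent.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret parameter")
    return {
        "label": unquote(parts.path.lstrip("/")),  # e.g. "Domain:your@email.com"
        "issuer": params.get("issuer"),
        "secret": params["secret"],
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def decode_secret(secret_b32):
    """Base32-decode a secret as it appears in the URI (case and padding vary)."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore the padding many issuers drop
    return base64.b32decode(s)


def totp_code(key, timestamp, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter."""
    counter = int(timestamp) // period
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def backup_matches(uri, observed_code, timestamp=None, skew_steps=1):
    """True if the backed-up secret reproduces the code another app shows.

    The code is accepted if it matches the current time step or one step on
    either side, so a few seconds of clock skew between devices do not
    produce a false mismatch.
    """
    info = parse_otpauth(uri)
    key = decode_secret(info["secret"])
    now = int(time.time()) if timestamp is None else int(timestamp)
    for step in range(-skew_steps, skew_steps + 1):
        code = totp_code(key, now + step * info["period"],
                         info["digits"], info["period"], info["algorithm"])
        if hmac.compare_digest(code, observed_code):
            return True
    return False


if __name__ == "__main__":
    info = parse_otpauth(SAMPLE_URI)
    print(info["issuer"], info["label"],
          totp_code(decode_secret(info["secret"]), time.time()))
```

To verify a backup the way the comment describes, paste the URI from `zbarimg` into `SAMPLE_URI`, run the script, and compare its output with the code the phone displays at the same moment (or call `backup_matches(uri, "123456")` with the code read off the phone). The RFC 6238 test vectors (secret `12345678901234567890`, code 287082 at T=59) are a good self-check that the generator itself is right before trusting it with a real secret.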


Thanks!!



Yep - it's really useful to know that structure for services that don't bother properly identifying themselves with the issuer parameter in their QR codes, so they end up in apps like Authenticator without enough descriptive context to be easily found (I'm looking at you, Dropbox and GitHub!)


That's also what I do: I store in "pass" the password itself but also the TOTP secret, in case my phone is lost at some point.



