I added 2FA to my Meteor app quite some time ago. It was very easy because of the great support for it in Meteor Accounts.
I have a question about recovery codes. I store my passwords in a password manager, which is secured by 2FA. The password manager gives me a list of recovery codes in case for some reason that doesn’t work. It tells me, of course, not to store the recovery codes in the password manager, since by definition I wouldn’t be able to access them there in this situation.
So… where do I put the recovery codes? In a disk file? On paper? That seems to defeat the purpose of having 2FA at all.
Should I store the recovery codes in… a different password manager?
If you do not trust your current computer, you should keep passwords and 2FA codes on a separate offline computer, and type the passwords and 2FA codes manually, reading them from the offline computer.
Another way is to use Qubes OS, and copy-paste passwords from an offline VM to an online VM.
Or alternatively, for browsers, there are some sandboxing apps like Firejail / FireTools that limit what directories the browser can access.
Or run the browser in a VM, and only enable clipboard copy-paste when you are copying passwords to the VM. Yes, there have been bugs in older versions of browsers, like older desktop Firefox, older iOS Safari, etc. And I’m still waiting for the newest Android security fixes to become available for my Samsung smartphone and tablet.
For backups: you should have exported backups of your passwords and 2FA codes as text files offline, in at least 3 different places if possible, where you store the files inside a VeraCrypt encrypted file that has a long password. Similarly for any other important files. That way, if your computer’s hard drive breaks, you can get your files from backups.
2FA codes look like this as text:
otpauth://totp/
2FA codes can be exported to text, for example with the Ente app. I changed from Authy to Ente so that it became possible to export 2FA codes to text and import them into the Linux apps Authenticator and Numberstation, and into the Ubuntu Touch app 2FA Manager.
That makes sense. But at the same time, although I trust my laptop, someone could steal it. Someone could even get into an office and get onto multiple computers. Any kind of plain-text storage seems to be insufficient. That’s why I’m wondering, would the best approach be to keep them in a second password manager?
For Linux, install Linux with full-disk encryption and a long password.
For Windows, use VeraCrypt or BitLocker for full-disk encryption.
For Mac, use the full-disk encryption included in the Mac settings.
For most files, keep them in encrypted VeraCrypt containers, with only the important files open.
If you are not at the laptop, have a screensaver that becomes active, and have the password manager log out when the screensaver becomes active.
If someone could even get into an office, better keep the office door locked, and have video cameras use face detection to alert on any unrecognized faces, lock the door and alert guards automatically.
A typical GDPR audit is that someone comes to your office, is not stopped at all, and takes photos of papers on a desk that contain some private data.
A typical security attack is that a criminal finds some security hole and tries to get some money from the company. If the company does not pay, the criminal leaks the data and files a GDPR complaint with the GDPR authorities. If the company pays, the criminal can also leak the data and file a GDPR complaint with the GDPR authorities in that case.
But are there potential drawbacks to my suggestion that the 2FA recovery codes be kept in a second password manager? If the main password manager is inaccessible, you can still get them from the second password manager.