On Fri, Dec 30, 2016 at 3:50 PM, Reed Loden <[email protected]> wrote:

> If I compromise your computer, I still get both the password and the TOTP
> secret just from a simple keylogger. Not safe.

I wouldn't keep it online all the time on the same device as a replacement for a second factor... but a second password store with separate key & passphrase stored on a phone or other device that doesn't also have the passwords could work, plus putting it on offline media is a pretty reasonable compromise for backup purposes. You can keep the private key on the same media and the only time you would ever be using its passphrase would be if you had to do an emergency recovery, which hopefully isn't very often. Not perfect, but likely better than many other options (many places that do 2FA suggest to print and save the unencrypted QR code on a sheet of paper).

> If you don't want to use your phone, just get a hardware token of some sort
> (Yubikey or similar).

You still need a backup for last ditch recovery if (when) your hardware device is lost/stolen/broken/replaced/etc...

I use pass like this for TOTP backup already, but not sure there's much need for anything new in pass to support doing that, as just piping the TOTP seed to/from pass works pretty well. I may get around to writing up some scripts to automate my process at some point.
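As an added example (not code from the original post, nor from pass itself), here is the kind of small script the "pipe the seed to/from pass" workflow needs: it reads a seed piped out of pass and prints the current code, which also lets you check that a backed-up seed still produces the same codes as the authenticator app before you rely on it for recovery. It assumes the pass entry keeps the bare base32 seed on its first line; the entry name `totp/example` is a placeholder.

```python
"""Print the current TOTP code for a seed read from stdin, e.g.:
    pass show totp/example | python3 totp_from_pass.py
Added example; `totp/example` is a placeholder entry name."""
import base64
import hashlib
import hmac
import struct
import sys
import time


def totp(secret_b32: str, timestamp: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP using HMAC-SHA1, the scheme most authenticator apps use."""
    # Seeds are often shown unpadded, lower-case or space-separated; normalise first.
    seed = secret_b32.strip().replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)
    key = base64.b32decode(seed)
    counter = struct.pack(">Q", timestamp // step)       # 8-byte big-endian step counter
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte selects a 4-byte window.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def seconds_remaining(timestamp: int, step: int = 30) -> int:
    """Seconds until the code for this timestamp rolls over."""
    return step - (timestamp % step)


if __name__ == "__main__":
    # Only the first line is the seed; any further lines of the pass entry are ignored.
    seed_line = sys.stdin.readline()
    now = int(time.time())
    print(f"{totp(seed_line, now)} (valid for {seconds_remaining(now)}s)")
```

Comparing the printed code against the app's current code is the quickest way to confirm the backup seed was stored intact.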
