HACKER Q&A
📣 edent

How many 2FA tokens do you have?


I currently have 43 TOTP tokens in an app.

That feels like a lot, and is starting to get unmanageable.

I also have a handful of services tied to a Yubikey. But I've no way of knowing how many.

So, how many do you have?



👤 simonbarker87
Related: anyone have a good 2FA backup solution? Like if I lose my phone at this point I'd be pretty stuffed as my Google Auth app would be gone and my text 2FA also gone in the same moment.

👤 toastal
I have 24 keys in andOTP. I have them backed up with password-store and the OTP plugin. I also have my most frequently used ones on profiles in my hardware OnlyKey which can support FIDO2, TOTP, Yubikey's special format, text passwords and more. I have 2 of these keys, the other in a fire safe. I'm not really concerned with losing a single device because of redundancy.

The things I hate about the 2FA process:

1) requiring a phone number, especially only having SMS for 2FA like my foreign bank (I've reported the issue with SIM swapping with them on support and in person, but considering their system still isn't UTF, using a very old encoding so I can't even type a comma in a message without errors, I'm not holding my breath)

2) not offering WebAuthn, especially as a big firm

3) Supporting specifically Yubikey and not FIDO2/WebAuthn

4) using some bullshit closed-source wrapper around TOTP like Symantec VIP that doesn't have a Linux client and requires me to use some random Python script to spoof a Mac system to get a code (thanks Schwab)


👤 msoad
Wide WebAuthn[1] adoption can't come soon enough! This is so stupid! All I need is a single private key to login to all the websites!

I personally like to keep it in my iCloud account because I don't trust myself with keeping a private key for too long.

[1] https://webauthn.io


👤 BLKNSLVR
4 in Google Authenticator and 21 in Authy, 1 of which may have been superseded.

One service I use has four separate 2FA tokens to use with different service functions, and I have one account for me and one for my wife, so that single service accounts for 8 of 21 Authy tokens.


👤 smoyer
I have three Yubikeys that I use for TOTP and that house my GPG keys and SSH key. At any given time, I have one on my person, one in my home office and one off-site. I only use TOTP on the Yubikeys for "critical accounts" and use oathtool and password-store to perform TOTP for most accounts (in Firefox via passff).

Password-store features git push and pull so I keep my encrypted passwords and TOTP keys on a couple remote Git servers. Because I use passwords that I don't know for every service, the Yubikeys are really more about being a safe way to back-up and transport my encryption key. If I've got that, I can always decrypt my passwords.


👤 cr3ative
45 or so. But - they're all in 1Password, so the management is done for me. I don't have to scroll to a particular entry, it autofills everywhere I have to use them.

I also have a handful of yubikeys for more secure things.


👤 Klaster_1
Only a single Yubikey. After the purchase, I expected lots of services to implement WebAuthn, but none that I use bothered to, except for a select few. I touch it once a year at best.

👤 anotherhue
I've used lastpass, Keepass, 1password (which can store TOTP codes) but I've moved entirely to a Mooltipass. Easy to backup, less fuss all around. (It does TOTP). Open hardware.

https://www.mymooltipass.com/


👤 account-5
I have none. I use keepassxc to manage all my accounts.

I try to avoid 2FA. I have other strategies around account compromise.


👤 trulyrandom
71 in total. I store all tokens in Aegis and have automatic backups configured, so I don't find it to be too unmanageable. It seems like a lot, but then again I also have hundreds of accounts in my password manager at this point.

👤 captn3m0
35 in my main 2FA app (Tofu), and 4 Yubikeys configured as U2F in 6-8ish accounts. I also have a few TOTPs in one of the Yubikeys (which has a limit of 32).

👤 spansoa
Did you back up the 'seed' QR code somewhere safe? If you lose access to Google Authenticator, you lose the ability to use OTP for access.

👤 ur-whale
11

I manage them with this:

https://github.com/pcarrier/gauth


👤 firecall
61 2FA tokens!

More via phone number 2FA as well!

And a lot of passwords saved.... my app doesn't give me a count. Probably need to look on desktop :-)


👤 Thristle
4 for work, 10 personal

They are getting a bit hard to handle mostly because my app (authy) doesn't have a good enough set of icons


👤 jwr
Two Yubikeys (you always want to have two) and 28 TOTP tokens. I wish more services would support Webauthn.

👤 weird-eye-issue
27

Unrelated but no joke I have something like 600-700 accounts stored in LastPass


👤 danesparza
29 in an app. I use Keepass heavily for password storage.

👤 yesenadam
None. I think - I don't know what they are exactly.

👤 frizlab
I have 76 (mix of personal and work accounts ~50/50)

👤 Ideabile
There is only one real answer to this: too many.

👤 JohnFen
None.

Well, two, technically, but I lost them long ago.


👤 sshine
12

Mostly cloud services, version control, email.


👤 cpach
12.