科技回声
A tech news platform built on Next.js, providing global technology news and discussion.
© 2025 科技回声. All rights reserved.

Ask HN: AWS registering MFA will be required in 29 days

7 points, by herodoturtle, 7 months ago
Hi folks,

When signing into our AWS console this morning we noticed this security popup - "Registering MFA will be required in 29 days".

Below the notice is a list of options for registering for MFA, and I quote:

> 1. Passkey or Security key: Authenticate using your fingerprint, face, or screen lock. Create a passkey on this device or use another device, like a FIDO2 security key.

> 2. Authenticator app: Authenticate using a code generated by an app installed on your mobile device or computer.

> 3. Hardware TOTP Token: Authenticate using a code generated by hardware TOTP token or other hardware devices.

Perhaps this is a dumb question, but why can't we just use email for 2FA? (Or maybe there is a way and we've just missed it?)

If email 2FA is not an option, which of the above 3 options would you recommend to minimise hassle?

(Option 1 looks simple but sounds like it's limited to individual devices? Option 2 - the idea of installing an app - irks us. With option 3 would we each need a hardware token?)

Any guidance would be appreciated. Thanks.

5 comments

YouWhy, 7 months ago

First of all, 2FA is a jolly good idea in terms of preventing account hijackings; relying on email/SMS (texts) introduces multiple hazards that can reverse 2FA's net benefit.

One configuration some people use is the KeePass desktop password manager, which supports storing TOTP seeds and has a nice UX for generating tokens; the password database file may be located as you see fit on a hard drive, DOK, cloud drive etc. Example of TOTP config for KeePass:

https://www.fhtino.it/docs/keepass-totp--intro/

Also, Keepass2Android can be used in a similar vein from Android devices. iOS equivalents seem to exist as well.
mooreds, 7 months ago

I'd go with number 2 unless you want to buy everyone a hardware token (option number 3).

There are open source solutions (I've used https://2fas.com/ ) and very common solutions (Google Authenticator).

You can even print out the QR code and put it in a secure location (safe, safe deposit box) as a break-glass in case everyone's phones cease functioning.
Comment #41809747 not loaded
xet7, 7 months ago

On Linux, I manage local 2FA with the Numberstation GUI. It can import/export.

sudo apt install numberstation

I manage passwords with KeepassXC

sudo apt install keepassxc

There is also a newer version with additional features:

https://github.com/keepassxreboot/keepassxc

Comment #41816692 not loaded
stephenr, 7 months ago

Thanks for posting this. I'm going to link back to this whenever anyone claims that using AWS/etc means you don't need any experienced infrastructure/ops people.

As for the actual question: what browser/password manager in 2024 doesn't support both options 1 and 2?

Comment #41812142 not loaded
dotps1, 7 months ago

Personally I would do all of them.

I would make a passkey and stick it in Bitwarden so I have it with me on all my devices.

I would link my account to my authenticator app.

Then I would also register my yubikey I keep on my keychain.

Comment #41812112 not loaded