Comment on Google Authenticator Blamed to have made one company’s network breach much, much worse
jasondj@ttrpg.network 1 year ago
Almost everything has trade-offs.
Personally I’d prefer a combination of methods. Company-owned lockdown phones with certificates for software and biometrics to unlock. Push based number-matching (like MS Auth) on approved and controlled mobile devices for access into the environment.
Hardware PIN+digit tokens are a second-best, as it’s very easy to train people to be suspicious of anyone asking for their code…but they can be cumbersome to use.
Smartcards can be alright if they are combined into physical access badges so leaving it in your computer can’t really work if you need it to get out of the building/elevator/parking garage. But they can be a serious PITA to administer and a lot of applications don’t support it natively, and a huge burden for users if they have to use it on mobile (or if you order laptops that don’t have built-in readers).
sloppy_diffuser@sh.itjust.works 1 year ago
This is my take also, which is don’t put all your eggs in one basket. For my critical systems I typically use a memorized sentence and a key stored on a hardware device that is pin protected. I carry two hardware devices from different vendors with different accounts on each to further limit what can be accessed if any were compromised. If supported, I also use Aegis and Bitwarden (different accounts on each) for OTPs as a third gate.
It can be annoying at times, but it’s not as crazy as it sounds. I can get access to anything in about 30 seconds.