[Cryptography] Two-factor: For Others, But Not Oneself?

Kent Borg kentborg at borg.org
Wed Apr 2 17:47:32 EDT 2025


Do all those people who proselytize the two-factor religion (I think now 
renamed "multi-factor") actually use two-factor-anything in their own 
worlds, on themselves?

I'm starting to think two-factor (as I still call it) means:

 1. There are users and there is IT (or something like it).
 2. IT doesn't trust users to not be reckless, to not be fooled by
    grifters, and to not run spyware (now renamed "info-stealers").
 3. Therefore, IT will give them (require they use) an authentication
    thing that they can't easily copy nor get into (Yubikey, Passkey,
    Authenticator app, etc.), and make that part of their login.

But that doesn't make much sense when the user is his/er own IT.

-----------------------

In the last few weeks I have been experimenting with using Yubikey with 
Keepass, and I have finally given up. The cumbersome requirement to have 
the Yubikey handy, plug it in when needed, and then return it to 
safety…isn't what has me exhausted. The problem is backup and recovery. 
If I am doing this for myself and I have any problems I can't whine to 
IT. No, *I* need to implement my own backup and recovery, which for 
passwords is hard enough. Add a Yubikey in the mix and backup and 
recovery of passwords gets really hard. Particularly because to me this 
includes a way to recover from a lost Yubikey that isn't just another 
Yubikey. (Even more so since I recently seem to have mislaid one of my 
Yubikeys.) And it is hard to do all that.

So it has me thinking two-factor is something to be imposed on others 
(the "little people"), and of no real use to oneself.

If you remember my previous thread, the value in my doing Yubikeys at 
all boiled down to make sniffing my passphrase harder, because if 
someone manages to get malware running amuck on my machine I am in very 
bad shape, Yubikey or not.

Even though I am pretty conservative, I still run a lot of software on 
my machine, and I should be worried about lots and lots of it (not just 
systemd). So I am trying to air-gap my passwords into a very stripped 
and limited environment, and require of myself that I manually 
transcribe them across to the outside world, as I need them. And in that 
world, with my still needing to do backups, Yubikeys are too much of a 
pain, inviting too many additional ways to go wrong.

-kb
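The KeePass/YubiKey setup discussed in this message (KeePassXC's built-in support, and the KeeChallenge plugin for KeePass) uses the YubiKey's HMAC-SHA1 challenge-response slot: the slot holds a 20-byte secret and answers a challenge with HMAC-SHA1(secret, challenge). The following is an added example, not code from the post or from either project. It shows the one recovery path that does not need a second YubiKey: record the slot secret when the slot is programmed, and the response can be recomputed in software. It also shows the check a practitioner would want to make while the key is still in hand, namely that the recorded secret really reproduces a response the hardware gave. The function names, the sample challenge and the use of an RFC 2202 test vector as a stand-in secret are constructed for this example; the refusal of 64-byte challenges is a design choice here, not KeePass behaviour.

```python
"""Software emulation of a YubiKey HMAC-SHA1 challenge-response slot.

Added example, not code from the post or from KeePass/KeePassXC.  A slot
configured for HMAC-SHA1 challenge-response holds a 20-byte secret and
answers a 1..64-byte challenge with HMAC-SHA1(secret, challenge).  With the
secret recorded offline, the response can be recomputed without the token.
Function names, the sample secret and the sample challenge are constructed.
"""
import hashlib
import hmac
import secrets

SECRET_LEN = 20          # HMAC-SHA1 slot secret is exactly 20 bytes
MAX_CHALLENGE_LEN = 64   # size of the token's challenge buffer


def yubikey_hmac_sha1_response(secret: bytes, challenge: bytes) -> bytes:
    """Return the 20-byte response the token would produce for `challenge`.

    A challenge of exactly 64 bytes is refused: in the token's variable-input
    mode a full buffer is subject to trailing-pad stripping, and this example
    deliberately does not try to reproduce that rule (assumption made here).
    """
    if len(secret) != SECRET_LEN:
        raise ValueError("HMAC-SHA1 slot secret must be 20 bytes")
    if not 1 <= len(challenge) < MAX_CHALLENGE_LEN:
        raise ValueError("challenge must be 1..63 bytes for this emulation")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def make_recovery_record(secret: bytes) -> dict:
    """Build the record to keep offline beside the secret: a random
    challenge and the response the hardware gave for it.  Here the
    'hardware' answer is computed in software; in real use, record what
    the token actually returned while it was still available."""
    challenge = secrets.token_bytes(32)
    return {
        "challenge": challenge.hex(),
        "response": yubikey_hmac_sha1_response(secret, challenge).hex(),
    }


def verify_recovery_secret(candidate_secret: bytes, record: dict) -> bool:
    """True if `candidate_secret` reproduces the recorded hardware response.

    Run this before relying on the backup, not after the token is lost.
    """
    expected = bytes.fromhex(record["response"])
    challenge = bytes.fromhex(record["challenge"])
    got = yubikey_hmac_sha1_response(candidate_secret, challenge)
    return hmac.compare_digest(got, expected)


# Known-answer check: RFC 2202 HMAC-SHA1 test case 1 uses a 20-byte key,
# the same length as a YubiKey slot secret, so it doubles as a sample secret.
RFC2202_KEY = b"\x0b" * 20
RFC2202_DATA = b"Hi There"
RFC2202_DIGEST = "b617318655057264e28bc0b6fb378c8ef146be00"

if __name__ == "__main__":
    assert yubikey_hmac_sha1_response(RFC2202_KEY, RFC2202_DATA).hex() == RFC2202_DIGEST
    rec = make_recovery_record(RFC2202_KEY)
    print("backup verifies against hardware response:", verify_recovery_secret(RFC2202_KEY, rec))
    print("wrong secret verifies:", verify_recovery_secret(b"\x00" * 20, rec))
```

The record produced by make_recovery_record is what to store with the secret: if the token is lost, the secret is first checked against that record, and only then used to compute the response for the database's real challenge. Anyone holding the secret can compute every response, so the backup carries the same weight as the token itself and belongs in the same offline, limited environment the message describes.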