Comment by ntoskrnl_exe

5 hours ago

Pretty sure the same applies to all the passwords/passkeys/2FA codes stored in the Authenticator app with cloud backup on.

Use 1Password or similar instead. They’re keyed against a key they don’t have access to.

  • How do you avoid losing that key?

    • They have a recovery sheet you can print. If you lose your key, you can use the recovery information on that piece of paper to regain access. You put the recovery information in a safe place.

      That is also exactly why people like myself are so against passkeys: there is no offline recovery.

Only if that authenticator/password manager app is not end-to-end encrypted.

  • No, not "only". E2EE is now used as a dog whistle.

    Who holds/controls the keys on both ends?

    • End-to-end usually means only the data's owner (aka the customer) holds the keys needed. The term most used across password managers and similar tools is "zero knowledge encryption", where only you know the password to a vault, needed to decrypt it.

      There's a "data encryption key", encrypted with a hash derived from your username+master password, and that data encryption key is used locally to decrypt the items of your vault. Even if everything is stored remotely, unless the provider got your raw master password (usually, a hash of that is used as the "password" for authentication), your information is totally safe.

      A whole other topic is communications, but we're talking decryption keys here.
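The key hierarchy that comment describes, as an added illustration (not any vendor's code): the client derives the key-encryption key from username + master password, sends only a further one-way hash of it for login, and the server holds the data encryption key only in wrapped form. It assumes PBKDF2 with a constructed iteration count and a standard-library stand-in cipher in place of a real AEAD.

```python
import hashlib
import hmac
import os

# Constructed illustration of the "zero knowledge" layout (not any vendor's code):
#   username + master password --slow KDF--> KEK, which never leaves the client
#   KEK --one more one-way step--> auth hash, the only password-derived value the server sees
#   random DEK, held by the server only wrapped under the KEK; vault items are encrypted with it
# The cipher is a stand-in (HMAC-SHA256 keystream, encrypt-then-MAC); real products use an AEAD.
ITERATIONS = 100_000  # assumed value; real managers use far more, or Argon2

def derive_kek(username: str, master_password: str) -> bytes:
    # Username is the salt, so two users with the same password get different keys.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), ITERATIONS)

def auth_hash(kek: bytes, master_password: str) -> bytes:
    # Sent at login instead of the password; PBKDF2 is one-way, so it does not reveal the KEK.
    return hashlib.pbkdf2_hmac("sha256", kek, master_password.encode(), 1)

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.digest(enc_key, nonce + i.to_bytes(4, "big"), "sha256")
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.digest(mac_key, nonce + ct, "sha256")

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(mac_key, nonce + ct, "sha256")):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

def enroll(username: str, master_password: str) -> dict:
    """Client side of sign-up: returns everything the server will ever store."""
    kek = derive_kek(username, master_password)
    dek = os.urandom(32)
    return {"auth_hash": auth_hash(kek, master_password), "wrapped_dek": seal(kek, dek)}

def unlock(username: str, master_password: str, record: dict) -> bytes:
    """Client side of login: re-derive the KEK locally, authenticate, then unwrap the DEK."""
    kek = derive_kek(username, master_password)
    if not hmac.compare_digest(auth_hash(kek, master_password), record["auth_hash"]):
        raise PermissionError("authentication failed")
    return unseal(kek, record["wrapped_dek"])
```

Nothing in the server-side `record` lets the provider recover the DEK without the master password, which is the property the comment is pointing at.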