You Are One SIM Hack Away From Losing Everything — pt2: Level Up

Keith Mukai
May 27, 2019 · 11 min read


Or: “We’re Locking this b*tch down!”

We assembled the raw materials in part 1. Now it’s time to put them all together in a coherent fashion.

Disclaimer: I am not a security expert. I’m just presenting my best understanding of the best practices out there and making myself think through this to get my own sh*t secured. If I have gotten anything wrong, please let me know!

Quick Recap

We now have:

  • Password manager: creates and manages really strong, unique passwords for every site. Protected with a really strong master password.
  • 2FA: enabled on every site that supports it and on the password manager itself. Ideally Time-based One-Time Password (TOTP) 2FA, which generates a new six-digit code every 30 seconds.
  • TOTP 2FA backups: the secrets behind those codes, largely going into Authy cloud storage protected by another strong master password, with the option of hardware keys for the critical ones.
  • Phone: a Google Voice phone number, so the carrier (Verizon in my case) can’t hand it to a SIM swapper.

Guiding Principles and Assumptions

I’m going into this with the following in mind:

  • Minimize the worst-case scenario.
  • Must be minimally cumbersome; if it’s too difficult, I’ll be less and less interested in jumping through those hoops over time and will eventually get careless.
  • Defending primarily against digital attack vectors; the physical security of my house or person is not a big consideration. For now.
  • I’m not even that worried about someone stealing my phone. But should still take reasonable precautions.
  • Ideally no single points of failure.
  • Some accounts are definitely way more important than others.

Let’s Dive In!

(Diagram: start at the green boxes.)

Hopefully this isn’t too visually overwhelming. The two green boxes represent my high priority “Core Accounts” and then everything else is considered “Everyday Accounts”. Each green box has two main security directions: toward a password and toward its 2FA (yeah, there’s a third “Google Voice” branch. More on that later).

In both “Core” and “Everyday” I trust the password manager to get the job done. Each path goes through the “Hard Password #1” that secures the password manager.

Follow the “Core” 2FA path upwards. There are two TOTP 2FA authenticator apps in there. In a normal day I’ll get the TOTP access codes from Google Authenticator on my smartphone. This gives me instant access to all of those crucial accounts. But I still need to safely store the TOTP 2FA backups. Those are going to the YubiKeys.

Here’s how it’ll all come together:

I’ll start the process to set up 2FA for one of the “Core” accounts. When the QR code screen pops up, I’ll scan it into Google Authenticator like you normally would. That QR code is nothing more than the account’s TOTP secret (the seed every future code is derived from) plus a label.

But when that’s done I’ll leave the QR code up. I’ll load the Yubico Authenticator app and scan the same QR code in there. Once it accepts it, it’ll ask me to hold one of the YubiKeys to the back of the phone. That’s the moment the secret is written over NFC into the YubiKey’s OATH storage. From then on the key computes the codes itself; the secret is write-only and can’t be read back out of the key, which is what makes this a better backup than a screenshot or a note.

Once it’s on the YubiKey, the next time I touch it to the phone the Yubico Authenticator app will show that account in its list and its current 2FA access code, just like Google Authenticator does. So I now have two ways to produce the exact same 2FA access codes for that particular account.

I’ll repeat the process and scan the QR code again in order to encode the second YubiKey.

Note that you can’t close the QR code screen and reopen it later for the next device. Most sites mint a fresh secret every time the setup page loads, so the earlier scans would no longer match what the site expects. You have to keep the same QR code up. But the QR code is just the secret, so it doesn’t matter whether it’s scanned once or three times or twenty times; every scan stores the same secret.

Now I have my “live” 2FA code generator in Google Authenticator and two backups on the secure YubiKeys.

And you can see by the labels in the diagram what I’ll do with the YubiKeys. One stays with me as an easily accessible backup. I’ll store it in my fireproof box. The other goes to my offsite storage site. This way even if my house burns down and I lose my phone and “Home” YubiKey with it, I still have that second backup elsewhere.

But let me reiterate: all three (Google Authenticator, YubiKey #1 and YubiKey #2) get set up at the same time, from the same QR code. The secret is only displayed at enrollment; Google Authenticator won’t show it to you afterwards and the YubiKeys never give it back out, so you can’t do one or two and come back later for the rest.

So you should be pretty sure you’ve covered all the “Core” accounts you care about before you move YubiKey #2 to its offsite location. Adding an account later is a pain: you’d either have to go retrieve YubiKey #2 or write down the text form of the secret (most sites show it next to the QR code for manual entry) and type it into Yubico Authenticator at YubiKey #2’s offsite location. Then destroy the paper.
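Here’s the same procedure in miniature, as an added example (my code, not from this article and not Yubico’s or Google’s): a stand-in `Site` class that mints a fresh secret every time its setup page opens, a TOTP generator written straight from RFC 6238 using only the Python standard library, and three “devices” that each scan the same otpauth:// QR code. The site name, account and class names are made up; real authenticator apps and the YubiKey’s OATH applet do the same HMAC computation internally.

```python
"""Added example: one enrolment QR code feeding several authenticators, and why
closing and reopening the setup page invalidates the ones already scanned.
Not code from the article; 'Site' is a hypothetical stand-in for the server side.
Standard library only: RFC 4226 HOTP / RFC 6238 TOTP."""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import parse_qs, quote, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Read the fields an authenticator app pulls out of the QR code:
    otpauth://totp/<issuer>:<account>?secret=<base32>&issuer=...&digits=6&period=30"""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"],
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP over the time-step counter, with RFC 4226 dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Site:
    """Hypothetical server side of 2FA enrolment. Every time the setup page is
    (re)opened it mints a fresh secret and shows it as a new QR code."""

    def __init__(self, issuer: str, account: str):
        self.issuer, self.account, self.secret = issuer, account, None

    def open_setup_page(self) -> str:
        self.secret = base64.b32encode(secrets.token_bytes(20)).decode()
        label = quote(f"{self.issuer}:{self.account}")
        return (f"otpauth://totp/{label}?secret={self.secret}"
                f"&issuer={self.issuer}&digits=6&period=30")

    def verify(self, code: str, unix_time: int) -> bool:
        """Accept one time step of clock skew either way; constant-time compare."""
        return any(hmac.compare_digest(totp(self.secret, unix_time + d * 30), code)
                   for d in (-1, 0, 1))


def scan_into_devices(qr_uri: str, device_names) -> dict:
    """Each authenticator (phone app, YubiKey #1, YubiKey #2) stores its own copy
    of the one secret in the QR code; scanning it twenty times changes nothing."""
    fields = parse_otpauth(qr_uri)
    return {name: dict(fields) for name in device_names}


def codes_agree(devices: dict, unix_time: int) -> bool:
    """Devices holding the same secret produce the same code for the same time step."""
    codes = {totp(f["secret"], unix_time, f["digits"], f["period"], f["algorithm"])
             for f in devices.values()}
    return len(codes) == 1


def enrol_then_reopen(unix_time: int) -> dict:
    """Walk through the article's procedure, then show what reopening the QR does."""
    site = Site("ExampleBank", "keith@example.com")   # constructed names
    qr = site.open_setup_page()
    devices = scan_into_devices(qr, ["google_authenticator", "yubikey_1", "yubikey_2"])
    first_code = totp(devices["yubikey_2"]["secret"], unix_time)
    accepted_before = site.verify(first_code, unix_time)
    old_secret = site.secret
    site.open_setup_page()          # "close and reopen" the QR for another device
    return {
        "all_devices_agree": codes_agree(devices, unix_time),
        "accepted_before_reopen": accepted_before,
        "secret_rotated_on_reopen": site.secret != old_secret,
        "old_devices_accepted_after_reopen": site.verify(first_code, unix_time),
    }


if __name__ == "__main__":
    import time
    print(enrol_then_reopen(int(time.time())))
```

The `totp` function reproduces the RFC 6238 reference vectors (secret `12345678901234567890`, time 59 gives `94287082` with eight digits), so anything it disagrees with is the site, not the math. The interesting line is the last dictionary entry: once the setup page has been reopened, the code from a device that scanned the earlier QR code is rejected, which is exactly why all three devices have to be enrolled from the one screen.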

The password manager, too

Because the password manager is such a critical component, the 2FA you use to unlock it is also on the Google Authenticator/YubiKeys path, as the diagram shows.

Beyond typical 2FA: FIDO U2F!

Some accounts, most notably Google accounts, integrate directly with hardware security keys like the YubiKey via FIDO U2F. When you register the key you plug it into a USB port and touch the gold disk; the key generates a brand-new key pair just for that site and hands the site the public half. On every later login the site sends a challenge, the key signs it with the private half (which never leaves the hardware), and the site checks the signature. The signature is also bound to the site’s real origin, so a look-alike phishing page can’t get a usable one out of you, which is the big step up over TOTP codes. That key is now authorized to unlock the account as a second verification factor.

This effectively makes a FIDO U2F device act like a physical key for your account.

It’s really cool to see it in action when you’re signing in to a Google account on a new phone. You still have to enter your username and password, but then for the 2FA verification you can just touch your authorized YubiKey to the back of the phone!

And in most cases you can authorize more than one hardware key on your account. So for my “Core” Google accounts I’ll still back up their 2FA via the Yubico Authenticator process described above, but I’ll also register YubiKey #1 and #2 as authorized hardware “Security Keys” for those accounts.

Minor caveat

Twitter also supports authorizing a hardware security key directly, but (as of this writing) only one key at a time. Annoying. A single key with no twin is no good as your only second factor: lose it and you’re locked out, or thrown back onto whatever weaker fallback the site keeps enabled. So for accounts that only let you register one key, stick to the Google Authenticator + Yubico Authenticator + YubiKey procedure from the previous section.

Okay, that leaves everything else!

Our lower-priority “Everyday” accounts get their 2FA from Authy along the bottom path. While I really like how Authy has set up its cloud backups, its multi-device authorization is tied to a phone number, and that has to be considered less secure than YubiKeys that never leave our control on the “Core” path.

But why not just run all my accounts through the better “Core” path?

Whelp, remember that YubiKey #2 is happily living life in its isolated survival bunker. Let’s say you create a new account on some random ecommerce site and now you have a new 2FA to set up. You aren’t going to make the trip out to your offsite location just to complete the backup process for that new low priority site.

And besides, Authy is just way, WAY nicer and easier to use than Google Authenticator or Yubico Authenticator. Give up a tiny bit of (hopefully) inconsequential security in exchange for a much better experience.

(Screenshot: Authy shows each account’s logo and branding. Nice touch!)

Google Voice is crucial!

None of this so far fixes the problem with legacy banking sites whose only “2FA” is a code sent by SMS text message. For those sites we are still wide open to SIM swap attacks. That is your freakin’ bank account! This is not acceptable!

That’s why we end up with 2FA lines going into Google Voice. Until these dinosaur institutions modernize, the best we can do is point those SMS codes at a number we know we control. Two caveats: the Google Voice number is only as safe as the Google account behind it, which is exactly why that account sits in the “Core” box with hardware keys on it; and some institutions refuse VoIP numbers outright, in which case the carrier number stays and you should at least set a port-out PIN with the carrier.

Google Voice is also the key to getting past my misgivings about Authy’s reliance on a phone number in its authorization flow for new devices. And also remember that those Authy backups are further protected by your Hard Password #2 so, realistically, I think my mild concerns about Authy are irrelevant.

Other Details

  • No TOTP 2FA secrets or backup codes should ever be stored in the password manager. Keep your TWO factors truly separate!
  • Password managers now offer to take the place of Google Authenticator or Authy by generating the TOTP 2FA codes themselves. That sounds convenient. And insane. You’d be moving your second factor back into your first factor: whoever gets into the password manager gets both. It undoes the whole point of 2FA. Don’t do it.
  • Hard Password #1 and #2 should ideally live only in your head. Or at worst written on paper in secure storage. They should never be stored digitally.
  • Remembering Hard Password #1 should be easy as you’ll be unlocking the password manager probably multiple times a day. You can also use the phone’s fingerprint scanner to bypass the password entry. That’s a real trade-off (a fingerprint can be copied and can’t be changed), but maybe worth it for convenience.
  • It’s Hard Password #2 that you’re more likely to forget, as you’ll only need it when you want to clone your Authy 2FA entries to another device. Maybe not so bad to write that one down. On paper. Not digital.
  • Your main email account is so vital (it receives password reset links, email-based 2FA codes, etc.) that it might be a risk to tie its fate to your ability to access the password manager. Consider committing this password to memory as well. Or writing it down and putting it in a secure location.
  • The YubiKeys are for storage, not daily use. You do not need to carry one with you everywhere you go. Google Authenticator is your daily “Core” TOTP 2FA source.
  • The phone should be locked with a fingerprint (meh), face ID (very meh), or PIN (better). The password manager app on the phone should require a fingerprint, PIN, or the full password. Secure Authy with its optional PIN.
  • Don’t use the same PIN everywhere.
  • Remove all the SMS verification options you can (many remain as fallbacks even after you set up proper 2FA, and an attacker only needs the weakest one that’s still enabled). Where you can’t remove them, point them at the Google Voice number.
  • Authy requires a previously authorized device to approve any new device that wants access to your cloud backups. If you lose your one and only phone, that gets harder. So always have at least two devices authorized in case one goes down. One can be your main computer/laptop via the Authy desktop app.
  • If your bank or other financial institutions have truly terrible fake 2FA, ditch those accounts. Do some research, open new accounts elsewhere, and transfer your money the f*ck outta there.

How to prioritize accounts

I think of my highest priority accounts as coming from a few important buckets:

  • Security: Necessary pieces of the defense strategy.
  • Financial: Controls money and/or investments or knows my net worth.
  • Professional Identity: GitHub for me; might be LinkedIn for others.
  • Personal/Social: Key social media accounts.
  • Sensitive Records/Files: Legal docs, tax filings stored in the cloud.

It’s best to keep this list as short as possible, but if there’s an account that would be just devastating to lose, it belongs here.

Vulnerabilities

Where are we still exposed and how bad could it be?

If your phone’s SIM is swapped… it really shouldn’t matter, at least not for your online accounts, since every phone-number reference now points at Google Voice. That holds only if you actually hunted down every place the carrier number was still registered as a fallback.

If the password manager is compromised, 2FA is what stands between the attacker and every account. At that point it’s up to each website’s security policies to resist the attacker’s attempts to get your 2FA deactivated, and you’ll have to reach out to each site, change every password, and make the case that you’re the real you.

If either YubiKey is stolen, the thief holds the TOTP secrets for every “Core” account, and those secrets produce valid codes indefinitely. They’d still need your passwords, which are uncrackable courtesy of the password manager, so on their own the codes shouldn’t get them in. Don’t rely on that: re-enroll 2FA on each “Core” account (which mints a new secret and orphans the stolen copy), remove the stolen key from the Security Keys list on any account where it was registered, and re-encode the remaining key. Yubico Authenticator can also put a password on the YubiKey’s OATH storage so a thief can’t even display the codes without it.

If Authy is compromised, again, you still have your uncrackable passwords, and none of your “Core” accounts’ 2FA is in any danger.

If you lose or break your phone, you can restore the password manager from its cloud and Authy from its cloud. You keep access to your “Core” accounts via the “Home” YubiKey #1 and Yubico Authenticator on the new phone. To get Google Authenticator back as the daily source, though, you’ll have to retrieve YubiKey #2 and re-enroll all the “Core” 2FAs so that the new phone and both YubiKeys share the same new secrets.

If you forget your password manager’s master password, dang… don’t. A properly designed (zero-knowledge) password manager service never sees your master password, so there’s nothing they can do to help; all your passwords are gone. You’ll have to do a password reset account by account.

If you forget Authy’s cloud backup password, same. Hopefully you still have a working device that has its copy of your “Everyday” 2FA keys. If not, it won’t be easy to reset 2FA on those accounts, but at least you still have the login info in the password manager.

If your phone is stolen, the screen-lock PIN is all that slows them down. Once they’re in, all your “Core” accounts’ 2FA codes will be openly visible to them in Google Authenticator (annoying that, as of this writing, there’s no PIN option). But the password manager’s master password should be insurmountable. Your phone will still be logged in to certain apps, and that will probably lead to some trouble. With access to your main email and “Core” 2FA, they could trigger some password resets and approve them. Then they’re in business.

A more secure variant on my plan would be to ditch Google Authenticator for a TOTP 2FA app that at least includes a PIN option. Or you can go really hard core and remove Google Authenticator entirely and just carry a YubiKey with you at all times. Without the YubiKey the attacker would have absolutely no “Core” 2FA access. You’d still want a second YubiKey to act as your backup — even moreso if you’re taking YubiKey #1 out into the world every day. It will get lost or damaged at some point.

I’ll go this route when we start embedding them in our hands or arms. Nothing to carry, nothing to lose.

Are we there yet?

Did we patch every flaw? No, but we should be orders and orders of magnitude better off than we were before all of this. Be smart and be safe out there. And please send me lots of suggestions for improvements!
