NetBSD-Users archive


Re: TOTP apps, and WebAuthn recommended devices?



Thanks very much for the detailed response.

One thing that's not 100% clear to me:

  One device (plus a second one as a backup!)


A device can fail or be lost, so the backup concept is obvious, and
perhaps should extend to a third.

Are the backup devices independent in that you

  enroll device A on a site

  enroll device B on the same site

and then either one will be accepted by the site to login, and they
otherwise don't have anything to do with each other?  I mean no transfer
of keymat, or other linkage.

So therefore one could have a secondary backup in a place far away
that's somewhat hard to get to, and when visiting it every few months,
enroll that backup as an additional key in the sites that were added to
the working device (carried with you) and the primary backup.

And yes, I realize that one needs physical access control on all the
devices, except that an attack requires pw + one of the devices.


Good point about TOTP and phishing.  Password via password manager and
TOTP mitigates that, as not typing in passwords means autofill needs to
work by URL match.

But, I'm mostly coming from "I need to cope with this world because
various sites are making it required", and I wanted to really understand
before digging in.  Important sites like adafruit, for instance,
supposedly to protect RPI purchases from bots, because nobody could
possibly code a bot that does TOTP, or something like that.
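Added illustration (not part of this thread, and not NetBSD or any vendor's code): a small Go model of how a site keeps several independently enrolled WebAuthn credentials per account. It uses the standard library's ECDSA P-256 as a stand-in for a real authenticator, and the names ("example.org", "alice", "key-A", the challenge bytes) are constructed for the example. It shows the three properties asked about above: each device holds its own key pair and only a public key reaches the site; any one enrolled device is sufficient to log in; and revoking a lost device leaves the others untouched. It also shows why the assertion is origin-bound, which is the phishing point raised in the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for one physical security key. Its private key is
// generated on the device and never exported, so two enrolled keys share no
// key material at all.
type Authenticator struct {
	Name string
	priv *ecdsa.PrivateKey
}

// NewAuthenticator creates a fresh P-256 key pair for one device.
func NewAuthenticator(name string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{Name: name, priv: priv}, nil
}

// Credential is all the site keeps from an enrollment: a label and a public key.
type Credential struct {
	Device string
	Pub    *ecdsa.PublicKey
}

// RelyingParty models the site. Each user owns a list of independent credentials.
type RelyingParty struct {
	ID    string // the RP ID the site is registered under (constructed: "example.org")
	users map[string][]Credential
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, users: map[string][]Credential{}}
}

// Enroll adds one more credential; the ones already there are untouched.
func (rp *RelyingParty) Enroll(user string, a *Authenticator) {
	rp.users[user] = append(rp.users[user], Credential{Device: a.Name, Pub: &a.priv.PublicKey})
}

// Revoke drops a lost or failed device without affecting the others.
func (rp *RelyingParty) Revoke(user, device string) {
	kept := rp.users[user][:0]
	for _, c := range rp.users[user] {
		if c.Device != device {
			kept = append(kept, c)
		}
	}
	rp.users[user] = kept
}

// signedData mimics what a WebAuthn authenticator signs: a hash over the RP ID
// and the server challenge. Binding the RP ID is what makes a signature
// produced for one origin worthless at any other.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert signs for the origin the browser reports to the device.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
}

// Verify accepts the login if any one enrolled credential validates the
// signature, and reports which device it was.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) (string, error) {
	data := signedData(rp.ID, challenge)
	for _, c := range rp.users[user] {
		if ecdsa.VerifyASN1(c.Pub, data, sig) {
			return c.Device, nil
		}
	}
	return "", errors.New("no enrolled credential verifies this assertion")
}

func main() {
	rp := NewRelyingParty("example.org")
	a, _ := NewAuthenticator("key-A")
	b, _ := NewAuthenticator("key-B")
	rp.Enroll("alice", a) // working device
	rp.Enroll("alice", b) // backup device, enrolled separately
	challenge := []byte("constructed-server-challenge") // constructed sample value

	sig, _ := b.Assert("example.org", challenge)
	fmt.Println(rp.Verify("alice", challenge, sig)) // backup alone is enough

	sig, _ = a.Assert("other-origin.example", challenge)
	fmt.Println(rp.Verify("alice", challenge, sig)) // signed for another origin: rejected

	rp.Revoke("alice", "key-A")
	sig, _ = b.Assert("example.org", challenge)
	fmt.Println(rp.Verify("alice", challenge, sig)) // key-B unaffected by revoking key-A
}
```

The model leaves out counters, attestation and user-presence flags that a real relying party checks, but the enrollment list is the point: adding a third, far-away key is just one more append to that list, and nothing about it depends on the other two.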



