> A couple of years ago, I would have panicked at this moment. I'm pretty neurotic: my mind is constantly occupied with producing negative scenarios that "need" to be considered and anticipated. I eat myself from inside out with endless "what ifs", calculating worst-case scenarios and failures — all that sort of thing.
I can relate strongly to this. ADHD and OCD tendencies made leaving for even a vacation frustrating.
I think part of that was growing up in a situation where losing something important like a phone or laptop was a financial hardship that meant real, lasting pain.
Now, as I am older and more financially stable, I only really worry that I have my phone and wallet. And really I only need one of them. All of my IDs are scanned and backed up online. I just need a device and internet connection and I can recover enough of my life to get home, where I can get back on track and order new items. When going over our final leave-list, my partner and I typically just end with “and we have a credit card, so it doesn’t matter if we’ve forgotten something”.
When traveling to more remote places with less of a chance of being able to replace a phone at short notice, I do bring an old phone as backup.
> I think part of that was growing up in a situation where losing something important like a phone or laptop was a financial hardship that meant real, lasting pain.
The brain is interesting, that's for sure. Old habits and mindsets stick around a long time.
I still write important things on paper like final destination addresses or reservation numbers because I don't trust my phone.
When I went on a solo 2 week Euro trip to Portugal and Spain last year I had ~30 printed pieces of paper of reservation details / maps in my backpack just in case something happened with my phone. I didn't carry them all with me everywhere but as time went on in the trip, I brought the specific ones with me for that day in a day bag.
I didn't plan the trip in too much detail, mainly just hotel reservations and high level bullets for things to do in the few cities I went to but having everything printed gave me peace of mind. I didn't have to use a single piece of paper in the end.
It does make me think how much easier it would be traveling with a friend or partner because having 2 phones is a massive perk for redundancy.
When I was single I used to pack a spare (smaller, older) phone on bigger trips, one would stay off in my daybag/backpack to be used in case something happened and my regular was in my pocket. Now, yeah, it's silly to pack it as my partner's is the backup.
I use the technique of taping a microsd card with copies of my passport, credit cards, 2fa backup codes, etc, encrypted; along with a $100 to the bottom of my insole inside my shoe. Put them in a little "crack sized" ziplock, add lots of gaffers tape (so if you take the insole out it's not obvious, plus makes it a bit waterproof) and if I ever get mugged, I have enough cash to get a cab (or depending on where I am, pay a bribe) and then find a computer I can use to get my info and figure out next steps.
Normally carry a yubikey with me (2, in fact, one on me, one in my big bag at my hostel / hotel). But if I get mugged between airport - hostel, then at least I have the shoe backup.
A 3rd level is that my parents have a yubikey and 2fa backup codes for me. They don't have my passwords, but in a pinch, I can call them to read me a code.
Not my idea. You can have a lawyer that has access to all your passwords, and designate a list of trusted people that can access them in an emergency.
If something happens, your friend calls the lawyer. The lawyer calls the other friends and if enough concur releases your passwords.
Depending on how technical you and your inner circle are, you can even have whatever secret the lawyer holds encrypted and a key preshared with your friends, so that the lawyer can't use it or the secret is irrelevant if it leaks.
This is of course more relevant in a "you drop off the face of the earth", or "you are wrongfully or rightly arrested" kind of scenario.
Keep an eye on FRAM storage devices. Currently you can buy a USB stick with 8 KB of storage, but that storage is designed to last 200 years (and should at least survive a few decades). You can even recover the data off it with a soldering iron and a steady hand if needed. Would be a neat solution for keeping a backup code in a safe long term (maybe once the price drops to be competitive with a laminated sheet of paper)
Not GP, but my solution is to just not use 2FA if I can at all avoid it. After all, 2FA is 99% security theater anyway (if you have a randomly generated unguessable password in a decent password manager).
Very true. I would love to get a YubiKey. But if I set up everything with this and I lose it abroad, then I am f... Could get two and have one FedExed to me if SHTF, but I think I pass.
Even if you have unguessable passwords, the services typically have a way to reset that password. So if the attacker gains access to your email they could do a lot of damage.
3rd Typically most services will allow you to reset your 2fa if you have access to your email or phone or whatever. Because you know people lose their 2fa.
You didn't expect a forum full of obsessive technology nerds to see through the nonsense cargo cult that is 2FA?
tl;dr: You only need a strong, well-kept password or 2FA. Doing both has extremely marginal security benefits.
Remember that 2FA happened like this:
- everybody's password is hunter2
- people's accounts get hacked left and right
- people contact support, this costs the company lots of money
- so company tries "strong password" rules
- people forget their strong passwords
- people contact support, this costs the company lots of money
- company enforces 2FA
- fewer people contact support
- less support work, company saves money
Now, none of these problems apply to people who always use random strong passwords and store them in a decent password manager. I'm not saying 2FA makes no sense from a business perspective, it totally does. Moves the hassles from the business to the user (and locks out poor people without phones trying to log in from a library computer, but they were never going to be generating a lot of revenue anyway so who cares right?).
But if you're not using "hunter2" and not forgetting your password, the extra security 2FA gives you is against nation-state level hackery only. An attacker would have to either MITM your https traffic or hack into your password manager vault. But if they can MITM your https traffic, they can capture your 2FA OTP as well when you fill it in, so you're already screwed.
This leaves someone hacking my password manager. But 2FA has recovery keys, for when you lose your phone/authenticator. If an attacker has this key, they don't need the second factor. So then it all boils down to:
- do I dare print out my recovery keys, put them in a drawer, not lose them in a move or a fire, not urgently need them while away from home?
- or would I rather put the recovery keys right there in the password manager, meaning I can access them when needed but when someone hacks my password manager, they can hack my life?
If you're in camp 2, like I am, 2FA adds no value. If you're in camp 1, 2FA can protect you against people hacking your password manager (but against nothing else).
I don't believe anybody, barring the extremely paranoid (for good or bad reasons), actually prints out their recovery keys. Ergo everybody's in camp 2 or worse (e.g. put the recovery keys in your Dropbox). Ergo, if you use a password manager with strong passwords, 2FA is 99% theater. The 1% is for the printer+drawer people.
I use 1Password as my 2FA app. They have a recovery kit you can print out and store in safe places, or if you have a device that you've previously set up, you can authenticate to your vault.