None of those points above address what I said, nor should they because TOTP should allow for disaster recovery.
To allow for disaster recovery the keys used to generate the TOTP codes must be storable somewhere.
The article is creating a strawman by suggesting to screenshot QR codes and leave them in the downloads folder. It's perfectly reasonable to save keys in a secure manner.
It's also giving borderline bad advice of trying to engineer in an unrecoverable state should a single device fail. That's a poor suggestion to give under any circumstance.
Saving TOTP keys into a separate dedicated encrypted vault under physical security is absolutely a valid method of allowing recovery from a device failure.
If you're ok storing the TOTP key, you could just store a recovery code instead. Recovering an account is generally audited, so this is more secure than just provisioning another device.
My point is just that it's still a lot of effort to recover, and we're basically encouraging people to undo the benefit of MFA by storing the TOTP key/recovery code right next to the password they used to get through the first factor...
There's no functional difference between the two codes in terms of account access. And I dispute the claims of 'auditing'. No service cares. As long as you give a correct code then in you go.
So why use recovery codes and then have to keep them secure with the drawback of re-setting up every lost account when you can put the exact same amount of effort into storing and securing the original key and re-setup all accounts in a few minutes?
I speak from personal experience on this topic as to which is easier and how the effort to store and secure recovery/original keys is exactly the same.
>There's no functional difference between the two codes in terms of account access
Are you sure?
The last time I used a recovery code I got an email and my 2FA immediately stopped working.
If I have your TOTP key I can use your 2FA without you even knowing, even while you use it. It effectively gives me an unlimited backdoor into that account.
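As an added illustration (my own demo, not code from anyone in this thread): a minimal RFC 6238 TOTP verifier beside a single-use recovery-code check. The `Account` class, its secret and its recovery codes are constructed for the demo; it shows that a stored TOTP secret yields a valid code for every time step, while a recovery code is consumed on first use and leaves an audit entry.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from a Unix timestamp."""
    return hotp(secret, at // step, digits)


class Account:
    """Constructed model of a service account holding a TOTP secret and
    a set of one-time recovery codes, with a simple audit trail."""

    def __init__(self, secret: bytes, recovery_codes) -> None:
        self.secret = secret
        self.recovery = set(recovery_codes)
        self.audit_log = []

    def verify_totp(self, code: str, at: int) -> bool:
        # Accept the current step plus one step either side for clock skew.
        ok = any(
            hmac.compare_digest(code, totp(self.secret, at + d * 30))
            for d in (-1, 0, 1)
        )
        self.audit_log.append(("totp", ok))
        return ok  # the secret is never consumed: valid codes keep coming

    def verify_recovery(self, code: str) -> bool:
        if code in self.recovery:
            self.recovery.discard(code)  # consumed: the same code cannot be replayed
            self.audit_log.append(("recovery", True))
            return True
        self.audit_log.append(("recovery", False))
        return False
```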
No, because I haven't tried every service. What I do know is that key services I have notify me of every single login that is made, so I'd know anyway.
Plus, one has to examine at which point back up the chain the problem might occur or be spotted.
In this instance you've managed to access my TOTP keys, which means you've hacked and broken the encryption on the password manager or you've got malicious code running on my device. Or you have physical access to a running and unlocked machine.
In either of those cases I'm already truly fucked.
I would imagine that any scenario where I managed to get hold of your recovery keys would involve the same things, so you'd be truly fucked.
So in that sense there's no functional difference in the way I have things set up for me.