They have it, it’s called FIDO2, and it even works with existing devices such as Touch ID or Windows Hello in common browsers such as Chrome. Even Google doesn’t promote Google Authenticator now, but they keep it around for legacy reasons because it still works, until you lose your phone. That’s where FIDO2 shines: just authenticate more than one device, including purchased hardware tokens if you want something cheaper than a phone, and you’ll always have at least one device with access, somewhere.
My biggest issue with FIDO is that it is tied to a hardware device. So if I ever lose it it is a huge pain. So you need at least 2 (so only one can be your laptop with fingerprint or face recognition) and if you even get another one you need to remember every single service that you used 2fa for and enroll it in each of them.
> if you even get another one you need to remember every single service that you used 2fa for and enroll it in each of them
This is perhaps why FIDO2 works best when combined with single-sign-on systems, such as those promoted by large email providers, etc. Fewer accounts to have to manage 2FA devices for, and a greater chance that you've already signed in and authenticated your devices with all of them.
Personally, though, I use a password manager, and have some (but not all) sites tagged as 2FA in the password manager. So if and when it's time to add another key, I can just go down the list. Not as convenient as SSO-based 2FA, but sometimes you really don't want to sign in with Facebook, say. :)
can FIDO2 be implemented for day-to-day use right now, such as email access? sms 2FA and authenticator are built-in to most applications, so it makes it easy to use.
and how do you do estate planning? I'd like to give my family access to all of my private keys for everything when I pass.
It’s built in to Safari, Chrome, Edge and other browsers, apps can easily integrate with system libraries for Windows Hello or Touch ID as they would anyway.
As for estate planning, set up a spare key that you can keep at a relative’s place, or add others’ accounts to your “Family” in Google/Microsoft/Apple/etc. Either they have their own keys and the company is aware of the handover or they have a copy of yours — such as you logging in on their device or keeping a FIDO2 key at their house and they can pretend to be you. A service like 1Password Family could also be of use here.
True, but last I checked, Google Authenticator and other similar apps (except maybe Authy or password managers) would refuse to upload or backup keys to iCloud Backups for odd reasons. Presumably they wanted the same sort of identity properties that something like Touch ID has, and thus would be solved by having more than one ID.
Unfortunately most people have only one phone, so that didn’t work until options came along where you could add more than one token/device instead as backup.
Oh no, the string and/or QR code should be backed up when one is setting up the 2FA.
If you have that seed phrase, & any device with correct time can calculate the TOTP code, even a simple local javascript app.
Obviously that phrase leaked would mean hacker can also generate codes. So that's why those phrases should be kept extra safe, away from normal passwords.
