The risk of not syncing — when you lose/reset your phone, so does your OTP app. If you don't have backup codes saved, you're cooked.

> you're cooked.

I've lost 2FA codes. It's complicated but if you have a financial relationship with the vendor you're going to be able to get everything sorted out. I imagine as this happens more there will be common internal policies which aid customers in this situation.

You have to weigh the amount of potential hassle against the value of potential losses. Why you would have $100,000 of value stored somewhere and only secured by a loose-lipped third party app is beyond me.

> The risk of not syncing — when you lose/reset your phone, so does your OTP app. If you don't have backup codes saved, you're cooked.

Most clued-up places enable you to register a Yubikey as 2FA.

So then it doesn't matter if you loose your OTP app and your backup codes because you've still got a Yubikey.

(And those that don't allow Yubikey, almost certainly will have SMS as a secondary option).

You really shouldn’t use SMS 2FA. SIM swapping does happen. This kind of depends on the jurisdiction though. In some countries operators won’t reassign the phone number willy-nilly.

Still, better to just not do SMS auth. These days Yubikeys are not that expensive. Get three, register them all at the most important places, and put one at a parents’ place or similar.

I agree entirely.

But the point I was making that IF the website does not allow Yubi THEN SMS is almost certainly available, and you should use that as a backup mechanism.

Why ? Some sort of backup mechanism is better than none at all.

> Most clued-up places enable you to register a Yubikey as 2FA. So then it doesn't matter if you loose your OTP app and your backup codes because you've still got a Yubikey.

And what happens if you lose your Yubikey or it stops working? You're back to needing backup codes or an additional 2FA device

> And what happens if you lose your Yubikey or it stops working?

That's why you own N+1 Yubikeys ;p

Any place that offers Yubikey auth will enable you to register multiple Yubikeys against your account.

In all my time on the internet I have only ever seen one place that allows Yubikeys but restricts you to one key.

Which is why most apps with sync have two sets of credentials: one to login on the platform and one master password for encryption. That helps in those scenarios.

Yes. There are other ways of syncing (I have images of the setup QR codes save in an encrypted file) but most people wouldn’t be able to manage this.

An alternative to syncing is to add the TOTP code on multiple devices, so that losing one device is not catastrophic.

You mean to say that if it were enabled on my Google account, then the TOTP numbers for my other accounts are visible via authenticating into Google Account on some other unknown device? Sounds like it could be convenient if you lose your phone, but still risky if an attacker can sign into your Google Account.

Yeah. And this is on by default. Without an additional secret.