Adventures in two factor authentication: I want to use a security key with . Doesn't work. Why? Because I already have app/TOTP-based 2FA enabled. And I can't disable it because I'm a member of groups that require 2FA. So no way for me to go from app to security keys.
You can definitely have both enabled, since I have both enabled right now. I don't think it's possible to enable only security key 2FA on GitHub; they seem to treat using SMS or TOTP as baseline 2FA and security keys are an addon to that. It's a weird implementation.
The only service where I've been able to remove TOTP 2FA and use only security keys is Google. OVH, GitHub, GitLab, Bitbucket, Dropbox and Twitter all require keeping around TOTP after adding a security key and don't allow adding the security key first. AWS is even weirder.
AWS requires you to log into your Amazon account first (including TOTP 2FA) and Amazon accounts don't support security keys. However, AWS does support security keys separately from the Amazon login so it makes you enter the password, TOTP 2FA code and then use the security key...
Does the AWS 2FA still feel like a kludgy addon? Life was so much sweeter with AWS when we told it to use a 3rd party IdP, I hated AWS login, possibly could have had fewer accounts or tied them together better but it just felt horrid.
Only in the sense that I don't really understand why I can't have the security key on my actual Amazon account instead of only AWS. It's weird going to AWS and using the security key right after entering a TOTP code. I want to remove TOTP everywhere.
I wouldn't actually need recovery codes either if I trusted that their implementations aren't going to break, because my security key has a proper backup implementation via the on-device touchscreen. It does a one-time display of the seed words during init for recording on paper.