Adventures in two factor authentication: I want to use a security key with . Doesn't work. Why? Because I already have app/TOTP-based 2FA enabled. And I can't disable it because I'm a member of groups that require 2FA. So no way for me to go from app to security keys.
You can definitely have both enabled, since I have both enabled right now. I don't think it's possible to enable only security key 2FA on GitHub; they seem to treat using SMS or TOTP as baseline 2FA, and security keys are an add-on to that. It's a weird implementation.
The only service where I've been able to remove TOTP 2FA and use only security keys is Google.
OVH, GitHub, GitLab, Bitbucket, Dropbox and Twitter all require keeping around TOTP after adding a security key and don't allow adding the security key first. AWS is even weirder.
AWS requires you to log into your Amazon account first (including TOTP 2FA) and Amazon accounts don't support security keys. However, AWS does support security keys separately from the Amazon login so it makes you enter the password, TOTP 2FA code and then use the security key...
Does the AWS 2FA still feel like a kludgy add-on? Life was so much sweeter with AWS when we told it to use a third-party IdP. I hated AWS login; possibly could have had fewer accounts or tied them together better, but it just felt horrid.
Only in the sense that I don't really understand why I can't have the security key on my actual Amazon account instead of only AWS. It's weird going to AWS and using the security key right after entering a TOTP code. I want to remove TOTP everywhere.
I wouldn't actually need recovery codes either if I trusted that their implementations aren't going to break, because my security key has a proper backup implementation via the on-device touchscreen. It does a one-time display of the seed words during init for recording on paper.
Recovery codes are scary, I had one password, one TOTP token, and then a bunch of numbers I didn't record because I had other recovery methods.
Yeah, I would prefer to stick with the carefully recorded BIP39 seed words. For the uses other than U2F, a passphrase is also appended to those before deriving a key. Would rather disable their recovery code backdoor if I could fully trust they won't break U2F.
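The seed-words-plus-passphrase scheme mentioned above is the standard BIP39 mnemonic-to-seed step, and the following is an added example of it, not code from anyone in this thread or from the security key's own firmware (how that device goes from the BIP39 seed to its U2F credential keys is not described here and is not modelled). It implements what the BIP39 specification defines: NFKD-normalize the words and the passphrase, use the fixed string "mnemonic" followed by the passphrase as the PBKDF2 salt, and run PBKDF2-HMAC-SHA512 for 2048 rounds to get a 64-byte seed. The mnemonic and expected seed are the first published test vector from the specification; the surrounding function names are this example's own.

```python
import hashlib
import unicodedata

# Parameters fixed by the BIP39 specification.
PBKDF2_ROUNDS = 2048
SEED_LEN = 64            # bytes of derived seed
SALT_PREFIX = b"mnemonic"
VALID_WORD_COUNTS = (12, 15, 18, 21, 24)

# First test vector published with the BIP39 specification
# (all-zero entropy). The passphrase used by the spec vectors is "TREZOR".
TEST_MNEMONIC = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)
TEST_PASSPHRASE = "TREZOR"
TEST_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def normalize(text: str) -> bytes:
    """BIP39 requires NFKD normalization of both the mnemonic and the passphrase
    before hashing, so that visually identical input on different devices
    derives the same seed."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic sentence and passphrase.

    The passphrase is appended to the salt, not to the mnemonic: the words
    alone are enough to recompute the seed only if the passphrase was empty.
    Word validity against the 2048-word list and the embedded checksum are
    not checked here (that needs the word list); only the word count is.
    """
    words = mnemonic.split()
    if len(words) not in VALID_WORD_COUNTS:
        raise ValueError(
            f"mnemonic must have one of {VALID_WORD_COUNTS} words, got {len(words)}"
        )
    salt = SALT_PREFIX + normalize(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", normalize(" ".join(words)), salt, PBKDF2_ROUNDS, SEED_LEN
    )


def passphrase_changes_seed(mnemonic: str, passphrase: str) -> bool:
    """True when the given passphrase yields a different seed than the empty
    passphrase, i.e. when a paper backup of the words alone would not be
    enough to restore the key."""
    return mnemonic_to_seed(mnemonic, passphrase) != mnemonic_to_seed(mnemonic)


if __name__ == "__main__":
    seed = mnemonic_to_seed(TEST_MNEMONIC, TEST_PASSPHRASE)
    print("seed matches spec vector:", seed.hex() == TEST_SEED_HEX)
    print("passphrase changes seed:", passphrase_changes_seed(TEST_MNEMONIC, TEST_PASSPHRASE))
```

The practical point for a backup: the words and the passphrase are two separate secrets, and recording only the words (as the poster does for U2F) restores the key only for uses where no passphrase was added.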
I trust Google not to break it, but not so much the others. I don't really think they get security keys when they require leaving TOTP enabled and treat it solely as a convenience feature that you can use if you happen to have the key around at the moment, instead of a code.