So I’ll be traveling in such a way that I’ll be crossing the US border. I want to take a burner phone so I can wipe it, or have innocuous enough data. The problem: all my passwords are stored in a password manager that uses 2FA tied to my primary phone which will be sitting at home (along with other sites that use 2FA tied to authenticators on my phone).
So remembering passwords is out. And not having access to 2FA presents a catch-22. So what’s the best way to approach that?
This tells me that you’d be in a lot of trouble if you lost your phone or had to wipe it because someone got into it. It’s probably good then that you’re now thinking about this so you can prepare for a time when you won’t have your phone for other reasons.
All sites supporting 2FA usually allow you to use a second method. Email is usually an alternative. Assuming that your email is your universal second OTP method, you just need to make sure you will always have access to your email account and you’ll be fine. So just solve for the OTP problem for your email account.
Pre-buy your burner phone and make it a second OTP device for your email account. For more assurance, buy a couple of physical keys (like Yubikey) that can be used with your email account. These can also be set up for some of your other accounts that support it, which may be more convenient than email when accessing them.
Assuming your 2FA method is TOTP, back up the 2FA keys to an encrypted file with a long passphrase. Take it with you (or store it in the cloud; in this situation this is possibly safer). Then when you need them just
- install a TOTP app
- import decrypted keys
- log in to things. Then when you’re done, log out of things and delete the TOTP app.
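The procedure above (encrypt the TOTP seeds under a passphrase, carry the file, regenerate codes on the clean device) as a worked example. This is added code, not something posted in the thread, and it uses only the Python standard library: scrypt for the passphrase KDF, HMAC-SHA256 as a PRF in counter mode for the keystream, and an encrypt-then-MAC tag so a wrong passphrase or a tampered file fails loudly instead of yielding garbage seeds. That file-encryption construction is sound but non-standard; in practice an audited tool such as age or gpg is the better choice for the file itself, and the part worth keeping is the RFC 6238 generator, which shows that a backed-up seed is all any authenticator app needs. The sample vault content, the account name and the file name are constructed for the example (the seed is the RFC 6238 test secret).

```python
"""Passphrase-encrypted backup of TOTP seeds plus an RFC 6238 code generator.

Added example, not from the thread. Stdlib only: scrypt KDF, HMAC-SHA256 in
counter mode as the keystream, encrypt-then-MAC. Prefer age/gpg for real
file encryption; this construction is here so the example runs offline.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import os
import struct
import time
from typing import Dict, Optional, Tuple

MAGIC = b"TOTPVAULT1"
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # interactive-speed parameters (16 MiB)


def _derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the passphrase."""
    km = hashlib.scrypt(passphrase.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                        p=SCRYPT_P, maxmem=64 * 1024 * 1024, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block_i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_vault(secrets: Dict[str, str], passphrase: str) -> bytes:
    """Serialize {account: base32 seed} and encrypt it under the passphrase.
    Layout: MAGIC || salt(16) || nonce(16) || ciphertext || tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    plaintext = json.dumps(secrets, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()  # MAC covers header too
    return header + ct + tag


def decrypt_vault(blob: bytes, passphrase: str) -> Dict[str, str]:
    """Verify the tag in constant time first, then decrypt; raise on any failure."""
    hdr_len = len(MAGIC) + 32
    if not blob.startswith(MAGIC) or len(blob) < hdr_len + 32:
        raise ValueError("not a vault file")
    header, ct, tag = blob[:hdr_len], blob[hdr_len:-32], blob[-32:]
    salt, nonce = header[len(MAGIC):len(MAGIC) + 16], header[len(MAGIC) + 16:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered vault")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt.decode())


def totp(secret_b32: str, at: Optional[int] = None, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, the authenticator-app default) for a base32 seed."""
    cleaned = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test seed (ASCII "12345678901234567890").
    sample = {"example.com": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}
    passphrase = "a long passphrase you can actually remember"
    with open("totp-vault.bin", "wb") as f:          # this file goes on the USB stick
        f.write(encrypt_vault(sample, passphrase))
    with open("totp-vault.bin", "rb") as f:
        restored = decrypt_vault(f.read(), passphrase)
    for account, seed in restored.items():
        print(account, totp(seed))                    # current 6-digit code
```

The vault file (or its base64) is small enough to print as a QR code, which is the variant suggested later in the thread; the tag check is what makes the wrong-passphrase case safe rather than silently producing useless codes.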
Can’t access the cloud without my passwords!
Guess I’ll be traveling with a handful of USBs with my encrypted TOTP keys.
Also, my phone has a duress password, anyone know if I could just get away with traveling with my phone as-is and just giving them my duress PW if need be?
Phone runs GrapheneOS
I like this. Australia has draconian phone search laws when entering, so I might adopt this in the future on principle.
Does everyone’s phone get searched or is it still random or profiling?
Random. I haven’t been hit yet, but it’s a matter of time
What happens when you get in? You need to let them access everything?
Everything, or indefinite detention without a lawyer.
Jesus Christ!
Saved.
Thanks for the suggestions. Here is what I’m probably gonna do:
- Upgrade Bitwarden to premium
- move my TOTP codes into there
- Get a Yubikey for 2FA for it
- Keep a second 2FA TOTP option available in case I lose the key
Then all I’ll need to do is reinstall it, and log in with the master password and key and be good for any of my sites.
Perhaps you could also print an encrypted version of your Bitwarden TOTP secret on a QR code and bring it with you in your luggage?
So, encrypt the secret with a passphrase you can remember, encode the entire thing in a QR code and print it on a piece of paper. Easy.
I do this as much as possible, though I have a self hosted VaultWarden instance. I really wish more stuff supported TOTP or Yubikey. There’s still a ton that only support text or email which just puts a big old hole in the security, IMHO.
I carry a Yubikey to unlock my password manager. (Probably shouldn’t have said that.) If you have a form of 2FA they wouldn’t know about, that might help you
Having a Yubikey isn’t supposed to be a secret. Security through obfuscation is poor security.
It wouldn’t be much of a secret anyway, since your device would say something like, “Please present your hardware key,” when logging in. If OP had a Yubikey with them, ICE could simply search them and use it themselves.
Yubikeys are excellent against digital attacks but not physical ones, since it’s akin to carrying a lock and key together.
Use it themselves
That’s why a Yubikey is a 2nd factor. You still also need a password, which you are not legally bound to divulge (in the US). Additionally, if you uninstall your password manager in advance, they may see you have a key but they don’t know what it belongs to.
Yep, I was more thinking about the first step of unlocking a phone, which I believe you can set to just be a Yubikey, rather than having a password and key combination.
“Something you have plus something you know.”
But I wouldn’t rely upon a Yubikey, simply because I would be worried border agents would take it indefinitely.
Security is about making it harder for the bad guys to get to what you don’t want them to get to. If they were sufficiently determined, sure they could get to it, but it is another layer. And one they may not expect, or if they were not sufficiently trained, what to do about.
How many services do you need to log into during the trip? If it’s a minimal set, you could temporarily change their passwords to something memorable, and then change it back using your password manager when you return.
Or get a second free password manager just for the stuff you need but aren’t worried about, temporarily change those passwords, put them in the second one, take just that one, and change them back after returning
Even better, because then the passwords would still be unique and difficult to crack
Yeah travelling with a Keepass vault of necessary accounts is starting to sound like the move
So your password manager uses your phone as 2FA, and the credentials inside your password manager also use your phone as 2FA? Hmmm…
So essentially, you can’t bring your phone, that’s the main issue. Does your authenticator on your phone support exporting a backup? Then store that in your password manager if that’s possible and set up an alternative 2FA for your password manager (SMS on the burner phone number perhaps or a security key). Then when you arrive, reinstall the authenticator on your burner phone and import the backup.
Post the phone to yourself?
Could you store them through physical means? If so, consider what passwords you’ll likely need (if you can’t write all/most of them) and put them in a notebook? Not qualified to speak on this at all btw, just spitballing
If you mean laptop by notebook, then OK. Otherwise no.
Bad idea (assuming you write them down in plaintext)
The notebook can be read
Tbf I’m not exactly sure what their threat model is; I don’t know if they’re worried about having a notebook looked at vs online gov snooping etc
I was thinking airport searches.
Correct, that’s why I mentioned “crossing borders”
Yeah and the guards will certainly search any papers you have on you. Worst place for your passwords.