Is using traditional 2FA codes a pre-requisite for using U2F FIDO key in Dashlane/1Password?

Over the past few weeks, I have spent a lot of time thinking about how to structure my security plan based on a password manager, just two/three strong master passwords and the use of physical U2F keys such as YubiKey. Without going into too much detail, a part of my plan would necessarily include the following:

I have a password manager that stores passwords to all my online accounts (apart from the main email used for registering such accounts). For reasons connected to other parts of my plan:

  • these individual accounts if possible will be secured by the traditional 2FA only, where a 30-second code is generated using a phone app.
  • the manager itself will be secured with a physical U2F key only.

The reasoning behind this was as follows. Consider these two unlikely scenarios:

  1. My master password to the manager and my phone with the 2FA app get stolen. Because the manager can be accessed with the U2F key only, I’m safe.
  2. My master password and the U2F key get stolen. The attacker is able to log into the manager, but because the accounts whose passwords it stores require the 2FA code, I’m safe since the attacker doesn’t have my phone. (They’ll only be able to access the websites that don’t have the 2FA option, but we disregard these as unimportant here).

However, reading Dashlane and 1Password technical support pages, the way I understand them is that to add a key to my manager, I also need to first enable the code-based 2FA (perhaps that’s not the case, but the information was not clearly conveyed). Keeper seems to support U2F without enforcing such 2FA. LastPass does not seem to support U2F in the first place, only OTP.

The reason why I’m worried about this is:

  1. My master password and phone with the 2FA app get stolen. If both 2FA codes and U2F are enabled for the manager, the attacker is now able to get into it (contrary to case 1). Moreover, since the accounts inside it use 2FA, they can also access these accounts (contrary to case 2). Security compromised!

It is therefore crucial to me to use only one type of second-step authentication for my manager. As a related example, despite Google allowing many methods, if you enroll in their Advanced Protection Programme, all other methods apart from the U2F keys are invalidated. I would like the same from my manager. Is this possible in Dashlane or 1Password?

P.S. I am aware of the risks of using only the U2F keys for my manager. However, some managers, e.g. Dashlane, offer one-time recovery codes that could be stored securely somewhere else. One could also take a note of the (usually 32-digit) code associated with the QR picture for enabling the usual 2FA, without actually enabling it at that point.

Linear codes and syndrome

Assume a linear code with (4,2) where we want to encode 2-bit data to 4-bit data. The generator (G) matrix is

$$G = \begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 0 \end{bmatrix}$$

Now, if we want to encode 00, we get

$$\begin{bmatrix} 0 & 0 \end{bmatrix} \cdot \begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 0 \end{bmatrix} = \begin{bmatrix} 0 & 0 & 0 & 0 \end{bmatrix}$$

Also the parity check matrix (H) matrix is

$$H = \begin{bmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix}$$

and assume the received data is 0100 where a single bit error occurs on the second bit (from left to right).

Multiplying $H \cdot C_{received}$, we get

$$\begin{bmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix} \cdot \begin{bmatrix} 0 \\ 1 \\ 0 \\ 0 \end{bmatrix} = \begin{bmatrix} 1 \\ 0 \end{bmatrix}$$

So the syndrome being non-zero means there is an error in the received data. BUT, the syndrome value 10 matches both the second and the third column of the H matrix.

So, how do we find out exactly that the second bit is faulty?
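Added example (not code from the question): syndrome computation over GF(2) for the (4,2) code above, with a Hamming(7,4) parity-check matrix added for contrast so the reader can see when a syndrome pins down a single flipped bit and when it cannot; the matrix names and helper functions are my own.

```python
# Added example (not from the question): syndrome computation over GF(2) for the
# (4,2) code above, plus the same routine on a Hamming(7,4) check matrix to show
# when a syndrome identifies a single flipped bit and when it cannot.

def syndrome(H, received):
    """s = H * r^T over GF(2); H is a list of rows, received a list of bits."""
    return [sum(h * r for h, r in zip(row, received)) % 2 for row in H]

def error_candidates(H, received):
    """1-based columns of H equal to the syndrome. Empty: no error detected.
    More than one entry: the code cannot tell which of those bits flipped."""
    s = syndrome(H, received)
    if not any(s):
        return []
    return [j + 1 for j in range(len(H[0])) if [row[j] for row in H] == s]

def codewords(G):
    """All 2^k codewords u*G over GF(2) for a k x n generator matrix."""
    k = len(G)
    words = []
    for u in range(2 ** k):
        bits = [(u >> i) & 1 for i in range(k)]
        words.append([sum(b * g for b, g in zip(bits, col)) % 2 for col in zip(*G)])
    return words

def min_distance(G):
    """Minimum weight of a non-zero codeword; single-error correction needs >= 3."""
    return min(sum(w) for w in codewords(G) if any(w))

# The question's (4,2) code.
G_42 = [[1, 0, 0, 0],
        [0, 1, 1, 0]]
H_42 = [[0, 1, 1, 0],
        [0, 0, 0, 1]]
received_42 = [0, 1, 0, 0]          # codeword 0000 with bit 2 flipped

# Hamming(7,4) parity-check matrix (added for contrast): every non-zero 3-bit
# column appears exactly once, so each single-bit error has a unique syndrome.
H_74 = [[1, 0, 1, 0, 1, 0, 1],
        [0, 1, 1, 0, 0, 1, 1],
        [0, 0, 0, 1, 1, 1, 1]]
received_74 = [0, 0, 0, 0, 0, 1, 0]  # all-zero codeword with bit 6 flipped

if __name__ == "__main__":
    print("(4,2): d_min =", min_distance(G_42), "syndrome", syndrome(H_42, received_42),
          "candidates", error_candidates(H_42, received_42))
    print("(7,4): syndrome", syndrome(H_74, received_74),
          "candidates", error_candidates(H_74, received_74))
```

For the (4,2) code the minimum distance comes out as 1 (1000 is itself a codeword), so a matching syndrome column can only locate the error when every column of H is distinct, as in the Hamming case.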

Please explain how backup codes work in TOTP, like google Authenticator

My understanding is that TOTPs are like HMAC, where the code is derived from time.

However, I am struggling to understand the concept of Backup Codes in Google Authenticator, and how they are calculated, as they are not time sensitive and can be used in any sequence. So how has Google implemented that? Thanks
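Added example (not Google's or any vendor's code): RFC 4226 HOTP / RFC 6238 TOTP beside a server-side backup-code store, showing that backup codes are not derived from the TOTP secret at all. The secret value is the RFC test-vector key, used here only as a constructed demo; the class and function names are my own.

```python
# Added example (not Google's or any vendor's code): RFC 4226 HOTP / RFC 6238 TOTP
# beside a backup-code store. Backup codes are not derived from the TOTP secret:
# the server draws them at random, keeps only a hash, and deletes each one on use.
import hashlib, hmac, secrets, struct, time

DEMO_SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector key, demo only

def hotp(secret, counter, digits=6):
    """HOTP(K, C) = dynamic-truncate(HMAC-SHA1(K, C)) mod 10^digits (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at=None, step=30, digits=6):
    """TOTP is HOTP with the counter set to floor(unix_time / step): time-bound."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)

class BackupCodes:
    """Server side of backup codes: random, hashed at rest, any order, used once."""

    def __init__(self):
        self._hashes = set()

    @staticmethod
    def _h(code):
        return hashlib.sha256(code.strip().replace(" ", "").encode()).hexdigest()

    def issue(self, count=10):
        """Generate fresh codes; return plaintext to show the user exactly once."""
        codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]
        self._hashes = {self._h(c) for c in codes}   # replaces any older set
        return codes

    def redeem(self, code):
        """True once per code; a replayed or unknown code is rejected."""
        h = self._h(code)
        if h in self._hashes:
            self._hashes.remove(h)
            return True
        return False

    def remaining(self):
        return len(self._hashes)
```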

Why do GoDaddy customer support representatives ask for two-step verification codes?

When contacting GoDaddy customer service, whether over chat or phone, they often ask for both a PIN and a two-step verification code (which they confusingly refer to as “google auth codes”).

The PIN can be found when you log in to your GoDaddy.com account, but the two-step verification code is something you’d need to get from whichever app, service, or hardware device you use to generate two-step verification codes (compatible options listed here).

Typically two-step verification codes are time-based one-time-use codes I’ve only used when logging in to my own accounts through my own web browser or mobile app on my own devices. I’ve never had any other customer service representatives from other companies ask for these codes. Usually they just ask for PINs (if the service is set up to use those).

Why would GoDaddy customer service require two-step verification codes? Are they actually using it to log in to your account on their end? If so, how could they do that without having your password? Also, is it poor security practice to require customers to share two-step verification codes with someone else in this manner?

I found this related question from someone concerned with customer service reps asking for PIN codes here, and people agreed that even that is poor security practice.

What’s the decoding time complexity of LT codes?

LT codes are practical fountain codes that are near-optimal erasure correcting codes.

Simply stated, for encoding an $n$-block message, each packet first chooses a degree $d \in \{1,\ldots,n\}$ according to a specific distribution, and then $d$ random blocks are xor-ed to create the packet’s message.

The analysis shows that $O(n)$ packets that make it to the receiver are enough for decoding, by finding degree-one packets and xoring their content out of all other packets that contain the same block (decreasing their degree by one).

What I haven’t found in Luby’s paper, or anywhere else, is the runtime complexity of the decoding. That is, what’s the overall time spent on computing the original message.

A simple argument shows that $O(n^2)$ time is enough. Can we do better?
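Added example (not from Luby's paper or the question): an LT encoder using the ideal soliton degree distribution and a peeling decoder that counts XOR operations, so the decoding cost described above can be measured directly; every XOR lowers one packet's degree by one, which bounds the work by the total degree of the packets received. Block size, seed and the `simulate` driver are my own constructed choices.

```python
# Added example (not from Luby's paper): LT encoding with the ideal soliton
# distribution and a peeling decoder that counts XORs (<= sum of packet degrees).
import functools, operator, random

def encode(blocks, rng):
    """One LT packet: degree d ~ ideal soliton, then XOR d distinct random blocks."""
    n = len(blocks)
    weights = [1.0 / n] + [1.0 / (d * (d - 1)) for d in range(2, n + 1)]
    idx = set(rng.sample(range(n), rng.choices(range(1, n + 1), weights)[0]))
    return idx, functools.reduce(operator.xor, (blocks[i] for i in idx))

class PeelingDecoder:
    def __init__(self, n):
        self.n, self.recovered, self.pending, self.xors = n, {}, [], 0

    def add_packet(self, idx, val):
        idx = set(idx)
        for b in list(idx):                       # strip blocks already recovered
            if b in self.recovered:
                idx.discard(b); val ^= self.recovered[b]; self.xors += 1
        if idx:                                   # drop packets that carry nothing new
            self.pending.append([idx, val])
            self._peel()

    def _peel(self):
        ripple = [p for p in self.pending if len(p[0]) == 1]
        while ripple:
            s, v = ripple.pop()
            if len(s) != 1:                       # emptied by an earlier peel
                continue
            (b,) = s
            self.recovered[b] = v
            for q in self.pending:                # XOR block b out of every packet holding it
                if b in q[0]:
                    q[0].discard(b)
                    if q[0]:
                        q[1] ^= v; self.xors += 1
                        if len(q[0]) == 1:
                            ripple.append(q)
            self.pending = [q for q in self.pending if q[0]]

def simulate(n=40, seed=1):
    rng = random.Random(seed)
    blocks = [rng.getrandbits(32) for _ in range(n)]     # constructed message
    dec, sent, degree_sum = PeelingDecoder(n), 0, 0
    while len(dec.recovered) < n:                        # keep sending until decoded
        idx, val = encode(blocks, rng)
        dec.add_packet(idx, val); sent += 1; degree_sum += len(idx)
    return [dec.recovered[i] for i in range(n)] == blocks, sent, dec.xors, degree_sum
```

`simulate` returns whether the message was recovered, how many packets were needed, the XOR count, and the summed degree of all packets sent; the last two numbers show the XOR count never exceeds the total degree.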

Do registration codes need expiry?

I work on an application where users are sent a unique registration code in the post. They use this, along with other personal information known to the user, to confirm the identity of the user upon creating a new account.

Does the unique registration code sent in the post need an expiry time (like after 30 days)?

The argument that has been made to me is that if there is no expiry then a fraudster has longer to collate the personal information about the intended user to confirm identity. Therefore, they argue that adding an expiry decreases the likelihood of fraudsters creating an account posing as the intended user.

However, if that’s the case, I would imagine that having an expiry would make no difference. If a fraudster has intercepted this mail then the individual has been personally targeted and the fraudster would be able to obtain the personal information to request another code?

Adding two BCD codes


Why is the correction I showed on the picture there? I was taught that I have to do a correction when the digit is bigger than 9, and it isn't.

Does it have anything to do with the fact that I carried a number from there to the next digit? But then I was taught that in BCD code I cannot say if a correction is needed based on the carry; I can only do that in Excess-3 code.

I am getting very confused with these things, and if somebody has one good place where I can get some info about subtracting those numbers, I would appreciate that. I can find many places, but none of them are complete and somehow they are all different.
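Added example (not from the question): a digit-by-digit BCD adder that records, for each nibble, the raw binary sum, the carry out of the nibble, and whether the +6 correction was applied. It shows the two separate conditions that trigger the correction: a nibble sum above 9, or a carry out of the nibble even when the four bits left behind are not above 9. The helper names are my own.

```python
# Added example (not from the question): digit-by-digit BCD addition that records
# both conditions forcing the +6 correction: a nibble sum above 9, OR a carry out
# of the nibble even though the four bits left behind are not above 9.
def to_bcd(n):
    """Pack a non-negative decimal integer as BCD, e.g. 1234 -> 0x1234."""
    return int(str(n), 16)

def from_bcd(x):
    """Unpack BCD back to decimal, e.g. 0x2221 -> 2221."""
    return int(format(x, "x"))

def bcd_add(a, b, digits=4):
    """Add two BCD values of `digits` nibbles.
    Returns (bcd_sum, final_carry, trace); trace holds, per digit from the least
    significant, (raw_sum, carry_out_of_nibble, corrected, stored_nibble)."""
    result, carry, trace = 0, 0, []
    for pos in range(digits):
        da, db = (a >> 4 * pos) & 0xF, (b >> 4 * pos) & 0xF
        if da > 9 or db > 9:
            raise ValueError("input is not valid BCD")
        raw = da + db + carry                 # 0..19, what a binary adder computes
        low, cout = raw & 0xF, raw >> 4       # 4-bit result and carry out of the nibble
        fix = cout == 1 or low > 9            # correct on EITHER condition
        if fix:
            low = (low + 6) & 0xF
        trace.append((raw, cout, fix, low))
        result |= low << 4 * pos
        carry = 1 if fix else 0               # a corrected digit always carries
    return result, carry, trace

if __name__ == "__main__":
    # 8 + 9: raw 17 -> nibble 0001 with carry out; 0001 is not > 9, yet +6 is needed.
    total, carry, trace = bcd_add(to_bcd(8), to_bcd(9))
    print(hex(total), carry, trace[0])          # 0x17 0 (17, 1, True, 7)
```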