What is a good way to backup the TOTP codes/recovery codes? Another Flex? Or save the recovery codes in plain text elsewhere?
Another chip is a good option; personally, I store the TOTP secrets (i.e. what is encoded in the QR code) plus the recovery codes in my KeePassXC database.
Print out the QR code pages to paper and put them in a drawer offline.
I do have two apex chips for this purpose… righty and lefty
Just a quick note for anyone who stumbles upon this: KeePassXC is able to properly store TOTP secrets (and also generate TOTP codes). You can use a small shell command in Linux to mass import these TOTP entries from KeePassXC into the OTP applet on the Apex:
keepassxc-cli export -f xml /home/user/Database.kdbx | xmllint -xpath "//Key[text()='otp']/following-sibling::Value/text()" - | xargs -l ykman -r "READER_NAME" oath accounts uri
If your KeePassXC database is secured using the HMAC-SHA1 Yubico-style protocol as well, add e.g. -y "1:12341234" to the keepassxc-cli command, 12341234 being the serial number of the key (displayed in KeePassXC) and 1 the slot to use.
You also have to replace the path /home/user/Database.kdbx with the path to your KeePassXC database. In addition, the READER_NAME string has to be replaced with the name of the PC/SC reader you use; you can look those up by running pcsc_scan.
In terms of requirements, you will need the yubikey-manager CLI tool and the libxml2 tools.
Also, just as a final note: I do not recommend storing these TOTP secrets in the same database where you store the associated passwords for these accounts.
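Added example (not code from the thread or from KeePassXC/yubikey-manager): a stand-alone Python script that does in one place what the pipeline above spreads over three tools, so you can check a backup before trusting it. It reads a KeePassXC-style XML export, picks out the Value elements whose Key is "otp" (the same selection as the XPath in the post), parses each otpauth://totp/ URI, and generates the current RFC 6238 code from the secret with the standard library only. The embedded XML and the otpauth URI in it are constructed sample data, and the helper names are my own; the real export from keepassxc-cli export -f xml has the same Entry/String/Key/Value shape but many more fields.

```python
import base64
import hashlib
import hmac
import struct
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample in the shape of a `keepassxc-cli export -f xml` file.
# Each Entry carries String elements with Key/Value pairs; KeePassXC keeps
# the TOTP configuration as an otpauth:// URI under the key "otp".
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<KeePassFile>
  <Root>
    <Group>
      <Name>Root</Name>
      <Entry>
        <String><Key>Title</Key><Value>Example service</Value></String>
        <String><Key>UserName</Key><Value>alice</Value></String>
        <String><Key>Password</Key><Value ProtectInMemory="True">hunter2</Value></String>
        <String><Key>otp</Key><Value>otpauth://totp/Example:alice@example.test?secret=JBSWY3DPEHPK3PXP&amp;issuer=Example&amp;period=30&amp;digits=6</Value></String>
      </Entry>
      <Entry>
        <String><Key>Title</Key><Value>No TOTP here</Value></String>
        <String><Key>Password</Key><Value>secret</Value></String>
      </Entry>
    </Group>
  </Root>
</KeePassFile>
"""


def extract_otp_uris(xml_text):
    """Return every Value stored under Key 'otp', i.e. the same nodes the
    XPath //Key[text()='otp']/following-sibling::Value/text() selects."""
    root = ET.fromstring(xml_text)
    uris = []
    for string in root.iter("String"):
        if string.findtext("Key") == "otp" and string.findtext("Value"):
            uris.append(string.findtext("Value"))
    return uris


def parse_otpauth(uri):
    """Split an otpauth://totp/... URI into the fields needed to make codes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI: %s" % uri)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI without a secret parameter")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "issuer": params.get("issuer", ""),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def totp(secret_b32, timestamp, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HMAC over the time-step counter, then dynamic truncation."""
    # Base32 secrets in QR codes are often unpadded or lower-case; normalise first.
    secret = secret_b32.strip().replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)
    key = base64.b32decode(secret)
    counter = struct.pack(">Q", int(timestamp) // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def codes_from_export(xml_text, timestamp):
    """Map each TOTP entry's label to the code valid at `timestamp`."""
    result = {}
    for uri in extract_otp_uris(xml_text):
        p = parse_otpauth(uri)
        result[p["label"]] = totp(p["secret"], timestamp, p["digits"], p["period"], p["algorithm"])
    return result


if __name__ == "__main__":
    # Compare these against what the Apex/OTP applet shows to confirm the backup.
    for label, code in codes_from_export(SAMPLE_XML, time.time()).items():
        print(label, code)
```

Point it at a real export by replacing SAMPLE_XML with the file contents; if the codes it prints match the ones the chip produces, the secrets in the database are a usable backup of the enrolled TOTP accounts. Note that the export is plaintext, so delete it once you have checked it.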
I just print out the backup codes or the TOTP secret.