So I’ll be traveling in such a way that I’ll be crossing the US border. I want to take a burner phone so I can wipe it, or have innocuous enough data. The problem: all my passwords are stored in a password manager that uses 2FA tied to my primary phone which will be sitting at home (along with other sites that use 2FA tied to authenticators on my phone).
So remembering passwords is out. And not having access to 2FA presents a catch-22. So what’s the best way to approach that?
This tells me that you'd be in a lot of trouble if you lost your phone or had to wipe it because someone got into it. It's probably good then that you're now thinking about this so you can prepare for a time when you won't have your phone for other reasons.
All sites supporting 2FA usually allow you to use a second method. Email is usually an alternative. Assuming that your email is your universal second OTP method, you just need to make sure you will always have access to your email account and you'll be fine. So just solve for the OTP problem for your email account.
Pre-buy your burner phone and make it a second OTP device for your email account. For more assurance, buy a couple of physical keys (like Yubikey) that can be used with your email account. These can also be set up for some of your other accounts that support it, which may be more convenient than email when accessing them.
Assuming your 2FA method is TOTP: back up the 2FA keys to an encrypted file, with a long passphrase. Take it with you (or store it in the cloud; in this situation this is possibly safer). Then when you need them, just
install a TOTP app
import the decrypted keys
log in to things.
Then when you’re done, log out of things and delete the TOTP app.
Guess I'll be traveling with a handful of USBs with my encrypted TOTP keys.
Also, my phone has a duress password, anyone know if I could just get away with traveling with my phone as-is and just giving them my duress PW if need be?
I do this as much as possible, though I have a self hosted VaultWarden instance. I really wish more stuff supported TOTP or Yubikey. There's still a ton that only support text or email which just puts a big old hole in the security, IMHO.
I carry a Yubikey to unlock my password manager. (Probably shouldn't have said that.) If you have a form of 2FA they wouldn't know about, that might help you.
Having a Yubikey isn't supposed to be a secret. Security through obfuscation is poor security.
It wouldn't be much of a secret anyway, since your device would say something like, "Please present your hardware key," when logging in. If OP had a Yubikey with them, ICE could simply search them and use it themselves.
Yubikeys are excellent against digital attacks but not physical ones, since it's akin to carrying a lock and key together.
That’s why a Yubikey is a 2nd factor. You still also need a password which you are not legally bound to divulge (in the US). Additionally if you uninstall your pw manager in advance they may see you have a key but they don’t know what it belongs to.
Security is about making it harder for the bad guys to get to what you don't want them to get to. If they were sufficiently determined, sure, they could get to it, but it is another layer. And one they may not expect, or, if they were not sufficiently trained, may not know what to do about.
Could you store them through physical means? If so, consider what passwords you'll likely need (if you can't write all/most of them) and put them in a notebook? Not qualified to speak on this at all, btw, just spitballing.
So your password manager uses your phone as 2FA, and the credentials inside your password manager also use your phone as 2FA? Hmmm...
So essentially, you can't bring your phone, that's the main issue. Does your authenticator on your phone support exporting a backup? Then store that in your password manager if that's possible and set up an alternative 2FA for your password manager (SMS on the burner phone number perhaps or a security key). Then when you arrive, reinstall the authenticator on your burner phone and import the backup.