I've been thinking a lot about maintaining access to our root account securely, especially after reading some posts about people losing access. Currently, we've set up a hardware token stored securely in a lockbox for emergencies, and we primarily use an authenticator app on three phones—two are mine and the other belongs to my business partner. We both know the password, which we change with each use, but that happens only a few times a year. I'm considering moving the hardware token offsite, like to a bank vault, to reduce the risk of having everything in one place. Am I worrying too much? How many MFA devices do others use to ensure access while keeping it secure and not overly complex?
6 Answers
For my setup, I'm planning to use just two phone authenticators, but I might add a hardware token to enhance security. By the way, which hardware token did you go with?
In our organization, we use CyberArk, so I guess you could say we have two main MFA methods: a physical key and the CyberArk MFA vault.
You're definitely not overthinking it; it really comes down to how comfortable you feel with your setup. A good tip is to verify that the email you use for your root account isn’t linked to any DNS domains hosted in your own account. For example, I have mine tied to a Gmail with extra protection, and I only use that for security-related purposes.
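The check this answer recommends, written out as an added example that is not part of the original post: given a recovery e-mail address and the list of DNS zones hosted in the account (here a constructed sample list, where a real run would pull it from the provider's DNS API), report whether the e-mail's domain, or any parent of it, is served from inside the account.

```python
"""Verify that a root-account recovery e-mail is not served by a DNS zone
hosted in the same account (added example, not from the original post)."""
from __future__ import annotations

# Constructed sample data: zones hosted in this hypothetical account.
HOSTED_ZONES = ["example.com.", "corp.example.org", "internal.test."]


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip any trailing dot."""
    return name.strip().lower().rstrip(".")


def email_domain(email: str) -> str:
    """Return the normalized domain part of an e-mail address."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return normalize(domain)


def zone_serving(domain: str, zones: list[str]) -> str | None:
    """Return the hosted zone that would serve `domain`, or None.

    A zone matches when it equals the domain or is a parent of it on a
    label boundary: 'mail.example.com' is served by 'example.com', while
    'notexample.com' is not.
    """
    labels = normalize(domain).split(".")
    zone_set = {normalize(z) for z in zones}
    # Walk from the full name up towards the TLD; the first hit is the
    # most specific zone a resolver would be delegated to.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone_set:
            return candidate
    return None


def root_email_is_independent(email: str, zones: list[str]) -> bool:
    """True when the recovery e-mail's domain is NOT hosted in the account.

    If access to the account is lost, DNS for a domain hosted inside it
    can be lost too, which would also break e-mail-based recovery.
    """
    return zone_serving(email_domain(email), zones) is None


if __name__ == "__main__":
    for addr in ["root@example.com", "ops@mail.corp.example.org", "root@gmail.com"]:
        status = "independent" if root_email_is_independent(addr, HOSTED_ZONES) else "hosted here"
        print(addr, status)
```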
Honestly, I’d register as many devices as you can and make sure to test them regularly. I see it as part of my responsibility to ensure our backup access methods are always operational.
I’d suggest adding at least a couple more authenticators to your setup. Spread them across different devices so you have backups if one phone goes missing. I think Google has this thing called a security key that could work well as an MFA option.
I find it interesting you have both a hardware token and phone MFA. I’d personally go with Yubikeys for everyone, especially those who aren't in IT, just to avoid any phishing worries.