I'm trying to figure out how to manage two-factor authentication (2FA) while traveling without my primary phone. It would be great to have a TOTP app that can show incorrect codes if the wrong PIN is entered multiple times, while also wiping the real configuration silently. Even if I have a burner phone, using SMS isn't an option. I'm curious if a 'booby-trapped' authenticator could actually exist!
3 Answers
You might want to consider using Passkey instead. Basically, your phone acts as the authenticator, so as long as you don't enable biometrics, customs would need probable cause to access it in the US. Plus, since the key materials are stored in an encrypted enclave, you shouldn’t have to worry about them being cloned. If you're really concerned about security, a Pixel phone with GrapheneOS could be worth looking into—it allows you to have a separate volume with different PINs for sensitive data.
What you're describing is known as a duress code, and it could definitely be useful in situations like this. The downside is that most mainstream apps don't support this kind of feature, as it's a bit complicated for the average user.
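As an added illustration of the duress-code idea from the answer above (this is not code from the answerer or from any real authenticator app): a standard-library Python sketch in which the real TOTP seed is stored encrypted under a PIN-derived key, any wrong PIN yields consistent decoy codes instead of an error, and three wrong PINs in a row silently overwrite the real seed. The PIN, seed, fail limit and KDF parameters are constructed values, and the XOR pad stands in for a proper AEAD.

```python
import hashlib, hmac, secrets, struct, time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp(secret: bytes, at: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step)

class DuressAuthenticator:
    """Hypothetical duress-code authenticator. The real seed is stored encrypted
    under a PIN-derived key; a wrong PIN yields consistent decoy codes instead of
    an error, and MAX_FAILS wrong PINs in a row silently destroy the real seed."""
    MAX_FAILS = 3
    def __init__(self, real_seed: bytes, pin: str):
        assert len(real_seed) <= 32  # the pad below is 32 bytes
        self.salt = secrets.token_bytes(16)
        self.device_key = secrets.token_bytes(32)  # per install; decoys differ per device
        self.fails = 0
        k = self._kdf(pin)
        self.verifier = hmac.new(k[32:], b"pin-ok", hashlib.sha256).digest()
        # XOR with a single-use KDF-derived pad stands in for a real AEAD (e.g. AES-GCM)
        self.blob = bytes(a ^ b for a, b in zip(real_seed, k[:32]))

    def _kdf(self, pin: str) -> bytes:  # iteration count is illustrative only
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 200_000, dklen=64)

    def _open(self, pin: str):  # real seed for the right PIN, None otherwise (also after a wipe)
        k = self._kdf(pin)
        tag = hmac.new(k[32:], b"pin-ok", hashlib.sha256).digest()
        if hmac.compare_digest(tag, self.verifier):
            return bytes(a ^ b for a, b in zip(self.blob, k[:32]))
        return None

    def code(self, pin: str, at=None) -> str:
        at = time.time() if at is None else at
        real = self._open(pin)
        if real is not None:
            self.fails = 0  # a correct PIN resets the counter
            return totp(real, at)
        self.fails += 1
        if self.fails >= self.MAX_FAILS:  # silent wipe: storage keeps its shape, nothing verifies again
            self.verifier = secrets.token_bytes(32)
            self.blob = secrets.token_bytes(len(self.blob))
        decoy = hmac.new(self.device_key, pin.encode(), hashlib.sha256).digest()[:20]
        return totp(decoy, at)  # same wrong PIN -> same decoy stream, so the app looks functional
```

The `hotp`/`totp` functions reproduce the RFC 6238 test vectors for the seed `12345678901234567890`, so the real-PIN path can be checked against a normal authenticator.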
What exactly is a YubiKey?
A YubiKey is a physical device used for 2FA, but it's not ideal for travel. If customs agents catch you with it, there's less room for plausible deniability. I'd prefer something that looks like I'm cooperating instead!
I'll definitely check out GrapheneOS! My bigger concern is about what's at stake while traveling abroad.