best option for "archival" 2fa?

<eli$2105071413@qaz.wtf>


https://www.novabbs.com/computers/article-flat.php?id=599&group=comp.misc#599

Path: i2pn2.org!i2pn.org!usenet.goja.nl.eu.org!3.eu.feeder.erje.net!2.eu.feeder.erje.net!feeder.erje.net!goblin2!goblin3!goblin.stu.neva.ru!panix!qz!not-for-mail
From: *...@eli.users.panix.com (Eli the Bearded)
Newsgroups: comp.misc
Subject: best option for "archival" 2fa?
Date: Fri, 7 May 2021 18:18:09 +0000 (UTC)
Organization: Some absurd concept
Lines: 44
Message-ID: <eli$2105071413@qaz.wtf>
NNTP-Posting-Host: panix5.panix.com
X-Trace: reader1.panix.com 1620411489 10970 166.84.1.5 (7 May 2021 18:18:09 GMT)
X-Complaints-To: abuse@panix.com
NNTP-Posting-Date: Fri, 7 May 2021 18:18:09 +0000 (UTC)
X-Liz: It's actually happened, the entire Internet is a massive game of Redcode
X-Motto: "Erosion of rights never seems to reverse itself." -- kenny@panix
X-US-Congress: Moronic Fucks.
X-Attribution: EtB
XFrom: is a real address
Encrypted: double rot-13
User-Agent: Vectrex rn 2.1 (beta)
 by: Eli the Bearded - Fri, 7 May 2021 18:18 UTC

I have a bazillion accounts that I don't log into regularly. Many can be
configured with email or SMS two-factor auth. Some can be configured
with other types.

I'm curious if people have opinions about what would be the best choice
for long term neglect. For this exercise, I'm less concerned with
security and more concerned with "I can successfully use it in ten
years."

Email, particularly to a hostname I own, is pretty good.

Email to my current ISP account is a very close second. (I've had this
address for ~ 24 years and there is little likelihood of the ISP going
away in such a way that email addresses would cease to work. Even if
the company went away, there are a lot of highly technical customers
who could band together to recreate it for email use, and the private
ownership is very friendly to customers.)

SMS, not as good. I've three cell phone numbers during the period of
time I've had my main ISP account. My wife has had four numbers in the
same period. Phone number portability is good, but probably wouldn't
be great if I moved out of country. (I have no current plans to do so,
but I'd also like to keep options open.)

Yubikey works great for day to day use. But for a ten year "set it and
forget it"? Too high a chance of me losing it, or it breaking in two
to five years. I've seen photos of older ones beat up from years of use.

OTP tools like Google Authenticator and Authy also work fine for day to
day, but closed source and would seem difficult to migrate off of a device
and on to an emulated device.

So things to consider:
- If it is something I have to pay for as a subscription, what is the
likelihood of the thing still being available on the market in a
decade?
- If it is something I have to pay for as a one time purchase, what is
the likelihood I can still use it in a decade?
- If it is a free thing, can it be backed up and restored without help
from a device or software maker?

Elijah
------
has not, eg, logged into gmail for the last two years

Re: best option for "archival" 2fa?

<87czu21gnr.fsf@LkoBDZeT.terraraq.uk>


https://www.novabbs.com/computers/article-flat.php?id=600&group=comp.misc#600

Path: i2pn2.org!i2pn.org!aioe.org!nntp.terraraq.uk!.POSTED.nntp.terraraq.uk!not-for-mail
From: inva...@invalid.invalid (Richard Kettlewell)
Newsgroups: comp.misc
Subject: Re: best option for "archival" 2fa?
Date: Fri, 07 May 2021 20:35:04 +0100
Organization: terraraq NNTP server
Message-ID: <87czu21gnr.fsf@LkoBDZeT.terraraq.uk>
References: <eli$2105071413@qaz.wtf>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Info: mantic.terraraq.uk; posting-host="nntp.terraraq.uk:2a00:1098:0:86:1000:3f:0:2";
logging-data="5030"; mail-complaints-to="usenet@mantic.terraraq.uk"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
Cancel-Lock: sha1:x1GxoLavqH+ExCuSA29kLusjnS8=
X-Face: h[Hh-7npe<<b4/eW[]sat,I3O`t8A`(ej.H!F4\8|;ih)`7{@:A~/j1}gTt4e7-n*F?.Rl^
F<\{jehn7.KrO{!7=:(@J~]<.[{>v9!1<qZY,{EJxg6?Er4Y7Ng2\Ft>Z&W?r\c.!4DXH5PWpga"ha
+r0NzP?vnz:e/knOY)PI-
X-Boydie: NO
 by: Richard Kettlewell - Fri, 7 May 2021 19:35 UTC

Eli the Bearded <*@eli.users.panix.com> writes:
> I have a bazillion accounts that I don't log into regularly. Many can be
> configured with email or SMS two-factor auth. Some can be configured
> with other types.
>
> I'm curious if people have opinions about what would be the best choice
> for long term neglect. For this exercise, I'm less concerned with
> security and more concerned with "I can successfully use it in ten
> years."

I think your analysis of the suitability of the different approaches is
sound, and the answer is that you have to see second factor migration as
a normal part of the security lifecycle, just like you occasionally need
to change passwords (e.g. following a data breach, or advances in the
state of the art in password cracking).

A handful of years back I went through my online accounts and closed
those I wasn’t using (where possible). If I need them again I’ll create
new ones.

--
https://www.greenend.org.uk/rjk/

Re: best option for "archival" 2fa?

<s7487b$6ba$1@dont-email.me>


https://www.novabbs.com/computers/article-flat.php?id=601&group=comp.misc#601

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: ric...@example.invalid (Rich)
Newsgroups: comp.misc
Subject: Re: best option for "archival" 2fa?
Date: Fri, 7 May 2021 20:33:47 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 33
Message-ID: <s7487b$6ba$1@dont-email.me>
References: <eli$2105071413@qaz.wtf>
Injection-Date: Fri, 7 May 2021 20:33:47 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="d36e93777c6ef5a790614fc87df762ab";
logging-data="6506"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19tn9NP3m/yLjwh+BUH0zXo"
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/3.10.17 (x86_64))
Cancel-Lock: sha1:e2KPui1I0FcoG3JjIWJrsULLy3M=
 by: Rich - Fri, 7 May 2021 20:33 UTC

Eli the Bearded <*@eli.users.panix.com> wrote:
> OTP tools like Google Authenticator and Authy also work fine for day to
> day, but closed source and would seem difficult to migrate off of a device
> and on to an emulated device.

G.Authenticator is difficult to migrate off, because as I understand
how it works that app disallows one to get at the underlying "secret
number" used for the TOTP algorithm, so one is "stuck" to that app
once one imports the QR code (unless one thought to archive the QR code
when adding it to the app).

But, if you have an android device, this one:

https://f-droid.org/en/packages/org.liberty.android.freeotpplus/

Handles TOTP, and allows you to, from within the app, create a backup
of the secrets data to either a JSON or a URI format file. The JSON
format preserves all of the internal app data, including the 'secrets'
from the QR barcode.

From there, moving the file off the device to a desktop would allow you
to back up the "secrets" however you wish in whatever secure manner you
wish, and having the secrets available would allow use of those
yourself outside of any app (i.e., on that desktop machine) with a bit
of programming:

https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm

The algorithm is not hard to follow, and libraries for the hash used
exist for most languages one would use.

And, all the f-droid.org apps are open source. FreeOTP+ is Apache 2.0
licensed.
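
The "bit of programming" described in the post above, as an added example that is not part of the original post or of FreeOTP+: it reads a URI-format backup and computes the current codes per RFC 6238. It assumes the backup holds standard `otpauth://totp/...` key URIs, one per line (the post does not show the file); the labels and keys in the sample are constructed test values.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample backup (test keys, not real secrets): one URI per line.
SAMPLE_BACKUP = """\
otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8
otpauth://totp/Other:bob?secret=JBSWY3DPEHPK3PXP&algorithm=SHA256&period=60
"""

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def parse_otpauth(uri):
    """Turn one otpauth://totp/... key URI into the parameters TOTP needs."""
    u = urlparse(uri.strip())
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP key URI")   # do not echo the URI: it holds the secret
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)           # exports usually strip base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "hash": ALGORITHMS[q.get("algorithm", "SHA1").upper()],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }

def totp(entry, now=None):
    """RFC 6238: HOTP (RFC 4226) over the number of periods since the epoch."""
    counter = int(time.time() if now is None else now) // entry["period"]
    mac = hmac.new(entry["key"], struct.pack(">Q", counter), entry["hash"]).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** entry["digits"]).zfill(entry["digits"])

def codes_from_backup(text, now=None):
    """Current code for every non-empty line of a URI-format backup."""
    entries = (parse_otpauth(line) for line in text.splitlines() if line.strip())
    return {e["label"]: totp(e, now) for e in entries}

if __name__ == "__main__":
    for label, code in codes_from_backup(SAMPLE_BACKUP).items():
        print(f"{label}: {code}")
```

Anyone holding the backup file can generate the same codes, so it needs the same protection as the accounts it unlocks.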

Re: best option for "archival" 2fa?

<i8WdnQc1hKkCKQj9nZ2dnUU78VfNnZ2d@brightview.co.uk>


https://www.novabbs.com/computers/article-flat.php?id=602&group=comp.misc#602

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!3.eu.feeder.erje.net!feeder.erje.net!border1.nntp.ams1.giganews.com!nntp.giganews.com!buffer1.nntp.ams1.giganews.com!buffer2.nntp.ams1.giganews.com!nntp.brightview.co.uk!news.brightview.co.uk.POSTED!not-for-mail
NNTP-Posting-Date: Fri, 07 May 2021 16:43:59 -0500
From: inva...@invalid.invalid (Javier)
Subject: Re: best option for "archival" 2fa?
Newsgroups: comp.misc
References: <eli$2105071413@qaz.wtf>
Message-ID: <i8WdnQc1hKkCKQj9nZ2dnUU78VfNnZ2d@brightview.co.uk>
Date: Fri, 07 May 2021 16:43:59 -0500
Lines: 37
X-Usenet-Provider: http://www.giganews.com
X-Trace: sv3-hpFi07N+DLnKDFtbgBRDBUF+8YUNDqnjeW2+K16SImq60oEm5M2Pp4u/+mZU1ZRqDDEMoxSwNi0zCWk!gllJFggfqstyopDxI894a2oFj+rkyrWtnTlmujOCvgJqjItLh5AzZrOwaWayZtJRcnrXs7oGQgFx!HRdlp3trHL90FwELRp2DT5v9V9A=
X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your complaint properly
X-Postfilter: 1.3.40
X-Original-Bytes: 2758
 by: Javier - Fri, 7 May 2021 21:43 UTC

Eli the Bearded <*@eli.users.panix.com> wrote:
> SMS, not as good. I've three cell phone numbers during the period of
> time I've had my main ISP account. My wife has had four numbers in the
> same period. Phone number portability is good, but probably wouldn't
> be great if I moved out of country. (I have no current plans to do so,
> but I'd also like to keep options open.)
>
> So things to consider:
> - If it is something I have to pay for as a subscription, what is the
> likelihood of the thing still being available on the market in a
> decade?
> - If it is something I have to pay for as a one time purchase, what is
> the likelihood I can still use it in a decade?
> - If it is a free thing, can it be backed up and restored without help
> from a device or software maker?

Instead of SMS and mobile numbers you can use a VoIP phone, which is
much lower cost than mobile. SMSs can be forwarded to email.
Prices went up 5 years ago, because of making VoIP numbers to pay for
911 costs. But costs are still reasonable. Keeping a US termination
number is just $15 per year, and you can use it for other things like
calling relatives.

Using a VoIP phone number abroad has the advantage that unlike mobile
it has no roaming costs.

I think Eli lives in the USA whose phone network does not have a
different prefix for mobile numbers, so they are almost
indistinguishable from landlines. Possibly some companies are
intelligent enough to discriminate mobile numbers (google? skype?, my
memory is fuzzy and I don't remember well), but that's not the case
for most companies (even big ones as Paypal). I can confirm that
Paypal US does not care about VoIP.

In Europe it is different and mobile phones use different prefixes, so
possibly getting a mobile number on VoIP may be hard (I don't know,
since I never tried to do that myself in Europe).
