You're right: In case of compromised tokens you of course have to replace them.
However, not all providers provide backup methods, so it's me confident to log in to an
account with the current token and create a new token. (Even that's often not
About not noticing when another backs your tokens up: Of course you have to lock your
phone with a PIN or padlock. That's where we have no influence - the user of course
has to secure the phone. Otherwise it's not better if the phone is stolen so the
attacker cannot read the tokens anymore but can just use the phone's app. So if the phone is not
secured properly you should not recommend that he use FreeOTP at all.
Of course you could add another PIN to the app but I think that's not really
BTW I'm using the Android version - there is no backup method either.
And there is another (not so critical) scenario where backups would be useful: if you
switch to another phone, reset your phone or flash a custom ROM or something like this.
There no attacker has access, but you just want a backup for obvious reasons: to transfer
your tokens. (or to make sure that they are not completely lost if something should fail)
Subject: Re: FreeOTP Backup
Date: Tue, 18 Aug 2015 22:13:51 -0400
On Tue, 2015-08-18 at 21:10 -0500, Jonathan Brown wrote:
> I use the iOS version of FreeOTP and love the app but would it be possible to
> add a backup option in case the phone gets lost or stolen? That is
> the only thing missing with this great app.
The problem is that if the phone is lost or stolen you don't want to
have a backup. Rather, you want to disable the token altogether (since
it is now compromised) and create a new one.
Similarly, if you can back up the token, then someone can compromise the
backup. For instance, if you left your phone on a table someone could
quickly perform a backup and then return the phone to you. You would
have no idea the key was compromised.