On Sun, 3 Apr 2022, at 12:07, Ben Denhartog via aur-general wrote:
> 2) Use a proper password manager to store your OTPURI and generate the tokens, as well as for storing your recovery codes. I'd recommend gopass if GPG, self management, and VCS sounds appealing, and 1Password if you'd rather have someone else handle the technicals.
Storing the password and the TOTP secret in the same password manager moves both factors into the same store, kinda negating the point of using two-factor.
> 3) WEB3 aims to provide such decentralized login based on some device you control as you are saying you want. Whether or not it replaces the current authentication model is another matter entirely.
So, something like a Yubikey using WebAuthn/FIDO? This is not uncommon online, and very handy since the second factor is a fully-offline device which requires a physical tap to log in. I see Keycloak DOES support this; maybe it's a matter of enabling it?

--
Hugo Osvaldo Barrera