It depends on whether your DNS provider supports it. Often they will not, and you'll simply have to run your own DNS nameserver (BIND) with a wildcard config, such as http://community.aegirproject.org/dnswildcard ... Googling around will find you many BIND configurations and discussions of this feature.
Have the glue record for a/your domain (e.g. c.uk) point to your own nameserver. Configure the nameserver to respond to any request for an A or AAAA record under that domain with the target IP address. Make the HTTP server listening on that IP address answer regardless of the Host header.
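An added configuration example for the setup the two replies above describe; it is not taken from either reply or from the linked aegir page. The domain c.uk is the one used in the reply; ns1, 192.0.2.10 and 2001:db8::10 are documentation addresses chosen for illustration, and the file paths are the Debian defaults for BIND and a plain nginx catch-all.

```text
# /etc/bind/named.conf.local (BIND): be authoritative for the delegated domain.
zone "c.uk" {
    type master;
    file "/etc/bind/db.c.uk";
};

; /etc/bind/db.c.uk : wildcard zone. Any name under c.uk that does not exist
; explicitly (including multi-label names such as a.b.c.uk, RFC 4592) gets the
; wildcard's A/AAAA. The apex and ns1 must be listed explicitly: a wildcard
; never matches the zone name itself or any name that already exists.
$TTL 300
$ORIGIN c.uk.
@       IN SOA  ns1.c.uk. hostmaster.c.uk. (
                2024010101 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL
@       IN NS   ns1.c.uk.
ns1     IN A    192.0.2.1      ; must match the glue record at the registrar
@       IN A    192.0.2.10
@       IN AAAA 2001:db8::10
*       IN A    192.0.2.10
*       IN AAAA 2001:db8::10

# nginx: the HTTP server on that IP answers whatever the Host header says.
server {
    listen 192.0.2.10:80 default_server;
    listen [2001:db8::10]:80 default_server;
    server_name _;
    root /var/www/catchall;
}
```

Two checks worth doing after deploying it: `dig @192.0.2.1 anything.at.all.c.uk A` should return 192.0.2.10, and `dig @192.0.2.1 ns1.c.uk A` should still return 192.0.2.1 (an explicit name shadows the wildcard, so if you later add a real `www` or `mail` record, names below it such as `x.www.c.uk` stop matching the wildcard unless you add one under that label too).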
Does anyone have a good way of storing recovery codes? I currently keep them on paper, in my wallet, but with more and more sites using 2FA I'm having to carry more and more recovery codes around.
This may sound extra paranoid, but I've locked myself out of 2FA'd accounts before and recovery is not fun, so I go out of my way to keep the recovery codes secured but available to me in case of catastrophe.
First, I make an encrypted disk image with a very strong, unique passphrase (easy on OS X, not sure about Windows). In this I put the QR setup codes and my recovery codes. I put a copy of this on every device I own, every computer I own, stash it in my home directory on my server, and put it on Dropbox. I then share the Dropbox copy to two friends, and instruct them to hold on to it in case I lose access to all my devices. Any time I enable 2FA on a new account, like I did today, I update the image and redistribute it.
I previously kept a copy on github as well as dropbox, but now that both are behind 2FA I wouldn't be able to recover from those sources if I lost all my devices. Maybe I should push a copy to pages.github.io under some secret path that only I knew.
Oh, and check out BitTorrent Sync, it makes it really easy to distribute among my computers and phone without worrying about dropbox somehow losing my files or preventing my access.
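An added example for the "encrypted vault of QR setup codes and recovery codes" approach in the comment above; it is not the commenter's own setup. It swaps the macOS encrypted disk image for an openssl-encrypted tar archive so it runs on any system with openssl and tar, and adds the check a practitioner wants after every redistribution: that the copy actually opens with the passphrase and still holds what was put in. The file names, TOTP URI and recovery codes are constructed samples, and VAULT_PASS is an assumed environment variable for the passphrase.

```sh
#!/bin/sh
# Added example, not the commenter's own setup. Uses an openssl-encrypted tar
# archive instead of a macOS disk image; all contents below are constructed.
set -eu

PBKDF2_ITER=600000   # slow down offline guessing of the passphrase

# Populate a directory with constructed sample secrets (not real codes).
make_vault_dir() {  # make_vault_dir <dir>
    mkdir -p "$1"
    printf 'otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example\n' \
        > "$1/example-totp-uri.txt"
    printf '1111-2222\n3333-4444\n' > "$1/example-recovery-codes.txt"
}

# Encrypt a directory into one file. The passphrase is read from the VAULT_PASS
# environment variable so it never appears on the command line or in history.
encrypt_vault() {  # encrypt_vault <srcdir> <outfile>
    tar -C "$1" -cf - . \
        | openssl enc -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" -salt \
              -pass env:VAULT_PASS -out "$2"
}

# Decrypt to a temp file first so a wrong passphrase is caught by openssl's
# exit status before tar sees any bytes. Returns non-zero on any failure.
decrypt_vault() {  # decrypt_vault <infile> <destdir>
    tmp="$(mktemp)"
    if ! openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
            -pass env:VAULT_PASS -in "$1" -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    mkdir -p "$2"
    tar -C "$2" -xf "$tmp"; st=$?
    rm -f "$tmp"
    return "$st"
}

# The check to run on every distributed copy: can it be opened with the
# passphrase, and is its content identical to the source directory?
# Returns 0 only if both hold.
verify_vault() {  # verify_vault <vaultfile> <srcdir>
    work="$(mktemp -d)"
    if decrypt_vault "$1" "$work" && diff -r "$2" "$work" >/dev/null; then
        rm -rf "$work"; return 0
    fi
    rm -rf "$work"; return 1
}
```

On macOS the native equivalent of encrypt_vault is `hdiutil create -encryption AES-256 -stdinpass -srcfolder <dir> vault.dmg`; the verify step matters just as much there, since a copy that never gets test-mounted is exactly the one that turns out to be corrupt or encrypted under an old passphrase on the day it is needed.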
Screenshot all QR codes and store them in Dropbox, which also has 2-factor authentication. Store recovery code for Dropbox in Google Docs, which also has 2-factor authentication.
So for me to be totally screwed, I would have to lose my phone and have my logins expire on both Dropbox and Google.
Actually, I disagree with you here (because what hasn't happened to you has actually happened to me).
I was robbed at gunpoint, the perpetrator took both my phone and my laptop (the only computer authorized to login), which was the only computer that had a non-expired login.
I print out all the codes and store them in a secure place in my house (with things like my passport). For the truly paranoid, get a safe, or a safety deposit box at a bank.
Not to mention the much more likely attack vectors with this approach over a safe/deposit-box-based approach (which you might be alluding to):
- This has a big assumption that 2FA cannot be bypassed AND other service exploits are not possible. The recent Dropbox security paper showed this was possible: https://www.usenix.org/system/files/conference/woot13/woot13-kholia.pdf
- Device stolen/lost/hacked with active logins to said services OR local copies of said 2FA recovery codes? Eek!
- Our friends at the NSA love that you use Dropbox to store this versus a more secure service like SpiderOak.