Help with keeping account secure
I’ve been auditing my security setup and decided to properly migrate away from storing TOTP codes in my password manager (Keeper). Having credentials and OTP in the same vault defeats the point of MFA, so I’ve built a tiered migration plan across ~230 accounts.
Hardware - each key held in a separate location, set up and rotated around when required to add keys to services.
• 2x YubiKey 5 (black) — FIDO2 + TOTP (32 slots each)
• 1x YubiKey Security Key (blue) — FIDO2 only, no TOTP
The tiers
Tier 1 — Passkey/FIDO2 (unlimited, all 3 keys)
Any service supporting FIDO2 or passkeys gets all 3 keys registered. No slot cost, phishing-resistant, domain-bound. ~35 services including Microsoft, Google, Apple, Amazon, PayPal, eBay, Adobe, Atlassian, Xero, GOV.UK.
Tier 2 — YubiKey TOTP (32 slots, black keys only)
Highest value TOTP-only accounts. Banking, NS&I, mobile carriers, energy, hosting/infrastructure, HR systems. Slots ranked Critical→Low so the least critical can be evicted to Tier 3 if a higher value service needs a slot.
Tier 3 — Authenticator app
Lower value TOTP accounts. OTP still separated from Keeper, just not hardware-backed.
Tier 4 — Password only
No MFA available. Strong unique password in Keeper.
The sliding scale logic
32 slots is a hard ceiling. If a new high-value TOTP service appears, the lowest Tier 2 entry gets evicted to Tier 3.
If any Tier 2 service adds passkey support, it gets promoted to Tier 1 and frees a slot — pulling the top Tier 3 entry up.
Questions for the community
- Any services I might have missed that support passkeys that aren’t obvious? I need to cross-reference more on 2fa.directory to be sure.
- Is there a better approach to the 32-slot ceiling than the sliding scale eviction model?
Comments welcome!
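The sliding-scale policy from the post, as an added worked example (not the poster's own tooling): passkey-capable services go to Tier 1, TOTP-only services are ranked Critical to Low and the top 32 take a key slot, the rest fall to Tier 3, and password-only services land in Tier 4. Service names, criticality ranks and the `assign_tiers`/`promote_to_passkey` helpers are constructed for illustration.

```python
# Added example: a small model of the tiering and slot-eviction policy.
# Service names and criticality ranks below are constructed sample data,
# not the poster's real account list.
from dataclasses import dataclass

SLOT_CAP = 32  # TOTP slots per YubiKey 5; both black keys hold the same set


@dataclass
class Service:
    name: str
    passkey: bool      # supports FIDO2 / passkeys
    totp: bool         # supports TOTP
    criticality: int   # 0 = Critical, larger = lower value


def assign_tiers(services, cap=SLOT_CAP):
    """Return {service name: tier} following the sliding-scale rules."""
    tiers = {}
    totp_only = []
    for s in services:
        if s.passkey:
            tiers[s.name] = 1          # hardware passkey, no slot cost
        elif s.totp:
            totp_only.append(s)
        else:
            tiers[s.name] = 4          # password only, no MFA available
    # Rank TOTP-only services Critical -> Low; only the top `cap` get a slot,
    # so adding a higher-value service evicts the lowest Tier 2 entry.
    totp_only.sort(key=lambda s: (s.criticality, s.name))
    for i, s in enumerate(totp_only):
        tiers[s.name] = 2 if i < cap else 3
    return tiers


def promote_to_passkey(services, name):
    """Mark a service as passkey-capable; recomputing tiers frees its slot."""
    return [Service(s.name, True, s.totp, s.criticality) if s.name == name else s
            for s in services]


# Constructed sample: 34 TOTP-only services, so two overflow into Tier 3
sample = [Service("idp", True, True, 0), Service("forum", False, False, 5)]
sample += [Service(f"totp{i:02d}", False, True, i) for i in range(34)]

if __name__ == "__main__":
    t = assign_tiers(sample)
    print(sum(v == 2 for v in t.values()), "Tier 2 slots used")   # 32
    print(t["totp32"], t["totp33"])                               # 3 3
    t2 = assign_tiers(promote_to_passkey(sample, "totp00"))
    print(t2["totp00"], t2["totp32"])                             # 1 2
```

Re-running `assign_tiers` after any change to the service list is the eviction model: a new high-value TOTP service pushes the lowest Tier 2 entry down, and a service gaining passkey support pulls the top Tier 3 entry back up.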