Nice little feature of Bitwarden:
Check which services you are registered with have 2FA options and check the instructions on how to enable them.
I wouldn't recommend storing your 2FA credentials along with the passwords in Bitwarden, but checking once a year where you can set up new 2FA is definitely recommended!
@sheogorath I do store my 2FA creds in Bitwarden, the convenience outweighs the risks for me. 👌🏻
That being said, Bitwarden reports are great! They’re reserved for Premium subscribers, though, but $10/yr is so ridiculously cheap 🤗😍
@Crocmagnon Oh, I wasn't aware it's a premium feature. Anyway, yes, I can understand why people want to store 2FA along passwords, but still can't recommend it, because it takes the 2FA out of 2FA :D
I use a different system to achieve the goal. For one, I use AndOTP which allows easy and secure backups, then again, I store my backup codes in an offline password safe. And for convenience, if possible, I use FIDO2/U2F instead of TOTP.
I noted some parts down a while ago: https://shivering-isles.com/Why-I-use-multiple-password-managers
@sheogorath your system seems quite robust! 😊
> because it takes the 2FA out of 2FA :D
Well I wouldn’t be so sure. If for example your password leaks because the service did a bad job protecting it, 2FA still protects you. Unless the 2FA secrets leak alongside the password DB but in this case it doesn’t matter where *you* store them.
@sheogorath Also if for some reason you reuse your password (don’t do that), and a reused version is leaked, you’re still protected by 2FA, wherever it’s stored 😊
IMO the only time your 2FA secrets are not safe in your vault is if your vault itself becomes compromised, but I’ll have bigger problems to take care of if this happens.
At least that’s *my* threat model, I don’t expect everybody to agree 🙂
@Crocmagnon the goal of 2FA is never to protect from service compromise. It's always client compromise.
And client compromise in case of a website can be either your browser which is not that uncommon or the browser extension, which we have seen a lot in the past, just look at LastPass and Project Zero a few years ago. Maybe your entire OS is compromised.
And that's the risk you have to assume. And that's why you should use 2 very different devices for proper 2FA.
I would disagree. 2FA doesn't protect against a compromised client. It just adds another layer to the authentication process for the service to make sure that you have not only the right credentials (could be leaked), but also the correct 2FA token. This makes it way more difficult for attackers.
A compromised client could ask for your 2FA token and forward it instantly to the correct site to lock you out of your account.
@hejowhat @Crocmagnon All in all, yes. But the goal is not always a full account takeover. There is actually not much benefit for an attacker on a compromised client in locking you out of your account. They can just use your session to stay undetected and mix in with legitimate use. Stealing your credentials, however, if both are present already, can still be lucrative. Especially with password safes it's a keys-to-the-castle situation.
@lanodan @feld Sadly completely wrong. In case of TOTP the secret has to be stored in the database in plain, or at best encrypted, to validate the submitted code. Different story for FIDO2/U2F, but that's nothing you can store in a password safe (if done correctly).
TOTP is shared secret based, so no benefit there. The only benefit you get by using 2FA is that reused passwords/password stuffing attacks are less useful or re-auth after MITM is "safe". But otherwise, no benefit.
@feld I can highly recommend using a second, offline password manager for 2FA backup codes (as an alternative to writing them down on a piece of paper) as well as using an app like AndOTP, which works wonderfully and provides secure backup functionality.
Some hints about that: https://shivering-isles.com/Why-I-use-multiple-password-managers
@feld So you save your password, your TOTP keys AND the backup codes in the same place? What if you ever lose access to your password manager? Start over your (online) life?
@feld Murphy's law? :D I'm just asking questions. If you feel like it's all perfect, sure go ahead, no one will stop you. Just pointing at potential breaking points.
And one reason might be a format change, so make sure you also make a backup of your password safe software. Plus all depending libraries, plus a window system and maybe a kernel 😉
@sheogorath nice, I'm on LastPass and considering other options, this is a great feature!