
Nice little feature of Bitwarden:

vault.bitwarden.com/#/tools/in

Check what services you are registered to have 2FA options and check the instructions on how to enable them.

I wouldn't recommend storing your 2FA credentials along with the passwords in Bitwarden, but checking once a year where you can set up new 2FA is definitely recommended!

@sheogorath I do store my 2FA creds in Bitwarden, the convenience outweighs the risks for me. 👌🏻

That being said, Bitwarden reports are great! They’re reserved for Premium subscribers though but $10/yr is so ridiculously cheap 🤗😍

@Crocmagnon Oh, I wasn't aware it's a premium feature. Anyway, yes, I can understand why people want to store 2FA along passwords, but still can't recommend it, because it takes the 2FA out of 2FA :D

I use a different system to achieve the goal. For one, I use AndOTP which allows easy and secure backups, then again, I store my backup codes in an offline password safe. And for convenience, if possible, I use FIDO2/U2F instead of TOTP.

I noted some parts down a while ago: shivering-isles.com/Why-I-use-

@sheogorath your system seems quite robust! 😊

> because it takes the 2FA out of 2FA :D

Well I wouldn’t be so sure. If for example your password leaks because the service did a bad job protecting it, 2FA still protects you. Unless the 2FA secrets leak alongside the password DB but in this case it doesn’t matter where *you* store them.

@sheogorath Also if for some reason you reuse your password (don’t do that), and a reused version is leaked, you’re still protected by 2FA, wherever it’s stored 😊

IMO the only time your 2FA secrets are not safe in your vault is if your vault itself becomes compromised, but I'll have bigger problems to take care of if this happens.

At least that’s *my* threat model, I don’t expect everybody to agree 🙂

@Crocmagnon the goal of 2FA is never to protect from service compromise. It's always client compromise.

And client compromise in case of a website can be either your browser which is not that uncommon or the browser extension, which we have seen a lot in the past, just look at LastPass and Project Zero a few years ago. Maybe your entire OS is compromised.

And that's the risk you have to assume. And that's why you should use 2 very different devices for proper 2FA.

@sheogorath

I would disagree. 2FA doesn't protect against a compromised client. It just adds another layer to the authentication process for the service to make sure that you have not only the right credentials (could be leaked), but also the correct 2FA token. This makes it way more difficult for attackers.

A compromised client could ask for your 2FA token and forward it instantly to the correct site to lock you out of your account.

Opinions?
@Crocmagnon

@sheogorath
Small addition: 2FA protects against keyloggers and shoulder-surfing on the client system. Just for the protocol :)
@Crocmagnon

@hejowhat @Crocmagnon All in all, yes. But the goal is not always a full account takeover. There is actually not much benefit for an attacker on a compromised client in locking you out of your account. They can just use your session to stay undetected and mix in with legitimate use. Stealing your credentials, however, if both are present already, is still lucrative. Especially with password safes it's a keys-to-the-castle situation.

@sheogorath
I mean, they lock you out to gain some more time to do their shenanigans. The actual damage depends on the service that got compromised. I could imagine that Bitwarden is the worst-case scenario.

@Crocmagnon

@sheogorath on the other hand, I would never use a password manager that doesn't store my 2FA.

The first time you lose access to your 2FA because the app "helpfully" doesn't let you back them up or transfer them to another phone will either be the point where you consider 2FA to be too much of a risk or you will decide it must be in your password manager
@feld @sheogorath just use a 2FA OTP generator that does let you export its secrets
@hj @sheogorath I don't want exporting, I want syncing.

What if the 2FA app on my phone is unavailable because my phone was just run over by a truck? Now I have to get a new phone and restore my secret keys for the 2FA?

Instead of just being able to get my 2FA from:

- my desktop app
- my browser extension
- my iPad
- the web interface of my password manager
- another phone that already has it synchronized

If anyone really thinks having your 2FA in your password manager is that dangerous, please hack me: https://pw.feld.me/

There's my BitWarden, I look forward to this person successfully retrieving my database and then successfully decrypting it.
@feld @sheogorath it's not dangerous, it just goes against the point: storing both factors in one place essentially turns 2FA into 1FA for that place (either syncing OTP or storing the password DB on the phone).

Recovery codes were made exactly for "my phone was run over by a truck" cases.

Reality however isn't as cool as security specialists envision it and 2FA really does turn into 1FA most of the time.

Still, if you have two locks on your door, intruders have to break both of them if they don't have your keys, even if you carry both on the same keychain.

I mean, the concept of "storing all passwords in the same database" is also not a good security practice, but it has its benefits.
@feld @sheogorath also if you want to sync passwords and OTP, I recommend using KeePassXC with something like Syncthing.
@hj @feld @sheogorath

keepass + syncthing is my setup exactly. p nice, my wife uses it too.
@hj @feld @sheogorath

I haven't fully migrated just yet, but I'm thinking about going with a cheap U2F key for the second factor.
@xj9 @hj @sheogorath I also have a Yubikey but I don't use U2F with anything because it's so poorly supported. Didn't have good browser support for ages, too few sites support it. I also don't want to deal with needing it on mobile.
@feld @hj @sheogorath

Like I said, it's a process. Only using the key in places where it makes sense. There are plenty of things that my phone doesn't need to do, though.
@hj @sheogorath it doesn't turn it into 1-Factor. It's still 2-Factor. Two pieces of data are required: password and the OTP code.

If someone intercepts my password, they don't get access to my OTP codes.
@feld @sheogorath depends on how you look at it.

If you only store passwords in your database - if it gets stolen and hacked - they still have to figure out your OTP.

If you store your OTPs and passwords in your database - if it gets stolen and hacked - they have both OTPs and passwords (duh), no more factors to pass.
@feld @sheogorath Same there, password manager is a storage for secrets.

2FA is just there so that even if there is a database dump it should be harder to reverse as IIRC for some 2FA the server basically just has a public key.

@lanodan @feld Sadly completely wrong. In case of TOTP the secret has to be stored in the database plain, or at best encrypted, to validate the submitted code. Different story for FIDO2/U2F but that's nothing you can store in a password safe (if done correctly)

TOTP is shared secret based, so no benefit there. The only benefit you get by using 2FA is that reused passwords/password stuffing attacks are less useful or re-auth after MITM is "safe". But otherwise, no benefit.

@sheogorath @feld Yes, TOTP is based on shared secret but IIRC that's the only one.

And 2FA is much older than just the modern things we've seen appearing since ~2012 on that strange world that is the web.

@lanodan @feld Agreed, but what other 2FA method is integrated into passwordsafes these days?

At least all I know only implement TOTP and some derivates of it. But I'm always eager to learn :)

@sheogorath @feld not really in a password safe; I have those in mine since they are just files, but some platforms are using certificates (that can be password-protected) to identify you. A known one is Mumble, and I think it was World of Warcraft that was also known for doing that.
@lanodan @sheogorath @feld most of these things (before fido/u2f) are based on some shared secret and symmetric crypto, it's cheaper to do it in a smartcard or some other shit like a token

(also not completely true the secret has to be stored, it can be for example derived from some master key, but that doesn't necessarily change much)

@feld I can highly recommend using a second, offline password manager for 2FA backup codes (as an alternative to writing them down on a piece of paper) as well as using an app like AndOTP, which works wonderfully and provides secure backup functionality.

Some hints about that: shivering-isles.com/Why-I-use-

@sheogorath I just save the 2FA backup codes in the Notes field in my password manager

@feld So you save your password, your TOTP keys AND the backup codes in the same place? What if you ever lose access to your password manager? Start over your (online) life?

@sheogorath why would I lose access to my password manager? I have it backed up with the rest of my data in like 3 places, plus I always have a full offline copy of it on like 7 devices

@feld Murphy's law? :D I'm just asking questions. If you feel like it's all perfect, sure go ahead, no one will stop you. Just pointing at potential breaking points.

And one reason might be a format change, so make sure you also make a backup of your password safe software. Plus all depending libraries, plus a window system and maybe a kernel 😉

@sheogorath my password safe software is one Rust binary and one sqlite database file (bitwarden_rs)

@feld I can recommend this article: bxbrenden.github.io/ Just in case you are unaware of how rust binaries can still have native dependencies.

@sheogorath it's ok, it runs isolated in a FreeBSD jail so it won't be affected by unrelated updates. The libraries it depends on are always available on FreeBSD, even if I upgrade my OS. We have "compat" packages that install older versions of system libraries to guarantee that the software will keep running indefinitely. (you can still run FreeBSD 3.x binaries from the 90s on a modern version of FreeBSD without recompiling the software)

Here's the list of linked libraries:

./bitwarden_rs:
libssl.so.111 => /usr/lib/libssl.so.111 (0x800670000)
libcrypto.so.111 => /lib/libcrypto.so.111 (0x8020c5000)
libthr.so.3 => /lib/libthr.so.3 (0x800708000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x800735000)
libc.so.7 => /lib/libc.so.7 (0x80024e000)
libm.so.5 => /lib/libm.so.5 (0x80074f000)

@sheogorath nice, I'm on LastPass and considering other options, this is a great feature!

Sheogorath's Microblog