2FA - avoid lockout / chicken-egg problem

I’m trying to plan for potential lockout situations between my password manager and 2FA app and was hoping to get some advice. Here’s my current setup:

Bitwarden

  • protected by master password to access any password
  • protected by 2FA code from Ente to log in to the vault on a new device. Once logged in, 2FA is not needed
  • periodically backed up to my NAS
  • stores all passwords for every online service I use
  • stores passwords for all services I self-host on my NAS

Ente Auth (iPhone)

  • 2FA codes for all online services
  • backups of recovery codes on my NAS
  • backups of all codes on my NAS

NAS

  • VPN access outside of network
  • can SSH in – SSH key backed up in Bitwarden
  • self-hosted File Browser, and can view files via web interface – password for this stored in Bitwarden
  • stores backups of Bitwarden passwords & 2FA codes (among other things)

Obviously, there’s a lot of inter-dependency here.

The most likely situation I can see happening is that I lose my iPhone (physically, or it dies on me). If this happens, I could be in a tough situation:

  1. If I’m already logged into Bitwarden on another device (i.e. laptop), I get the passwords for my NAS file browser and access the 2FA backup codes
  2. If I don’t have access to my laptop (i.e. I’m traveling) then I’m in a tough spot – I can’t access my NAS because the passwords are in Bitwarden. I can’t log in to Bitwarden on a random device because I need the 2FA code, and I lost my phone

I see a few solutions to this problem:

  1. Since Bitwarden is so important in my flow, I should add another 2FA method to Bitwarden (i.e. a YubiKey). This way, if I lose my phone or I’m traveling, I still have an alternative for accessing my Bitwarden, and therefore, getting to my server to get backup 2FA codes for other services
  2. The NAS is another choke-point. It may make sense to use a passphrase that I can remember to access it. This way I don’t have to rely on Bitwarden
  3. As a final resort, having emergency info written down somewhere in my home (i.e. a safe) would be useful – master password, Bitwarden recovery key, etc.

Any advice would be appreciated!
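The dependency chain in the post above can be checked mechanically. The following is an added example (not from the original poster): it models each asset as reachable if it is held directly or if all assets on any one of its access paths are reachable, then tests the "lost phone while traveling" scenario with and without the two proposed mitigations. The asset names are constructed labels for the setup described, not real credentials.

```python
from copy import deepcopy

# Access model: an asset is reachable if it is held directly or if ANY listed
# path is satisfied; a path is a set of assets that must ALL be reachable.
# Labels are constructed from the setup in the post, not real secrets.
PATHS = {
    "bitwarden_vault": [{"master_password", "ente_auth"},  # login on a new device
                        {"laptop"}],                        # already logged in there
    "ente_auth":       [{"iphone"}],
    "nas_files":       [{"bitwarden_vault"}],  # SSH key / File Browser password live in Bitwarden
    "passwords":       [{"bitwarden_vault"}, {"nas_files"}],  # NAS holds a Bitwarden backup
    "twofa_codes":     [{"ente_auth"}, {"nas_files"}],        # NAS holds 2FA + recovery codes
    "online_services": [{"passwords", "twofa_codes"}],
}

def reachable(paths, have):
    """Fixed-point closure: keep unlocking assets until nothing new opens."""
    reach = set(have)
    while True:
        new = {a for a, alts in paths.items()
               if a not in reach and any(p <= reach for p in alts)}
        if not new:
            return reach
        reach |= new

def locked_out(paths, have, goal="online_services"):
    return goal not in reachable(paths, have)

def single_points_of_failure(paths, have, goal="online_services"):
    """Assets whose loss alone, from the set currently held, causes lockout."""
    return {a for a in have if locked_out(paths, have - {a}, goal)}

def with_yubikey(paths):
    """Mitigation 1 from the post: a second 2FA factor on the Bitwarden login."""
    p = deepcopy(paths)
    p["bitwarden_vault"].append({"master_password", "yubikey"})
    return p

def with_nas_passphrase(paths):
    """Mitigation 2 from the post: a memorised passphrase that opens the NAS."""
    p = deepcopy(paths)
    p["nas_files"].append({"nas_passphrase"})
    return p

if __name__ == "__main__":
    travelling = {"master_password", "iphone"}
    print("SPOFs while travelling:", single_points_of_failure(PATHS, travelling))
    print("lost phone, travelling:", locked_out(PATHS, {"master_password"}))
    print("  + YubiKey:", locked_out(with_yubikey(PATHS), {"master_password", "yubikey"}))
    print("  + NAS passphrase:", locked_out(with_nas_passphrase(PATHS), {"master_password", "nas_passphrase"}))
```

Because the NAS backup is modelled as containing both the Bitwarden export and the 2FA codes, either mitigation alone restores access in the traveling scenario; dropping that assumption (e.g. an export that itself needs the missing 2FA) makes the model report a lockout again.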

I did this and it saved my life. I bought a biometric thumbprint YubiKey (if someone steals it I’m not concerned). I was using Raivo OTP when their bug wiped all of my 2FA, including Bitwarden. I would have locked myself out of everything if it weren’t for my backup key.

The key saving factor here is that backups should be independent of one another. Specifically, the failure points should be isolated from one another. For example, having 5 backups on a phone means you have a single point of failure (SPOF), which is the phone. Having all backups in the same location is also another SPOF. Deciding your acceptable level of risk for backups depends on your threat model.

It’s possible my YubiKey could have broken and then I wouldn’t have had a 3rd failsafe. Nowadays, I periodically export Bitwarden to Proton Drive encrypted, so worst case is I may have a slightly stale backup (better than being completely FUBAR’d).


Ah, I didn’t know there was a YubiKey that supported biometrics, good to know!

I will likely pick up a couple of these and have them as backup methods. I’ll also consider what you said about isolated failure points.

Your setup feels too complicated for me, but here’s what I do since you ask:

I have a very strong randomly generated password memorized. I use that password to open Ente Auth (with no 2FA), in which I store my Proton Pass 2FA with email ID, and my strong randomly generated Proton password in the notes section. This way, I really only have to remember my Ente Auth account username and password, while even my password manager’s credentials are safely stored.

This may not be the best way to do it, but I have it set up this way because of a redundancy: if I end up losing access to all my electronic devices, security keys, and everything else, I can always get a new computer and get access to all my accounts no matter what happens.

Another way I used to do it is this: I still store my Proton 2FA in Ente Auth, but I use the same strong randomly generated password that I have memorized for both Ente Auth and my Proton Pass. This would also give the same redundancy I value.

Also, I get to access Ente Auth on any computer and browser which is fantastic. You don’t even need a phone to get your 2FA info or any other account details you may have stored within it.

I consider this system foolproof for my threat model, and I’m sure this would apply to a lot of people’s threat models. It’s also a unique way of setting it up that I haven’t heard anyone suggest before, but this is what I came up with and it works well for me.


KeePass was my password manager, but I decided to give Proton Pass a try.

I continue to keep KeePass updated, so this is the ideal place for me to keep Proton’s login, including its 2FA.

Perhaps there is another password manager or 2fa app you can install on multiple devices?

YubiKey 5 Series for passkeys

& for backups:

https://x.com/securitybrahh/status/1714280665603363252