2FA best practices?

What is the current consensus on this?

I’m already an ente photos user so I was considering ente auth, but if I stored my bitwarden totp inside ente and locked ente with a hardware key, I’m not sure how that really differs from storing all my totps in bitwarden and just locking that with the hardware key instead.

I like the idea of cloud backups since you don’t have to worry about device loss or damage.
But you would want 2FA on your 2FA in such a scenario.

I can’t use the yubikey by itself as I have more than 32 codes.

What is everyone here doing?

I use KeePassXC and store my passwords and TOTP in there. I do also use a YubiKey 5 to lock down my KeePassXC database. So my TOTP and passwords inside are protected by the master password and a YubiKey. I only have the necessary accounts, so only one is secured by TOTP. The rest either don’t support 2FA, use SMS 2FA or they support hardware keys.

I guess the best practice would be to separate them, but I am not going to do that only for one TOTP code.

This is the digital privacy community… I’m not sure there has ever or will ever be consensus on anything :smiley:

What is everyone here doing?

My current approach is 3 layered:

  1. High Security

    • Method: Hardware Security Key (FIDO2/U2F)
    • For: Core accounts where security matters most (password manager, primary e-mail, a couple other things)
    • Backup Strategy: rotation of 3 hardware keys, one on me, one nearby, one not nearby.
    • Why: Highest level of security for my most important accounts (phishing resistant, malware resistant)
  2. Medium High Security:

    • Method: TOTP stored in Bitwarden (online), and a dedicated TOTP mobile app (offline)
    • For: All other accounts where 2fa is important. But where I want a compromise between high security and convenience.
    • Backup Strategy: TOTPs are backed up as part of Bitwarden encrypted vault backups (ideally should be backed up to 2 different places)
    • Why: If I had to use a hardware key (or even a TOTP mobile app) for all my 2fa, I would probably disable it on many of my accounts due to the added inconvenience. Storing my TOTPs in Bitwarden gives me almost the same level of practical protection as a dedicated app or even a hardware key, without the inconvenience. My reason for the redundancy of online and offline TOTP is simply the ‘belt and suspenders’ approach.
  3. Default (low-ish) Security:

    • Method: None. Either no 2fa, or whatever the default 2fa option is (e.g. e-mail)
    • For: Anything that doesn’t support stronger 2fa or isn’t important enough for me to care about 2fa.
    • Backup Strategy: None

Actually it seems like the latest version of the yubikeys supports 64 totp codes, so maybe I could just do that and keep paper backups of my backup codes…

One thing I’ve never been 100% clear on (mostly just because I never looked into it) is what practical advantages does using Yubikey + Yubikey Authenticator have over other 2fa options.

What leads you to prefer this over (1) Yubikey FIDO2/U2F, or (2) storing TOTP in the Bitwarden vault?

The only reason not to store them in bitwarden would be eggs and baskets.

However yubikeys introduce their own problems re: backups since you can’t export the codes.

Is storing them in bitwarden and locking that with the yubikey actually any worse than keeping the totp codes on the yubikey?

In either scenario an attacker needs your key. In the former they need your bitwarden password, and in the latter they need your yubikey pin.

So maybe there is no practical difference. Someone correct me here if I’m wrong.

Yubikeys are a separate physical device whereas the bitwarden codes are on your phone. The non-exportability of 2FA codes from a yubikey is therefore an important security measure to ensure they can’t be maliciously extracted from the yubikey.

But what attack are you actually protecting against vs. locking your bitwarden account with the yubikey?
Either way you need the yubikey to access the codes.

Bitwarden auth stores codes on your phone locally. It does not ask for the yubikey after your first login. If someone swiped your phone while it was unlocked, the attacker would only need the bitwarden password.

You need the Yubikey to download Bitwarden/Ente vaults to your local device, after that the protection of either depends on the device/app protection.

For convenience, people keep TOTP in BW because BW will fill the credentials in automatically/semi-automatically. But if the attacker has your device, can unlock your device, can unlock BW (most likely another PIN or an additional biometric authentication), then they can access the accounts that also have TOTP secrets. However, people who use hardware keys will also not store TOTP with their important accounts because they also use hardware 2FA for those.

For additional security (or because it’s free), people will keep TOTP secrets in a TOTP app such as Ente. In this case, people can achieve additional security by protecting access to Bitwarden and the 2FA app differently, such as 2 different PINs. They rely on the OS protections such that even if the phone is unlocked, the unencrypted Bitwarden/2FA app vaults cannot be extracted.

As far as I’m concerned, I’ve put all my TOTP accounts on Aegis (while waiting for Bitwarden Authenticator to mature) and Yubico Authenticator to access Bitwarden’s TOTP only, as this is my most important account to secure.

Since the latest firmware has 64 slots I will probably get a new yubikey. I’m just not sure how to backup the seeds/recovery codes. Either paper or a local keepass vault?

Very wise words.

Can you set up KeePassXC to use a hardware key as the only method to unlock your vault? Because I don’t think you can do that with Bitwarden and in this case I don’t see the point of using a hardware key…