Up to yesterday, I used to run Aegis with my TOTP 2FA codes.
The big issue is that Aegis is local-only. My country is notorious for muggers, so if I crossed one, it’d be game over for all my online presence.
I had enabled backup to a local folder, but manually moving the backup files to my desktop and Proton Drive was a chore, especially since I add new codes constantly.
I switched to Ente Auth, which stores the codes in the cloud. The issue is, I need Bitwarden to know the email and password for this account… the same Bitwarden that requires the 2FA code…
Should I change my Ente password to something I can remember by myself (not rely on Bitwarden)? Or should I go back to Aegis and make some change to the backup solution? Please help.
This is what we recommend because, in addition to breaking the deadlock, it increases the surface area for attack. Both the Bitwarden and Ente accounts now have to be compromised to result in an account takeover (vs. just Bitwarden).
Alternatively, you could use either Ente or Aegis in offline mode.
You could also use syncthing to automatically sync your Aegis backup folder to another device. I’m pretty sure Aegis backups are encrypted though, so the deadlock issue remains, and your idea to use a memorable password here could still apply.
Use the same email for both, that’s one less thing to remember.
Ideally, two different passwords are the right approach. It helps to have it written down on a piece of paper, until it becomes muscle memory to type.
Practicing the scenario of losing your phone will also help you understand what to do in case it does happen; it’ll make clear what you need to do or remember in such circumstances.
Aside from everything else said here, keep a pair of USB hard drives with backups of both the codes and your Bitwarden database that you update every other month. You should of course encrypt said backup with any of the tools recommended here.
Why not use 2 2FA maybe? One using Authy for only Bitwarden and protect it with SMS codes. Another one using Ente Auth for other accounts and protect it with a strong password.
If you have Bitwarden Premium, you could use a physical security key as your second factor for Bitwarden and eliminate the risk, just make sure you set up 2 or more security keys if you go that route.
The easiest thing to do is to write down the email and passwords for both accounts. You should also write the BW 2FA recovery code down. You can still keep the email/password for Ente in BW.
If you ever get into a circular dependency issue, having all those things written down will break the dependency.
Some people recommended to write down the 2FA secret. However, my threat model does not accommodate having any kind of account details plaintext in a physical place.
The backup solution with Aegis and Syncthing worked well for me though.
It’s always helpful if you don’t just make general statements like that, but also write something about why that’s your opinion.
This sentence alone doesn’t help anyone.
Why should it be plaintext? Original plaintext can be altered with some reversible scheme that you keep in your head. It can have any level of sophistication, as long as you are able to remember it. Starting with simply reversing the characters or doing other permutations and ending with pretty much any algorithm. Sure, the algorithm in use should be easier to recall than some alternative ciphertext.