Password and Authenticator Strategy + Backups. Need advice.

My main goal is to set things up in a way that is recoverable in case something happens to my device. I also want to avoid a circular dependency, or the chicken-and-egg problem so to speak, as I will have 2FA placed on my password manager.

Passwords:
Set up two password managers: Proton Pass for services, and Bitwarden for emails.* Pass credentials will be stored in BW, and the BW password will be memorised. After setup, export unencrypted .json files and import them to KeePassXC, within an encrypted storage device, updated every few months. The password will remain the same as that of BW. Backup purposes only.**

2FA:
Set up Ente Auth, with webview enabled, on a separate device which doesn't have a password manager. The seeds (+ Ente plain-text export) will be backed up in a Standard Notes account, with no 2FA whatsoever. This is the second password that needs to be memorised; both Ente and SN will have the same password. The backup will be updated alongside BW.

Emergency Contact:
This is for last-resort purposes. To access the BW vault, another BW account will be set up and designated as a trusted emergency contact. Its every detail would be stored on paper, with a long wait time set up before it is able to access the vault.***

*The use of Proton Pass is for services, or day to day stuff I need to login. I need to use biometrics for convenience, and I can’t have my emails stored in this manner, thus the compartmentalisation. Feels redundant, but it’s for my peace of mind.

**To reduce friction, I’m also thinking of just straight up exporting encrypted backups of BW and Ente, and uploading them to both cloud and locally, but then I will be bound to the respective apps. Not sure.

***The Ente password still remains an issue. One mitigation is to include the salted Ente password in the vault and have the salt in the emergency contact vault. Also, the reason I didn't go the usual emergency paper route is that I just find it to be too insecure. Some may disagree, but it's beyond my comfort zone and threat model. There's also the issue of losing the emergency contact, for which I'm thinking of making two, giving access to separate family members. The account will be tested every few months to check that it works as an emergency contact.

I still don't have a solution for recovery codes. They bypass everything, so storing them in BW means I reduce the 2FA to 1FA, but idk. Perhaps I can salt them too, but then where do I store the salt?

The whole strategy is somewhat convoluted, I agree, but over the years I just couldn't subscribe to the norm. Maybe I'm being too paranoid, but I guess that's that. Any advice is appreciated, granted it doesn't attack the core structure. Thanks.
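One way to make the "salted value in one vault, salt in the other" idea from the post concrete, as an added example that is not part of the original post or any of the tools it names: a two-share XOR split of the recovery codes, where each share on its own is uniformly random bytes, so neither the main vault nor the emergency contact alone holds anything usable. A short integrity tag is added so that combining the wrong pair of shares is detected instead of silently yielding garbage; the sample codes are constructed.

```python
import hashlib
import secrets

TAG_LEN = 4  # bytes of SHA-256 prefix used as an integrity check on recovery


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """One-time-pad split: share_a is uniform random, share_b = secret XOR share_a.
    Either share alone is indistinguishable from random bytes."""
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the secret; both shares are required."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def split_recovery_codes(codes: list[str]) -> tuple[str, str]:
    """Pack the codes behind a short integrity tag, split, and hex-encode
    both shares so they can be pasted into two separate vault notes."""
    body = "\n".join(codes).encode()
    tag = hashlib.sha256(body).digest()[:TAG_LEN]
    share_a, share_b = split_secret(tag + body)
    return share_a.hex(), share_b.hex()


def recover_codes(share_a_hex: str, share_b_hex: str) -> list[str]:
    """Combine the shares and verify the tag, so a mismatched pair raises
    instead of returning plausible-looking garbage."""
    blob = combine_shares(bytes.fromhex(share_a_hex), bytes.fromhex(share_b_hex))
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if hashlib.sha256(body).digest()[:TAG_LEN] != tag:
        raise ValueError("shares do not belong together (integrity tag mismatch)")
    return body.decode().split("\n")


# Constructed sample codes for the demo; not real recovery codes.
SAMPLE_CODES = ["4k7p-q2m9", "x1zr-08bd", "n6ta-ee3c"]

if __name__ == "__main__":
    vault_share, contact_share = split_recovery_codes(SAMPLE_CODES)
    print("store in main vault:         ", vault_share)
    print("store with emergency contact:", contact_share)
    print("recovered:", recover_codes(vault_share, contact_share))
```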

Bitwarden + Ente. Great setup.

My easy and best setup suggestion here is to use your password manager and the 2FA auth feature within it. It's the simplest way to ensure you never lose access to things.

People will say there are pros and cons and that 2FA should always be compartmentalized elsewhere. There are pros and cons to everything so this logic doesn’t apply in full as I see it.

You just have to be absolutely sure to remember your username and password for your password manager and that you have a strong and unique password for it that you are not using anywhere else. Doing this should not require 2FA for your password manager as your password itself is highly secure. For all other account credentials stored within, you can of course set up 2FA.

My personal reason, which may also resonate with you, for why I do not suggest setting up 2FA for your password manager is the absolute worst of cases. Let's say you lose all your devices and backup info. How do you get into your password manager that will also help recover all your other accounts? If you keep setting up 2FA for everything, you'll also need one for your 2FA app like Ente. And round and round we go... like you yourself suggested.

So... that's my advice. Hope it makes sense. But calibrate this for your threat model and do what's best for you. Seems like you know enough about the pros and cons already.

This may or may not suit you…

One of my ideas for a singular master passphrase is, instead of pen and paper, to buy a fire/waterproof cryptocurrency seed phrase protector.

It's basically a closable compact steel wallet that comes with a bunch of letters you place in one by one according to the seed phrase, or in this case a passphrase. Just keep the leftover letters in case you ever change the master passphrase of whatever you are trying to protect.

For the longest time, I was doing just that until Bitwarden forced email 2FA on users, after which I'm reluctant to return to the same old strategy. At some point, you have to take the jump, but I understand what you mean.

Well, there is a reason why I have this view. And for me and that reason, my way works. But as long as you know what you’re doing, that’s all that matters.