Did Passbolt Forget about MFA?
Science and technology
Sponsored: Get 20% off Passbolt with code PRO-TECH-SHOW
Passbolt is an open source password manager, focused on strong security rather than raw features - something that should be in the forefront of our minds following the recent hacking of a popular alternative.
Until recently, Passbolt drew flak for not providing multi-factor authentication in their free tier; but all is not as it seems. Let's look more closely at Passbolt's security.
Video sponsored by Passbolt
🔑 www.passbolt.com/
Ranking different types of MFA
📽️ • MFA/2FA Showdown: Whic...
💬 Follow Me
/ andrewmrquinn
Video timestamps:
0:00 - Introduction & controversy
2:14 - Passbolt's website was wrong?
2:56 - How most password managers protect your data
3:47 - How Passbolt protects your data
7:59 - How secure is Passbolt's authentication?
13:14 - Should you use Passbolt's MFA feature?
14:27 - What's the trade-off?
16:53 - Reasons to upgrade
17:34 - Code audits
#PasswordManager #CyberSecurity #Passbolt #MFA
Comments: 14
One of the best explanations of Passbolt's security model! 👏
@ProTechShow
1 year ago
Thanks Remy
Fantastic video, thanks. That makes it so much clearer.
@ProTechShow
1 year ago
Thanks!
Interesting. In the future, when covering something like this that we would consider hosting, can you cover, just briefly, deployment options (do they maintain container images? RPMs? Debs?), resource use (just a rough approximation for the minimum expected), and technologies used (what's it built in? Which ecosystems do I need to be listening to for incoming vulnerabilities and the like?)
@ProTechShow
1 year ago
Good feedback, thanks. The short answer to most of those questions is "yes". There are install guides for various distros, Docker, source, etc. here: help.passbolt.com/hosting/install
14:17 is the YubiKey Bio FIDO2? I think it's just FIDO.
@ProTechShow
1 year ago
It's FIDO2: www.yubico.com/store/compare/
I really think Passbolt are aiming at business users, i.e. not community users.
@ProTechShow
1 year ago
I think the split between free and paid features is pretty logical. Some companies offer a "community" version that is basically just a nerfed trial; but Passbolt's community edition has everything that I'd expect to matter for an individual, and the paid features are all around managing multi-user access such as you'd have within a business. The commercial edition is clearly aimed at businesses rather than individual consumers, but for the kind of individual who would self-host their own server the community version is perfectly fine. I wouldn't recommend the community version for a business of any significant size, though. As indicated in the video I consider the activity logs in the commercial edition to be a pretty hard requirement for business use.
Passbolt is a phenomenal tool, and what an excellent review!
@ProTechShow
1 year ago
Thanks!
Hmm, so as an individual you have to save your PGP key somewhere in case you lose your computer, or you are screwed. I like how Passbolt implements things in general, but that PGP-saving thing might be problematic for the average user. Not only do they need to remember the master password but also keep the PGP key safe.
@ProTechShow
1 year ago
I talk about it near the end of the video - 15:25. The short version is that it's not really aimed at an average user. It's aimed at business scenarios where an IT team can assist people and use the escrow feature to recover their accounts, or technical users who can deploy their own server and use it for free. The licensing model almost enforces this as you either need to build a server or buy a chunk of business licences, so it would be difficult for an average individual to end up with it by themselves.