Is Bitwarden's 2FA Code a Security Risk?

Science & Technology

Bitwarden and many other password managers allow you to save second-factor TOTP codes alongside your passwords. Whilst convenient, is this a security risk that puts all of your eggs in one basket and defeats the purpose of having multi-factor authentication in the first place? Should you use this feature at all, or store your TOTP codes somewhere else?
💬 Follow Me
/ andrewmrquinn
Video timestamps:
0:00 - Introduction
0:51 - Defining Multi-Factor Authentication
2:49 - The Airport Analogy
3:32 - How This Works on the Internet
5:14 - Do We Still Need Multi-Factor Authentication?
6:26 - Should You Use Bitwarden's TOTP Feature?
#MFA #Bitwarden #TOTP #PasswordManager #MultiFactorAuthentication #2FA #TwoStepVerification #CyberSecurity

Comments: 41

  • @notreallyme425 · 7 months ago

    Bitwarden also allows the option to auto copy the OTP code so you just have to paste it into the OTP field. Again, security trade offs. But let’s be honest, getting my family to voluntarily use MFA is pretty much impossible. It took years to get them to use a password manager. When I showed them all they had to do was paste the OTP code they thought that was cool. This is far better than them not using MFA at all.

  • @ProTechShow · 7 months ago

    The fact you've managed to get your family to use a password manager at all is impressive. I'm still fighting that battle.

  • @notreallyme425 · 7 months ago

    @ProTechShow It was until my daughter got her Instagram account hacked. No better way to get a young lady's attention about passwords! 🤣 Still, after getting her and everybody else on Bitwarden I had to turn on all the "easy" settings that many would say lessen the security. But it's still WAY better than reusing easy-to-guess passwords on all their accounts. Now that they've been using it for a couple of years, they'll all tell you it's easier because FaceID enters passwords for them and being able to copy/paste OTP codes makes it simple.

  • @dav1dw · 4 months ago

    Your point is very good and first time hearing of this logic. I tend to agree and having the 2FA in bitwarden makes it that much easier to use TOTP. If that is the line to have someone start using TOTP or not, it's well worth storing it in bitwarden.

  • @captain150 · 2 months ago

    I agree. There are three main scenarios most average people are in: 1. using no pw manager and crappy short, reused and leaked passwords with MFA on their phone. 2. Using a pw manager with long, random, unique passwords per site and MFA on their phone. 3. Same as 2 but the MFA is also in their pw manager. The security gulf between 1 and 2 is vast compared to 2 and 3. Most passwords are leaked by sites losing their database (and the password either being short and easily brute forced, or stored by the site in plain text). All 3 of the scenarios save you from that situation, but scenario 3 in my opinion has the best convenience/security ratio.

  • @Ck87JF · 1 month ago

    I appreciate you explaining the passport metaphor and also walking through the "eggs in one basket" scenarios toward the end. Both elements had me hesitant to put tokens into Bitwarden, but you make great points that unless your cousin from abroad is holding your MFA, there's going to be eggs in one basket in almost any scenario. And then it's gonna be fun getting your cousin to give up a code when they're busy or asleep... 😅 I'm already using Bitwarden to store tokens for shared accounts as well as accounts I don't super care about, but I'll have to consider whether I want to migrate everything to it, especially since I'm not totally happy with my current MFA app.

  • @fedefede843 · 7 months ago

    Oh very nice. It is a fresh take on this matter. Well done. Thanks!

  • @ProTechShow · 7 months ago

    Thank you!

  • @dansanger5340 · 4 months ago

    After the LastPass fiasco, I refuse to put all my eggs in one password manager basket.

  • @PAWKID4LYFE · 3 months ago

    Exactly. I use Horcrux, double blind passwords for this reason.

  • @Ck87JF · 1 month ago

    LastPass's problem was that they weren't encrypting every bit of user-created data, so databases had stuff stored in clear text. Also, I'm not sure where LP falls on this scale, but Bitwarden uses end-to-end encryption, meaning that they cannot see any data you've created, including metadata. That said, it's certainly a reasonable idea to have two separate apps to manage the two keys to your sites.

  • @dansanger5340 · 1 month ago

    @Ck87JF Not encrypting everything in the vault was one LastPass failure. The other more serious failure was that they left some early customers with inadequate encryption strength, making their vaults vulnerable to brute force attack.
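    The comment above turns on key-derivation strength: a stolen, fully encrypted vault is only as safe as the cost of guessing the master password through the KDF. The following is an added example by the editor, not code from the video, from any commenter, or from Bitwarden or LastPass. It simulates an offline dictionary attack on a vault whose key comes from PBKDF2-HMAC-SHA256, once at a low and once at a higher iteration count. The e-mail-as-salt choice, the iteration counts, the wordlist and the "key check value" tag are illustrative assumptions; no vendor's actual parameters are claimed.

```python
import hashlib
import hmac

# Constructed example data; the iteration counts are illustrative, not any vendor's settings.
WEAK_ITERATIONS = 5_000
STRONG_ITERATIONS = 100_000
EMAIL = "alice@example.com"
MASTER_PASSWORD = "correct horse battery"
# Constructed wordlist; the real password sits last so the attacker pays for every miss.
WORDLIST = ["password", "letmein", "bitwarden1", "Summer2023!", "correct horse battery"]


def derive_master_key(password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password with PBKDF2-HMAC-SHA256, salted with the lower-cased e-mail.
    The salt is effectively public; only the iteration count and the password's entropy cost
    the attacker anything (assumption: e-mail salt, 32-byte key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(),
                               iterations, dklen=32)


def key_check_value(master_key: bytes) -> bytes:
    """A tag stored next to the vault so a client can tell a right key from a wrong one.
    For the attacker, any key-derived artefact (an auth hash, an AES-GCM tag on the first
    vault record) serves the same purpose: it is the oracle that confirms a guess."""
    return hmac.new(master_key, b"vault-key-check", hashlib.sha256).digest()


def offline_attack(wordlist, email: str, iterations: int, target_kcv: bytes):
    """Dictionary attack on a stolen vault: one full PBKDF2 run per candidate.
    Returns (recovered password or None, total PBKDF2 iterations spent)."""
    spent = 0
    for candidate in wordlist:
        spent += iterations
        key = derive_master_key(candidate, email, iterations)
        if hmac.compare_digest(key_check_value(key), target_kcv):
            return candidate, spent
    return None, spent


def attacker_cost_ratio(password: str = MASTER_PASSWORD, email: str = EMAIL,
                        wordlist=WORDLIST, weak: int = WEAK_ITERATIONS,
                        strong: int = STRONG_ITERATIONS) -> float:
    """Run the same attack against a weakly and a strongly stretched vault and report how
    many times more KDF work the stronger one cost. Both fall to the same wordlist: iteration
    count buys time, not immunity; only password entropy does the latter."""
    weak_kcv = key_check_value(derive_master_key(password, email, weak))
    strong_kcv = key_check_value(derive_master_key(password, email, strong))
    found_weak, cost_weak = offline_attack(wordlist, email, weak, weak_kcv)
    found_strong, cost_strong = offline_attack(wordlist, email, strong, strong_kcv)
    if found_weak != password or found_strong != password:
        raise RuntimeError("constructed wordlist should recover the constructed password")
    return cost_strong / cost_weak


if __name__ == "__main__":
    print(f"strong vault costs the attacker {attacker_cost_ratio():.0f}x the weak one "
          f"for the same {len(WORDLIST)}-word dictionary")
```

    The ratio is simply strong/weak because every wrong guess costs a full PBKDF2 run and the salt offers no shortcut; that linear scaling is the whole reason a low legacy iteration count matters once the ciphertext has leaked.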

  • @rahilarious · 7 months ago

    Haha, very good rationale. Never thought of it in this way.

  • @ProTechShow · 7 months ago

    Thanks. The airport analogy helps me visualise it. Hopefully it makes sense to others as well!

  • @PiscesDangYeu · 7 months ago

    I've thought a lot about this feature but it's really very convenient. I use Google Authenticator and Bitwarden in parallel, so the risk is of course

  • @ProTechShow · 7 months ago

    Yes, there's an extra layer to it when you think of that... passport for a passport...

  • @mr.boniato6402 · 6 months ago

    You will cry when you have to switch phones using Google Authenticator. I lost all my codes because Google Auth doesn't restore the codes when restoring. Unless they've added the feature since. This is why I stopped using Google's. Once you get a new phone and you do a restore, it will ONLY restore the app, but not the codes... be very careful.

  • @dav1dw · 4 months ago

    @mr.boniato6402 Google Authenticator now allows you to store your secrets in the cloud, but you have to enable it. But, I just switched to 2FA and it's so much better. The great feature is on your phone, you have the option to lock it with biometric or PIN. So that's another layer of security.

  • @mattpetty6453 · 4 months ago

    @mr.boniato6402 Google Auth now syncs your codes to your Google account.

  • @dzltron · 4 months ago

    @mr.boniato6402 Aegis is awesome and open source. Available on the F-Droid store also.

  • @wattsvilleblues · 22 days ago

    Hello from Belfast!

  • @ProTechShow · 17 days ago

    Hello from not Belfast, although I was there a few weeks ago!

  • @IssacBerry-nd8pt · 6 days ago

    Use BW on PC, and use Aegis on Android phone. This is more safe, by feeling.

  • @Jamesaepp · 7 months ago

    I'll be honest - I never liked the concept of factors. If you take a TOTP secret and memorize it, is it still a possession factor? Why is it that because you record it in a computer it suddenly becomes a possession factor? If you recorded the same secret in a notebook you carry with you, is it still a possession factor or simply an extension of your mind?

  • @ProTechShow · 7 months ago

    Yeah, they rely on you using them as intended. If you write down the TOTP secret or print a certificate's private key on a t-shirt you've defeated the point of it. At the end of the day they all end up as ones and zeros somewhere along the way so you could always misuse it, although you'd only be harming your own security.

  • @dav1dw · 4 months ago

    I think the reason for TOTP is so you add typing in numbers (a hash of the secret) that change every 30 seconds, so if someone intercepts it, the secret is still safe.

  • @Ck87JF · 1 month ago

    I think if you printed the QR code / TOTP secret text and put it into a safe or lockbox, then that would be irrelevant in terms of factors - the copy on your phone would be a possession factor. But even if you somehow memorize the secret, you'll still have to type it into an app that is capable of giving you the code, right? So that would still be possession. No one would expect someone else to have memorized the secret, so even if you're tied up and being threatened with a wrench (xkcd readers know), you're more likely to have someone demand that you unlock your phone to get the details rather than demand the info.

  • @Ck87JF · 1 month ago

    @dav1dw That is indeed the reason, but the OP is suggesting that an attacker who is able to convince them to give up their password AND the secret behind their TOTP token will be able to get into the account.

  • @Jamesaepp · 1 month ago

    @Ck87JF The extra analogy you give (if I'm interpreting it right) of having multiple copies of the same secret only reinforces my disdain for all the "factor" language. Because as you rightly point out, a TOTP secret in your head can be a knowledge factor but the same TOTP secret in your phone is a possession factor. Security is about the weakest link, and I'd argue (for xkcd reasons) the knowledge factor is the weakest of all. Regarding the algorithm part of the equation, sure you must combine the secret with the functions to output the OTP. But that's not much different from locally combining a passphrase with some salt, hashing it, and then completing the "proof of knowledge" without handing over the knowledge factor itself. Or any other similar challenge-response protocol for that matter. Back to my thesis point: the "factors" suck because in the universe in which we live, *everything* can be considered information.

  • @trza100 · 7 months ago

    Always a balancing act 😂

  • @ProTechShow · 7 months ago

    Always!
