I'm going to keep using TOTP in bitwarden and keep sleeping well at night. In this case, your ‘bitwarden account’ is the thing you have.

If someone is targeting me in particular, my bitwarden (even with TOTP keys included) is one of the stronger links in the chain. The password is the thing you know, and most often your device is the thing you have. Granted, MFA will only help as long as bitwarden doesn't get lastpassed. I also have MFA on bitwarden itself that's entirely rooted in hardware: hardware TOTP token, a stack of yubikeys, and (now) a passkey on my phone. And part of my threat model is "not interesting enough to be targeted" - I'm not interesting enough (in the public eye, in a position of power, etc.) that anyone's going to try to brute force my bitwarden passphrase. I have a strong enough master password that hasn't really ever been used anywhere else.

TOTP is just a way to prove that you have a shared secret without transmitting that shared secret over the internet. If the user above does not have a yubikey but instead uses a software TOTP app, then it is almost as easy to use the TOTP app for all TOTP codes instead of the built-in one in bitwarden.

If the worst happens and someone breaks my vault, they have my username, password and 2FA tokens, so they can log in with no challenge. But the key here is that Bitwarden itself is secured with 2FA. Is it perfect? No, but ultimately, until we see a substantial change in the way authentication on the internet is done (i.e. webauthn), we're all just dancing around "security by obscurity."

It seems to me that having the 2FA tokens saved in Bitwarden right next to the password and username kind of defeats the purpose of having 2FA in the first place.

I still think that while having 2FA separate from bitwarden is in theory slightly better, in practice, the nuisance of digging my phone out and finding an MFA app and entering the code is enough to make me not just automatically turn on MFA for every site that supports it.
