You absolutely should be using some sort of 2FA for every service that offers it. Even SMS (which has known deficiencies) is better than nothing. This especially includes Bitwarden itself. You don't mention what kind of 2FA you use there. As a premium subscriber you have the option of FIDO2/WebAuthn (the hardware token, like a Yubikey). This is arguably the best 2FA method you will find for most web services today. TOTP, which is the type of 2FA that Bitwarden Authenticator and Authy provide, is a close second. However, BA is not suitable for use on Bitwarden itself, because it is effectively INSIDE your vault, so you cannot access it until your vault is already unlocked.

It is super duper secret closed source, so you can't be certain they aren't sending secrets to the Russian FSB. You cannot export its datastore so you have no way to recover your secrets if Authy ceases operation. And it's a free service, so if the FSB stops paying off Twilio, Authy could go away at any moment. MS Authenticator is also closed source, and you cannot have it active on multiple devices at once. It also tugs you closer into the sphere of their data gathering, which has no benefit to you but perhaps some risk.

If you choose to use TOTP to secure Bitwarden itself, you still need an external app. The best current recommendations are Aegis Authenticator for Android and Raivo OTP for iOS. These apps are open source, critically reviewed, and allow you to export their datastore. (Side note: you need to create backups, which is another reason why Authy is a dead failure.)

Which brings us back to the pros and cons of BA. It is marvelously convenient, integrating into your browser experience. Otoh some reasonably argue you are better served by splitting your secrets across multiple systems of record. For instance, you can "pepper" your passwords, so that an additional secret must be added to each password to make it correct. Or you can keep some passwords in a different password manager. Or you can write some passwords on a piece of paper and bury them under a rock in the back yard. Or you can keep your TOTP keys in a separate app on a separate device locked in your safe. I mean, aside from making it harder to create good backups and the added inconveniences of generating TOTP tokens, it can't hurt. The bottom line to all this is, HOW MUCH does secret splitting reduce your risk? Many regard their password manager as a direct threat surface, and they feel better taking steps to limit the blast radius from a direct failure. But, really, does this significantly reduce your risk?