| bccdee 9 days ago |
| FYI, you can put a 2FA secret into Bitwarden and autofill the one-time passwords alongside the regular password. That would mitigate the impact of losing your phone. |
| lhamil64 9 days ago | parent | next |
| I personally don't do this because I feel like it defeats the whole purpose of 2FA. If someone gets into your Bitwarden account, now they have your passwords and can generate 2FA codes. Of course, if the alternative is just not doing 2FA then it's better than nothing, but I'd still prefer an authenticator app or hardware key to putting them in Bitwarden. |
| bccdee 9 days ago | parent | next |
| That's why my Bitwarden account is protected with 2FA! If an adversary has gotten into my Bitwarden secrets, my second factor is already compromised. And if I lose my phone, I only need to do the recovery flow with the printed codes for one account, rather than for all of my accounts. |
| mvieira38 9 days ago | parent | prev |
| Getting into your Bitwarden account should be at least as hard as getting into your authenticator app or stealing your hardware key, though, if you're using it as intended, so I think it's OK for 2FA. |
| ihattendorf 9 days ago | parent |
| 2FA keys are easily stolen from a desktop with a password manager running in the background when running a malicious executable, vs. 2FA keys in a 2FA app on a phone and running a malicious app. |
| bccdee 7 days ago | parent |
| I don't know if this is true. A password manager should encrypt its data at rest, and exfiltrating a key from another process's memory space is non-trivial. At the very least, you'd need a privilege escalation trick. |
| britzkopf 9 days ago | parent | prev | next |
| Great, this is a universal solution. Let's all make it an integral part of our digital security, and in 5 years or so hope that Bitwarden doesn't leverage it! |
| ssk42 9 days ago | parent |
| The good news is that you can self-host Bitwarden pretty easily, and so it doesn't have to be a hassle/risk. |
| dare944 9 days ago | parent |
| Grandma is self-hosting what??? |
| nightski 9 days ago | parent | next |
| I am going to be honest, Grandma is already compromised. |
| jamespo 9 days ago | parent | prev |
| That's where you come in, sonny. |
| dsr_ 9 days ago | parent |
| This. Grandma, and Uncle Rob, and your cousins, and anyone else you have a long-standing relationship with, can use your VaultWarden instance if you let them. But! You now get to maintain uptime (Rob travels and is frequently awake at 3am your time) and make sure that the backups are working... and remember that their access to their bank accounts is now in your hands, so be responsible. Have a second site and teach your niece how to sysadmin. |
| jvanderbot 9 days ago | parent | prev |
| FYI you can go `oathtool --totp -b "that secret code"` and never need a third party vendor again. |