cdmckay (29 minutes ago):
You can make it so you need a YubiKey to log in to 1Password the first time on a new device, so just waiting for the password won't be enough.

  auxinl (19 minutes ago), replying to cdmckay:
  The hackers will literally have access to _your_ device though. If your device is already trusted, I doubt that setting will do you any good.
|
|
8cvor6j844qw_d6 (2 hours ago):
> Strong support for the strategy of not putting your TOTP/MFA in your password manager

Agreed, but I think using the same device to access your password manager and for dev is asking for trouble in the first place. Password managers assume a non-compromised device. I don't think there exists a password manager that is explicitly designed for a compromised/hostile device. A password manager + built-in TOTP on a dedicated device is fine for most general usage. Important TOTPs can go to Yubikeys.
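To make the point in the quoted line concrete: a TOTP "second factor" is just a static seed plus the current time, so a vault record that stores the seed next to the password hands both factors to whoever obtains the record. The following is an added example, not code from the thread or from any product mentioned in it; it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, checks itself against the RFC 6238 SHA-1 test vector, and compares two constructed vault records (the site name, password and seed are made up for illustration).

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the variant most authenticator apps use."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP evaluated over the 30-second time counter."""
    return hotp(secret, unix_time // step, digits)


# RFC 6238 test secret (ASCII "12345678901234567890") and its base32 form, the
# string an authenticator app would receive when you enrol.
RFC_TEST_SECRET = b"12345678901234567890"
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed vault records (not real credentials). The first keeps the TOTP seed
# beside the password, as "TOTP in the password manager" does; the second does not.
VAULT_WITH_SEED = {
    "site": "example.test",
    "password": "correct-horse",
    "totp_seed": RFC_TEST_SECRET_B32,
}
VAULT_WITHOUT_SEED = {"site": "example.test", "password": "correct-horse"}


def factors_available(record: dict, unix_time: int):
    """What the holder of this one vault record can present at login time.

    Returns (password, current_totp_code) when the seed is in the record, and
    (password, None) when the second factor lives somewhere else.
    """
    seed = record.get("totp_seed")
    if seed is None:
        return record["password"], None
    secret = base64.b32decode(seed, casefold=True)
    return record["password"], totp(secret, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    for name, record in (("seed in vault", VAULT_WITH_SEED),
                         ("seed elsewhere", VAULT_WITHOUT_SEED)):
        print(name, "->", factors_available(record, now))
```

Running it shows the first record yields a valid code for any time you ask about, while the second yields only the password, which is exactly the separation the comment argues for. The seed is still a single secret wherever it is kept; moving it to a separate device (or a hardware key) only helps if that device is not the one already compromised.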
  deepsun (34 minutes ago), replying to 8cvor6j844qw_d6:
  But it's a hassle to have at least 2 Yubikeys in case you lose one. And since you regularly sign up for new websites with OTPs, gotta keep them in sync. So always carry both with you. And if you carry both, then it's easy to lose both at the same time.
  UPDATE: also gotta keep track separately of non-resident passkeys tied to Yubikey, because Yubikey doesn't know where it was used for non-resident. If you lose one Yubikey, need to sync all passkeys to a new replacement one.

  14u2c (24 minutes ago), replying to 8cvor6j844qw_d6:
  > Agreed, but I think using the same device to access your password manager and for dev is asking for trouble in the first place.

  That seems somewhat unrealistic? There are many passwords you need to use as part of dev work.
|
|
Terr_ (3 hours ago):
> putting your TOTP/MFA in your password manager

I suppose the inverse would be starting with a device that offers TOTP/MFA, and then making your password-manager/vault somehow available on that same device. In either case, bringing them together makes it easier for an attacker to compromise both at the same time.

On reflection, I've never actually put my (personal) password vault on my phone, but that may be less of a conscious security stance than fulfilling a millennial stereotype, where certain tasks (like big purchases) are reserved for "a real computer." Closest I've gotten is having my USB backup keychain in the same pocket, so I could get to it in an emergency, but it's inconveniently air-gapped.

  rectang (3 hours ago), replying to Terr_:
  As much as I like the Apple Passwords app, one of its downsides is that if I have my TOTP app on my iPhone, both passwords and TOTP live on the same device. So for many services I use Bitwarden for passwords.
|
|
rolph (2 hours ago):
I would also offer: do not use the same device for everything; make sure any local connectivity has firewalled [dot]finances and [dot]tech lab from each other and from everything else. You should probably split your network to further isolate. Use intentional spelling mistakes in your password vault, and edit the password by hand. You also need to have some way of authenticating login components to be sure you're running your version of login, and not a trojan login.
|
toomuchtodo (3 hours ago):
Or using a hardware authenticator.
|
uncivilized (an hour ago):
Story states he wasn't using 2FA for his 1Password account at all.