8cvor6j844qw_d6 2 hours ago

> Strong support for the strategy of not putting your TOTP/MFA in your password manager

Agreed, but I think using the same device to access your password manager and for dev is asking for trouble in the first place. Password managers assume a non-compromised device. I don't think there exists a password manager that is explicitly designed for a compromised/hostile device. A password manager + built-in TOTP on a dedicated device is fine for most general usage. Important TOTPs can go to Yubikeys.
14u2c 6 minutes ago | parent | next

> Agreed, but I think using the same device to access your password manager and for dev is asking for trouble in the first place.

That seems somewhat unrealistic? There are many passwords you need to use as part of dev work.
deepsun 16 minutes ago | parent | prev

But it's a hassle to have at least 2 Yubikeys in case you lose one. And since you regularly sign up for new websites with OTPs, gotta keep them in sync. So always carry both with you. And if you carry both, then it's easy to lose both at the same time.

UPDATE: also gotta keep track separately of non-resident passkeys tied to the Yubikey, because the Yubikey doesn't know where it was used for non-resident ones. If you lose one Yubikey, you need to sync all passkeys to a new replacement one.