
Passwordless Authentication – Access Your Bitwarden Web Vault Without a Password

240 points | jacooper | 3 years ago | bitwarden.com

136 comments

[+] denhaus|3 years ago|reply
Am I the only one who just cannot STAND MFA? Having to get a notification text etc. Like what if I don’t want to give an app capability to notify my phone? What if I want something totally NOT connected to my phone?

I just envision a future where there is some near-circular dependency of passwords/phrases/notifications/authenticators/keys/email verifications etc. across different devices and services - the end result is that it is an absolute PITA to log into anything or recover any account if anything is ever lost. Sort of an endless personal bureaucracy for authentication. It’s a future I am personally trying to avoid at all costs.

Yubikeys etc. seem like something I could potentially get behind, but it still doesn’t seem perfect per se… anyway, maybe I am just a geezer.

[+] mightybyte|3 years ago|reply
Passwords, credit card numbers, social security numbers, etc are old outdated technology that can't go away fast enough. They're unfixably insecure...identifying yourself to someone by giving your secret identifying information to them immediately allows them to impersonate you! We've had the technology to fix this problem for close to 50 years now: public-key cryptography. We can't get to a password-less world fast enough IMO.

I know a lot of HN doesn't have much use for blockchain, but if there's one thing that blockchain has done for the world it's been to substantially spur the use and development of public-key auth systems, especially on the UX front. This is because it had no choice. If you try to use an inherently broken password auth system for completely decentralized digital currency, it will immediately descend into unusable chaos because of the vulnerability. Traditional finance (credit cards), government identification systems (social security), etc have so much existing infrastructure that innovating in this area is hugely costly and slow, but it's absolutely the direction we need to go.

[+] Tidal5474|3 years ago|reply
MFA is not going away, but neither is it going to become what you are describing.

MFA using an SMS is not secure.

If people reliably made good passwords and never reused them, we probably wouldn't need MFA as much.

Unfortunately, we live in a society. Bitwarden will remember your TOTP codes for you across any device you log in from. It will even copy the code to your paste buffer during a login.

I enable MFA everywhere I can, even for stupid stuff. It's just not an inconvenience using Bitwarden.

[+] badrabbit|3 years ago|reply
That's why I like TOTP: you can use a phone (I have a dedicated disconnected phone for it) or an RPi, hardware dongle, etc., but it is phishable.
[+] syncerr|3 years ago|reply
Passwordless is going to be great. Though, this is just for unlocking your bitwarden account.

Real cross-device passwordless is likely coming in the next year or so. WebAuthn/Passkey is in its 3rd public working draft[1] and once finalized, we'll likely start to see it across sites. Most devices, browsers and managers have added or are adding support for it: Apple, Microsoft, Google, Auth0, Duo, 1Password, etc. If you haven't seen it, Auth0's demo is helpful[2].

[1] https://www.w3.org/TR/webauthn-3/#sctn-api

[2] https://webauthn.me/

[+] cmdli|3 years ago|reply
Passkeys are definitely the future, and I think will eventually eliminate a lot of phishing attempts and other insecurity caused by passwords. I'm hoping that we will eventually see transferable, secure identities that you can use to log in anywhere, rather than having to constantly create account credentials for everything.

As a side note, if you want to try out passkeys now and don't want to tie it to your device, I would like to plug my solution, Bulwark Passkey (https://bulwark.id). It's open source, allows you to export your credentials if you want, and supports all browsers since it emulates a virtual USB device.

[+] Narushia|3 years ago|reply
Sadly, the demo didn’t seem to work on my devices. Tried it on desktop Chrome and my Android phone (Galaxy S22); Chrome says that a "notification was sent" to the phone, but there’s nothing. Seems like it’s supposed to work wirelessly, but I didn’t have any success via a USB cable either. Android Chrome does react to it, and shows that it’s connected, but desktop Chrome’s dialog keeps just spinning until it times out.
[+] sakisv|3 years ago|reply
That's very nice, well done!

For a moment there I had hoped that maybe it would solve the problem in the opposite direction: I'm typing the master password so mechanically when I'm on my laptop that I really struggle to remember it when I have to type it on a screen - to the point that I must go sit at a computer, open a notepad, let muscle memory take over and then look at the screen to see what I typed /facepalm

Anyway, in all seriousness, while this is a scenario that happens very rarely, it still makes me wonder if it would be possible to do the passwordless login the other way, i.e. authenticate the phone using a trusted laptop (maybe a fingerprint-enabled one)?

[+] Fervicus|3 years ago|reply
Ha! I can definitely relate. Takes me 3-4 tries to get the password correct on mobile, and not so rarely I have to type it on the computer first.
[+] zem|3 years ago|reply
I use a regular English sentence as my master password; seems to strike the right balance between not brute-forceable and easy to remember. Am I missing some potential drawback to doing that?
[+] trog|3 years ago|reply
I just have the master password saved in my browser. I realise this is probably sub-optimal for a lot of people but for my workflow (i.e. the kinds of passwords I put in BitWarden) it works out OK.
[+] ghostly_s|3 years ago|reply
Waaay at the bottom:

    Note: Logging in with a device is currently only available on the Bitwarden cloud server (https://vault.bitwarden.com).
And even there, I followed all the directions and don't have the 'Log in with device' button. Waste of time.
[+] ianmcgowan|3 years ago|reply
I had this same experience. The fine print says you have to log in without passwordless at least once, and after that it starts working. It's a low-risk pilot of the feature I think, but will be more useful to me when it comes to the extension. It's strange that you have to sign in to the app at least once, seems to negate one of the common use cases.

The only hesitation for me is, as other folks mentioned, that never typing the master password again might make remembering the pass phrase challenging.

[+] paulryanrogers|3 years ago|reply
Maybe a progressive rollout. Perhaps the announcement is premature or lacks that detail, if accurate.
[+] sschueller|3 years ago|reply
I just looked at the requirements to host your own Bitwarden server. Why does a password manager need 2GB of ram (4GB recommended) and 25GB[1] of storage? That seems quite excessive, how much data and traffic does this thing need to handle for me plus family members?

[1] https://bitwarden.com/help/install-on-premise-linux/

[+] alyandon|3 years ago|reply
Check out Vaultwarden instead - https://github.com/dani-garcia/vaultwarden.

It is written in Rust and is much lighter on resource requirements.

  CONTAINER ID   NAME        CPU %     MEM USAGE / LIMIT     MEM %     NET I/O           BLOCK I/O         PIDS
  ecce485b8b3a   bitwarden   0.06%     46.58MiB / 1.937GiB   2.35%     1.63MB / 28.1MB   17.5MB / 81.9kB   11
[+] suumcuique|3 years ago|reply
It includes an MS SQL server among other things, so for serving single-digit users it's gonna be heavy. Check out Vaultwarden as an alternative for small-scale self-hosting.
[+] heresjohnny|3 years ago|reply
Honest question: do you believe that you’ll be able to guarantee the same/better uptime, performance, and security compared to the SaaS version? Hosting your own password manager seems like something you really shouldn’t do, just like hosting your own e-mail. This stuff is critical to your life.
[+] jve|3 years ago|reply
I'm hosting Bitwarden on RPI4B, but using bitwarden-rs lightweight server. Along with nextcloud, home assistant and photo gallery.

Well, yes, after adding photo gallery, I now want a faster device.

[+] Someone1234|3 years ago|reply
Because it uses Docker and that is what Docker requires.
[+] OJFord|3 years ago|reply
Unfortunately no plans to offer it for third-party stored credentials though - this is just for 'unlocking' Bitwarden itself.

'Passwordless' badly needs 'password manager' support, or other cross-platform implementation, IMO.

[+] cmdli|3 years ago|reply
If you are looking for something like a password manager but for passkeys, I would like to plug my own product Bulwark Passkey (https://bulwark.id). It allows you to sync accounts across devices and is entirely open source.

Overall, I think what passkeys need right now is more flexibility. Nobody is going to switch to passkeys if they are locked to their Apple account, for example.

[+] imwillofficial|3 years ago|reply
Bitwarden is such an amazing value. $10 a year, constant progress, secure, quality product
[+] deadbunny|3 years ago|reply
When my subscription renewed last month I did a double take when I saw it was only $10. Had completely forgotten how cheap it was. Hopefully the recent VC cash injection doesn't massively inflate that.
[+] presto8|3 years ago|reply
This is a really great user experience. One thing I wonder about is if people start logging in without their password all the time, will they slowly forget what their password is over time?

Partly to force memory reinforcement, I set the password cache time of gpg-agent on my machine to 24 hours maximum. Thus I have to enter my password once a day, which helps me to remember it; but it isn't overly burdensome.

Although maybe if one always has

[+] joombaga|3 years ago|reply
That's exactly what happened when I configured the LastPass browser extension to remember my password. I needed it to switch USB security keys and had no idea what it was. The saved password in my other browser's extension saved me.
[+] account-5|3 years ago|reply
How long before you need 3 devices to log into something?

Like the other commenter I don't want or need MFA. It's more complicated and a pain to use. Just seems like a convenient opportunity for online companies to gather more data points about you. Keepassxc with a key file is still going strong for me. You've no need for my phone number! And I don't want my device linked to any account.

[+] rwky|3 years ago|reply
Hopefully you can turn this off. I've seen cases where attackers enter an email address and just keep spamming the login form until the owner accepts the notification. Obviously 2fa would help here but not everyone uses that.
[+] U1F984|3 years ago|reply
The option is only available for known devices, which should make it more difficult to pull this off.
[+] haspok|3 years ago|reply
This option is turned off by default, as mentioned in the blogpost.
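As an added example (not code from this thread, from Bitwarden, or from any project mentioned here): a small detector run over constructed log lines in a hypothetical format, flagging accounts that receive a burst of login-approval requests from devices not marked as known. This is the notification-spamming pattern rwky describes above, and the known-device restriction U1F984 mentions is exactly the field the detector keys on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (not Bitwarden's real logs).
SAMPLE_LOG = """\
2022-12-06T10:00:01Z login_request account=alice@example.com device=dev-a1 known=true
2022-12-06T10:00:05Z login_request account=bob@example.com device=dev-zz known=false
2022-12-06T10:00:09Z login_request account=bob@example.com device=dev-zz known=false
2022-12-06T10:00:14Z login_request account=bob@example.com device=dev-zz known=false
2022-12-06T10:00:20Z login_request account=bob@example.com device=dev-zz known=false
2022-12-06T10:00:27Z login_request account=bob@example.com device=dev-zz known=false
2022-12-06T10:00:31Z login_request account=bob@example.com device=dev-zz known=false
2022-12-06T10:05:00Z login_request account=carol@example.com device=dev-c7 known=true
2022-12-06T10:20:00Z login_request account=bob@example.com device=dev-zz known=false
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) login_request account=(?P<account>\S+) device=(?P<device>\S+) known=(?P<known>true|false)$")


def parse_events(log):
    """Parse log text into (timestamp, account, device, is_known_device) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not login requests
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["account"], m["device"], m["known"] == "true"))
    return events


def flag_request_floods(events, threshold=5, window=timedelta(minutes=10)):
    """Return {account: peak_count} for accounts whose login requests from
    devices NOT marked as known reach `threshold` within any sliding `window`."""
    stamps_by_account = defaultdict(list)
    for ts, account, _device, known in events:
        if not known:  # requests from known devices are the legitimate path
            stamps_by_account[account].append(ts)
    flagged = {}
    for account, stamps in stamps_by_account.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # slide the window forward past stale requests
            count = end - start + 1
            if count >= threshold:
                flagged[account] = max(flagged.get(account, 0), count)
    return flagged
```

Calling `flag_request_floods(parse_events(SAMPLE_LOG))` reports only the account hammered from an unknown device; the single stray request twenty minutes later falls outside the window and does not add to the count.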
[+] aborsy|3 years ago|reply
Hardware keys are better. Phone’s operating system is a huge code base. Also, iPhone’s operating system is a closed source proprietary black box.
[+] piskerpan|3 years ago|reply
How do you link your hardware key to the website? You still have to plug it into a proprietary black box.

If you think your computer security is weak, it will continue to be the weak link even with a hardware key.

[+] dengolius|3 years ago|reply
Bitwarden can't import my ssh keys from lastpass export <facepalm>

it says: [1198] [SecureNote] "username id rsa ssh": The field Notes exceeds the maximum encrypted value length of 10000 characters. But this id_rsa has only 1415 symbols

1password has imported csv as well without any issue or alert.

So login from device is not a big deal.

[+] SuperSandro2000|3 years ago|reply
But to secure my hardware security key I need a PIN too, otherwise anyone can just borrow it. Also I still need a backup in case I actually lose it somewhere. And when I get recommended to reinstall my browser to fix a problem and I accidentally delete my profile, I might lose access to accounts.
[+] longcat|3 years ago|reply
PassKey is great but may also cause vendor lock-in, looking at Google and Apple in particular.

Does anyone have any insights into how enterprises will be managing passkeys for corporate accounts, with the potential of creds being leaked to potentially compromised devices?

[+] stavros|3 years ago|reply
Hopefully, $20 USB keys.
[+] oddeyed|3 years ago|reply
I had no idea this was a new feature but used this today. It was extremely convenient!
[+] yasp|3 years ago|reply
How does Bitwarden protect against a malicious mobile app update?
[+] palata|3 years ago|reply
How do you mean that?
[+] haspok|3 years ago|reply
Does this also work with the Firefox plugin? Can't wait to get home and find out...
[+] Always42|3 years ago|reply
yes, then I can help my family reset 1 less password...
[+] teruakohatu|3 years ago|reply
Is 2FA still hidden behind the paywall? While Bitwarden does this they are doing a major disservice to the average (unpaid) user.

Edit: thanks, sounds like 2fa is now free.

[+] y0ssr3n|3 years ago|reply
The free plan supports the following types of 2FA: "Email, Authentication App"

Upgrading to the Premium Account ($10/yr) gets you additional options: "YubiKey, FIDO2, Duo, Email, Authentication app"

Source: https://bitwarden.com/pricing/

[+] castrodd|3 years ago|reply
Isn’t it like $10 per year for a premium account?
[+] llampx|3 years ago|reply
I use 2FA with a free account.