Yes, if your vault is hacked, your 2fa will become 1fa, but:
- 2fa is still good for stopping someone who steals your password but not your whole vault
- 2fa blocks people from guessing your password (through brute force etc)
The whole concept of YubiKeys bothers me. If it is lost, broken, or stolen, access to everything it protected is effectively gone. Same for SMS if you have an eSIM and your phone is lost or destroyed (as happened to me recently, and was a nightmare). TOTP synchronized to multiple devices seems to be the only way to have MFA while protecting oneself from getting locked out. I'm open to being convinced otherwise.
... The possession factor is the encrypted file that stores your secrets. It is in fact the same factor that Aegis uses, because it also uses an encrypted file to store your secrets. I'm not sure what you're expecting Aegis to do that is different from storing TOTP secrets in an encrypted file.
You missed the bit where I mentioned keeping my TOTP secret keys separate from my passwords by storing them in separate vaults, each of which is separately encrypted on-device with a different password. Cloud synchronization is optional.
The goal is to protect your data from brute force, not from yourself. It's perfectly reasonable to have 2FA in your password manager; saying it's 1FA is just FUD.
2FA traditionally means relying on one thing you know (i.e. a password) plus one thing you have, or one thing you are (biometrics).
Every single one of my passwords is unique, randomly generated, and at least 32 characters; none of them are getting brute-forced unless there is a sudden gigantic leap in quantum computing. And if that happens, the world has bigger problems than my passwords.
Having a separate identity factor, something that I own, is not to save me from myself. It's to save me if someone steals my phone or laptop and is able to get into it.
Now we all face different threat models and if your threat model doesn't call for having a totally separate identity factor, great! There's nothing wrong with that. But we don't all face your threat model, and some of us do indeed need a second identity factor that's not stored in the same place as the password.
bobbylarrybobby|1 year ago
So there is still quite a bit of benefit.
aryonoco|1 year ago
Nearly all of my 2FA are in Bitwarden, because it's just so damn convenient. But my Bitwarden itself uses YubiKey as 2FA.
Since I adopted this setup last year, it's been the best of both worlds for me.
rcMgD2BwE72F|1 year ago
I want to do the same but haven't switched yet.
- Is the YubiKey USB-C? Is the connector type an issue when plugging it into various computers?
- Where do you keep your YubiKey (plugged into your laptop, on a keychain, somewhere else)?
- How do you open your vault on mobile?
- Do you have a backup YubiKey somewhere in case you lost the main one?