Npm two factor authentication

Well, slightly, I agree with you. Which is why really critical stuff is kept in Keepass and not BW. But honestly, if my BW account were compromised, it would be a disaster anyway because, as an IT pro, I've hundreds of accounts in the store. That's why I DO have 2FA turned on for BW, though on my main devices it is behind the device's local login such as fingerprint/face on iOS/Windows. So that even if my device is lost or stolen, the BW account would not be immediately compromised.

Again it is a balance of risk vs accessibility.

Absolutely, even for someone like myself who is a LOT more aware of the risks than most people because I have to see what happens when accounts are compromised all the time.

So for me, splitting between two different apps is a good compromise. I don't need to log into my financial accounts every day and I keep those in Keepass. They typically have more complex logins anyway. And the ones I use most often have mobile apps that will suffice for simple things.

Most other things go into BW which itself is strongly protected anyway. But the convenience and speed of BW across multiple devices can't be beat.

:+1:

I've repeatedly looked at these. However, the main problem I have is if you lose or break the key. That could be disastrous. This is the same problem as traditional Authenticator apps: if you lose your phone and don't have a backup of your TOTP keys, or if you forget your phone, you are stuffed. I know, I've done that several times in the past and it is a right pain.

That's why Yubico strongly recommends to get at least two of their devices:

It's best practice to keep at least one spare YubiKey in case your primary is lost or stolen. Having a spare key gives us the assurance that we will not be without access to critical accounts when we need them most. No need to fear being locked out of any accounts, and no need to go through a lengthy recovery and identity verification process to recover them.

Source: yubico.com

While one could recover in a lengthy and most probably painful process, I'd like to definitely avoid this scenario. Fortunately, my use case involves two keys anyway. For my laptop at home and on the road.

But yes. This is indeed something that can get tricky. Especially if you travel a lot and do not have continuous access to your home device. Hm. You got me thinking.

But that just multiplies the problem and may leave you with an unexpected vulnerability since your home may not be the most secure of locations. And away from home you now have the same problem. If you attach the key to your normal keyring, maybe get it out on a table where you are working and then pack up in a hurry and leave them behind. Or they get dropped down a drain or run over by a car, ... If you are away for any period you are now without the ability to log in. Worse, they get stolen and now you can't even reset your passwords because your spare key is at home, which might be days away.

Physical keys aren't so bad when you have an enterprise support team who can sort out those issues at any time. If you are on your own, you don't have that.

Exactly this. I would need another layer of "emergency support" which I can hardly arrange for pure private fun. Who else understands the complexity of what I am doing here :smiley:

It helps that IT Security is part of my dayjob :grinning:


The Internet was never designed for security; its priority was reliable communication between endpoints. Security and authorization were to be handled by and at the endpoints, with the messages generally assumed to be encrypted/decrypted by the endpoints. Making a publicly accessible endpoint pretty much queers the whole deal.

As I said, I don't do anything "important" via a web login unless absolutely forced to do so, which unfortunately is becoming more common every year. For these I use very strong passwords and these sites are only ever accessed by a single computer. For user forums, shopping, etc. I use easy-for-me-to-remember passwords, as these might be accessed from anywhere and I have near zero loss potential here.

On-line websites are a security nightmare. I've not had a credit card need to be replaced because it expired since web buying became common -- the numbers "leak" out and I get a new card when fraudulent charges have been reversed.

Neither my wife nor I have a debit card or do on-line banking for the extra hassle of getting your money back in the event of fraud.

Not had that happen on our cards for years now. Quite a few years ago there was a spate of issues with Barclaycard, but their systems are amazing and we've had no issues now for years! (I actually got to visit their Security Ops Centre with them a couple of years back - pretty unbelievable what they do there.) I do always keep 2 credit cards though, one of which we use on the web and one we don't. Even back then, the first we knew of a problem was them ringing us within an hour of the transaction. Never any hassle (no Barclaycard, I wasn't in Vegas last night!)

I pretty much only use my debit card for getting cash these days, everything is done using the credit card and cash use is minimal these days.

The only time I ever had a problem with a debit card was when someone stole it and I didn't realise until the following evening, by which time someone had gone to a branch, taken out the full contents of my account, been offered an overdraft there-and-then and gone to another branch to take that out as well!

In that sense, web transactions - at least with reputable companies - are generally much safer than in-branch transactions!

Of course, one of the better aspects of living in the UK is the banking and finance protection. My money was quickly replaced.

Anyway, we've certainly drifted a long way off-topic. Suffice it to say that, despite being pretty close to a lot of the risks and issues, I happily use online banking and both debit and credit cards (it helps that I've also done work for some of these organisations). But I am cautious about having the credentials offline. The major UK banks' systems are second to none in the world.

There's no need to pay for BitWarden when you can set up VaultWarden for free on your own server.

For use away from home that would require setting up an internet accessible server, with all the security implications of that.

True, but it isn't as complicated as one may think. Besides, being able to access your home server remotely is, for many, the main purpose of having an in-house server at all.
Setting up access via a reverse proxy using Let's Encrypt free certificates is the way to go.

I know how to do it, but for most here it would be a minefield. It is too easy to get it wrong and leave oneself open to hacking.


That's just like saying one shouldn't drive a car because it's too easy to get killed!
Most people know that, and still they drive. After all, trial'n'error with a reverse proxy isn't going to kill you. And there are plenty of good How-To guides on the net.

No, it's like saying one shouldn't drive a car until one has the appropriate training.


The cost of a family subscription is really nothing - was it $30 pa? Can't remember, but I'm more than happy to spend that for the peace of mind for the whole family and ease of access. I run it on the desktop and browser and on both Android and iOS. The rest of the family run it in the browser and either on iOS or Android.

Anyway, if you have the time, skills, and a spare server, by all means do it yourself. Time, however, is the most valuable thing for me :slight_smile:


It isn't possible to learn anything without spending time. So sometimes, time can be well spent. :wink:
