I'm going to keep using TOTP in Bitwarden and keep sleeping well at night. It would be great if I could use biometrics+YubiKey to unlock BW on my Android. However, this still does not implement 2FA when simply locking/unlocking the device, unless I am mistaken. If someone is targeting me in particular, my Bitwarden (even with TOTP keys included) is one of the stronger links in the chain. The '2FA when Unlocking' feature request implementation is great for when you are logging out of a device.

Granted, MFA will only help as long as Bitwarden doesn't get lastpassed. I also have MFA on Bitwarden itself that's entirely rooted in hardware: hardware TOTP token, a stack of YubiKeys, and (now) a passkey on my phone. And part of my threat model is "not interesting enough to be targeted" - I'm not interesting enough (in the public eye, in a position of power, etc.) that anyone's going to try to brute force my Bitwarden passphrase. I have a strong enough master password that hasn't really ever been used anywhere else.

TOTP is just a way to prove that you have a shared secret without transmitting that shared secret over the internet. Is it perfect? No, but ultimately until we see a substantial change in the way authentication on the internet is done (i.e. WebAuthn), we're all just dancing around "security by obscurity." I still think that while having 2FA separate from Bitwarden is in theory slightly better, in practice, the nuisance of digging my phone out and finding an MFA app and entering the code is enough to make me not just automatically turn on MFA for every site that supports it.