11/25/2023 0 Comments Bitwarden authenticatorA unique encryption key safeguards and stores user information in the user’s private vault. Syncing, sharing and backup in cloud are all possible with this software. It uses two-factor authentication, AES encryption and zero knowledge architecture so as to store and manage website passwords, financial details and other secretive and sensitive documents. It is compatible with all the popular platforms and browsers, and offers the best security of any cloud-based password manager. With the threat model redefined to force the use of unique passwords, it makes it far more acceptable to store TOTP secrets in password managers.Keeper is a password management software which provides a strong guard on the safety and security of all your passwords in one single vault. I can’t imagine any regular user putting up with that, and the result is the help desk has to deal with many requests to remove devices when someone gets a new phone. I’m pretty security conscious and can put up with a lot of shenanigans to be more secure, but the insistence of TOTP apps to not allow backup or transfer of secret keys is just too much for me. This approach also reconciles the idea that a TOTP secret must be tied to a device, instead of a person. The brute force window is essentially closed at that point. Using this approach, you now have a probably weak password of a certain length, and then a guaranteed random password of 6 digits that expires every 30 seconds. That’s effectively how most sites are using it anyway. The biggest problem by far is that people still use the same password everywhere, and no amount of yelling at them for the past 20 years seems to be working, so the only solution is to declare passwords as mostly broken and force people to use TOTP. I think it’s useful to stop thinking about TOTPs as a multi-factor implementation, and think about it as a forced random password. But still, their security posture has improved a lot! ![]() Yes, they are still vulnerable to a scenario where their Password Manager account gets popped and the TOTP secrets are revealed. Now, looking back at the attack scenario I described above, their leaked password is not enough to log into other online accounts. > However, if they do add a 2nd factor of authentication, even if that’s a TOTP managed by the same Password Manager, they do end up in a much better place. Well, the only thing they’ve gained is a false sense of security. And now they use the Password Manager’s web browser extension to paste the same password into each login form. > Among the people I’ve “interrogated” about sufficiently securing their online accounts were few who proudly said they’ve adopted a Password Manager and… they’ve copied their favorite password that they’ve been reusing all over the place into the Password Manager. > TOTP in Bitwarden (or 1Password or KeePass) is an upgrade over SMS authentication in terms of both security and convenience. It can store up to 32 codes, which for 99% of people is more than enough for all of their critical accounts. Which dedicated device would I recommend for storing your TOTP codes? The same one I recommend for U2F, the Yubikey 5 series (specifically the Yubikey 5C NFC). ![]() But let me propose an alternative: do that just for your most critical accounts, but use your password manager's TOTP solution for everything else. Yes, you would be more secure if you used it consistently AND had 2+ dedicated devices for your TOTP codes (your main device and at least one backup). ![]() If you secure your devices with long alphanumeric passwords, secure your password manager with U2F / WebAuthn and an even longer alphanumeric pass phrase, and consistently enable TOTP 2FA, then you'll be more secure than the person who either uses it less consistently or who uses it on device Such a user may be less likely to use 2FA in a given app because it's less convenient. If the TOTP app has backups, then it's vulnerable.ĥ. They're likely logging into accounts on their phones and have the password manager and TOTP app on their phones as well.Ĥ. Their device may not be well secured, e.g., either not requiring auth to unlock it or only having a 4 digit PIN.ģ. Without a backup, they're suddenly unable to login to their accounts.Ģ. TOTP in Bitwarden (or 1Password or KeePass) is an upgrade over SMS authentication in terms of both security and convenience.įor most people, TOTP in a dedicated app is not actually much more secure:ġ. I keep seeing this take and it's not a great one.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |