You absolutely should be using some sort of 2FA for every service that offers it. Even SMS (which has known deficiencies) is better than nothing. This especially includes Bitwarden itself. You don't mention what kind of 2FA you use there. As a premium subscriber you have the option of FIDO2/WebAuthn (the hardware token, like a Yubikey). This is arguably the best 2FA method you will find for most web services today.

TOTP, which is the type of 2FA that Bitwarden Authenticator and Authy provide, is a close second. However, BA is not suitable for use on Bitwarden itself, because it is effectively INSIDE your vault, so you cannot access it until your vault is already unlocked. Authy, meanwhile, is super duper secret closed source, so you can't be certain they aren't sending secrets to the Russian FSB. You cannot export its datastore, so you have no way to recover your secrets if Authy ceases operation. And it's a free service, so if the FSB stops paying off Twilio, Authy could go away at any moment. MS Authenticator is also closed source, and you cannot have it active on multiple devices at once. It also tugs you closer into the sphere of their data gathering, which has no benefit to you but perhaps some risk. If you choose to use TOTP to secure Bitwarden itself, you still need an external app. The best current recommendations are Aegis Authenticator for Android and Raivo OTP for iOS. These apps are open source, critically reviewed, and allow you to export their datastore. (Side note: you need to create backups, which is another reason why Authy is a dead failure.)

Which brings us back to the pros and cons of BA. It is marvelously convenient, integrating into your browser experience. Otoh, some reasonably argue you are better served by splitting your secrets across multiple systems of record. For instance, you can "pepper" your passwords, so that an additional secret must be added to each password to make it correct. Or you can keep some passwords in a different password manager. Or you can write some passwords on a piece of paper and bury them under a rock in the back yard. Or you can keep your TOTP keys in a separate app on a separate device locked in your safe. I mean, aside from making it harder to create good backups and the added inconvenience of generating TOTP tokens, it can't hurt. The bottom line to all this is, HOW MUCH does secret splitting reduce your risk? But, really, does this significantly reduce your risk? Many regard their password manager as a direct threat surface, and they feel better taking steps to limit the blast radius from a direct failure. Others reason that the password manager is not a primary vector for the compromise of their credentials, and that threat mitigation is better done elsewhere.

Bitwarden works great as a TOTP code app. It makes it super easy to use as it's all in one place: once you autofill the password you can do the same with the code. And some folks say anything that makes TOTP easier to adopt and use is a win. There is the argument that keeping passwords and TOTP secrets in the same place is sub-optimal. If someone steals and cracks your vault, they have both now. Some argue maybe a separate encrypted app is better, and some go so far as to say that you need a separate device, to defend against a single compromised device revealing everything. What you want to do is kinda up to your risk tolerance. Do you want the super convenience of everything in one place, or do you want the added security of separation? If you do keep TOTP with your passwords, just make very sure you use a strong password and have extra vigilance not to get phished on a fake Bitwarden site, since now Bitwarden literally has everything needed to log in to your sites. If you're looking for a separate good 2FA app, Raivo OTP on iOS or Aegis on Android is good. 2FAS also just open sourced and is very popular on both platforms. You can use Bitwarden by registering an account on. With Bitwarden, you can create lists of your logins, card information, identities, and secure notes for your own reference. It's also available as an iOS app, an Android app, and a browser extension for popular browsers such as Firefox or Chrome. Keeping your information safe in a secured app is better than relying on browsers like Chrome to save and remember your data for you.