I self host Bitwarden (Vaultwarden) so I just use the built-in TOTP authenticator in the Bitwarden app. It’s nice to have it all in one place + having auto copy and paste when I log in. And because I self host, it’s all backed up securely and with (as far as I know) no real backdoors.
ETA: just realized what community this is in.
people that replied to me I’m sorry lmao, I’m not a nut about this kinda stuff and I’m by no means recommending this just like using it this way for convenience factor and to keep the likes of google out of my password.
I do the same thing. And Bitwarden’s 2FA is off my phone. In a complicated world, it’s reasonable to keep 1 password + 2FA as secure as possible. I simply can’t handle the hassle of pulling out my phone for every 2FA login, but still value the protection 2FA + randomly generated passwords provide.
No, please do not do this. Two factor authentication should be just that: two separate factors of authenticating yourself. Having them combined in one is the same as one factor.
Said in the reply to the other comment here, but I don’t really self host for security/privacy sake. And in addition to that comment I’d also like to say that I do use a YubiKey when possible for MFA. I’m not a security nut enough to care about TOTP (which kinda sucks anyway) all too much but for important things I do use physical MFA.
U2F on Bitwarden, in principle, doesn’t guard against attackers breaching into your accounts, as the Yubikey serves as a second factor during the authentication stage when the Bitwarden app retrieves the encrypted vault. Unless you combine a static secret from the Yubikey into the master password of the vault, an attacker could, in theory, steal your encrypted vault from the central Bit/Vaultwarden server or any device that’s already downloaded it (note that if this device is your phone, all conventional TOTP is thwarted anyways, so in general phones are the most lucrative target here.) From there, the strength of your master password becomes the only thing separating an attacker from access to all of your online accounts.
I’m not saying that it’s a bad practice and you absolutely shouldn’t do it — I do it myself, as I trust the security of Bitwarden’s servers and my devices in keeping my vault safe. The salient point here is the burden lies on online services upgrading their outdated security options to support U2F, not on us settling with an objectively inferior 2FA option because these services are too lazy and slow.
Fair, although I’ve said in a comment on this account somewhere else, I self host more for convenience sake than anything. I just like having my own password manager, sure it’s not as secure to use it for MFA but it’s better than giving my passwords to Google, LastPass, etc. and then using eg Google Authenticator. Self hosting is more a corporate distrust thing than a privacy thing for me
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !privacyguides@lemmy.one
In the digital age, protecting your personal information might seem like an impossible task. We’re here to help.
This is a community for sharing news about privacy, posting information about cool privacy tools and services, and getting advice about your privacy journey.
You can subscribe to this community from any Kbin or Lemmy instance:
Check out our website at privacyguides.org before asking your questions here. We’ve tried answering the common questions and recommendations there!
Want to get involved? The website is open-source on GitHub, and your help would be appreciated!
This community is the “official” Privacy Guides community on Lemmy, which can be verified here. Other “Privacy Guides” communities on other Lemmy servers are not moderated by this team or associated with the website.
Moderation Rules:
We prefer posting about open-source software whenever possible.
No soliciting engagement: Don’t ask for upvotes, follows, etc.
Surveys, Fundraising, and Petitions must be pre-approved by the mod team.
Be civil, no violence, hate speech. Assume people here are posting in good faith.
Don’t repost topics which have already been covered here.
News posts must be related to privacy and security, and your post title must match the article headline exactly. Do not editorialize titles, you can post your opinions in the post body or a comment.
Memes/images/video posts that could be summarized as text explanations should not be posted. Infographics and conference talks from reputable sources are acceptable.
No help vampires: This is not a tech support subreddit, don’t abuse our community’s willingness to help. Questions related to privacy, security or privacy/security related software and their configurations are acceptable.
No misinformation: Extraordinary claims must be matched with evidence.
Do not post about VPNs or cryptocurrencies which are not listed on privacyguides.org. See Rule 2 for info on adding new recommendations to the website.
General guides or software lists are not permitted. Original sources and research about specific topics are allowed as long as they are high quality and factual. We are not providing a platform for poorly-vetted, out-of-date or conflicting recommendations.
I self host Bitwarden (Vaultwarden) so I just use the built-in TOTP authenticator in the Bitwarden app. It’s nice to have it all in one place + having auto copy and paste when I log in. And because I self host, it’s all backed up securely and with (as far as I know) no real backdoors.
ETA: just realized what community this is in. people that replied to me I’m sorry lmao, I’m not a nut about this kinda stuff and I’m by no means recommending this just like using it this way for convenience factor and to keep the likes of google out of my password.
I do the same thing. And Bitwarden’s 2FA is off my phone. In a complicated world, it’s reasonable to keep 1 password + 2FA as secure as possible. I simply can’t handle the hassle of pulling out my phone for every 2FA login, but still value the protection 2FA + randomly generated passwords provide.
No, please do not do this. Two factor authentication should be just that: two separate factors of authenticating yourself. Having them combined in one is the same as one factor.
Said in the reply to the other comment here, but I don’t really self host for security/privacy sake. And in addition to that comment I’d also like to say that I do use a YubiKey when possible for MFA. I’m not a security nut enough to care about TOTP (which kinda sucks anyway) all too much but for important things I do use physical MFA.
U2F on Bitwarden, in principle, doesn’t guard against attackers breaching into your accounts, as the Yubikey serves as a second factor during the authentication stage when the Bitwarden app retrieves the encrypted vault. Unless you combine a static secret from the Yubikey into the master password of the vault, an attacker could, in theory, steal your encrypted vault from the central Bit/Vaultwarden server or any device that’s already downloaded it (note that if this device is your phone, all conventional TOTP is thwarted anyways, so in general phones are the most lucrative target here.) From there, the strength of your master password becomes the only thing separating an attacker from access to all of your online accounts.
I’m not saying that it’s a bad practice and you absolutely shouldn’t do it — I do it myself, as I trust the security of Bitwarden’s servers and my devices in keeping my vault safe. The salient point here is the burden lies on online services upgrading their outdated security options to support U2F, not on us settling with an objectively inferior 2FA option because these services are too lazy and slow.
I have a really long password on Bitwarden like 30+. I use OnlyKey to store this password on a hardware device.
You mentioned phones. My problem with using another 2FA app is that it’s still on my phone.
Yeah it compromises the idea of a second factor. Bitwarden is the worst choice. It’s only one thing: comfortable
Fair, although I’ve said in a comment on this account somewhere else, I self host more for convenience sake than anything. I just like having my own password manager, sure it’s not as secure to use it for MFA but it’s better than giving my passwords to Google, LastPass, etc. and then using eg Google Authenticator. Self hosting is more a corporate distrust thing than a privacy thing for me