Is Bitwarden's 2FA Code a Security Risk?

  • Published 26 Nov 2024

COMMENTS • 53

  • @notreallyme425
    @notreallyme425 1 year ago +30

    Bitwarden also allows the option to auto-copy the OTP code so you just have to paste it into the OTP field. Again, security trade-offs. But let’s be honest, getting my family to voluntarily use MFA is pretty much impossible. It took years to get them to use a password manager. When I showed them all they had to do was paste the OTP code they thought that was cool. This is far better than them not using MFA at all.

    • @ProTechShow
      @ProTechShow 1 year ago +16

      The fact you've managed to get your family to use a password manager at all is impressive. I'm still fighting that battle.

    • @notreallyme425
      @notreallyme425 1 year ago

      @ProTechShow It was until my daughter got her Instagram account hacked. No better way to get a young lady’s attention about passwords! 🤣 Still, after getting her and everybody else on Bitwarden I had to turn on all the “easy” settings that many would say lessen the security. But it’s still WAY better than reusing easy-to-guess passwords on all their accounts. Now that they’ve been using it for a couple of years, they’ll all tell you it’s easier because Face ID enters passwords for them and being able to copy/paste OTP codes makes it simple.

  • @dav1dw
    @dav1dw 11 months ago +5

    Your point is very good and first time hearing of this logic. I tend to agree and having the 2FA in bitwarden makes it that much easier to use TOTP. If that is the line to have someone start using TOTP or not, it's well worth storing it in bitwarden.

  • @Ck87JF
    @Ck87JF 7 months ago +5

    I appreciate you explaining the passport metaphor and also walking through the "eggs in one basket" scenarios toward the end.
    Both elements had me hesitant to put tokens into Bitwarden, but you make great points that unless your cousin from abroad is holding your MFA, there's going to be eggs in one basket in almost any scenario. And then it's gonna be fun getting your cousin to give up a code when they're busy or asleep... 😅
    I'm already using Bitwarden to store tokens for shared accounts as well as accounts I don't super care about, but I'll have to consider whether I want to migrate everything to it, especially since I'm not totally happy with my current MFA app.

  • @captain150
    @captain150 9 months ago +5

    I agree. There are three main scenarios most average people are in: 1. using no password manager and crappy short, reused and leaked passwords with MFA on their phone; 2. using a password manager with long, random, unique passwords per site and MFA on their phone; 3. same as 2 but the MFA is also in their password manager. The security gulf between 1 and 2 is vast compared to 2 and 3. Most passwords are leaked by sites losing their database (and the password either being short and easily brute-forced, or stored by the site in plain text). All 3 of the scenarios save you from that situation, but scenario 3 in my opinion has the best convenience/security ratio.

  • @MindCraftAcademy-my5fh
    @MindCraftAcademy-my5fh 5 months ago +1

    Rather than throwing everything into one basket, I would advise using a different app for OTP and Bitwarden for passwords and passkeys.

  • @dansanger5340
    @dansanger5340 10 months ago +13

    After the LastPass fiasco, I refuse to put all my eggs in one password manager basket.

    • @PAWKID4LYFE
      @PAWKID4LYFE 9 months ago

      Exactly. I use Horcrux, double blind passwords for this reason.

    • @Ck87JF
      @Ck87JF 7 months ago +5

      LastPass's problem was that they weren't encrypting every bit of user-created data, so databases had stuff stored in clear text. Also, I'm not sure where LP falls on this scale, but Bitwarden uses end-to-end encryption, meaning that they cannot see any data you've created, including metadata. That said, it's certainly a reasonable idea to have two separate apps to manage the two keys to your sites.

    • @dansanger5340
      @dansanger5340 7 months ago

      @Ck87JF Not encrypting everything in the vault was one LastPass failure. The other, more serious failure was that they left some early customers with inadequate encryption strength, making their vaults vulnerable to brute-force attack.

  • @cam_934
    @cam_934 3 months ago +1

    Of course Bitwarden can also have additional security beyond just a password, so even if somebody knew your BW password they would also need to be using your device; otherwise they would get hit with 2FA on the first attempt to log in.

  • @y0Prsn
    @y0Prsn 2 months ago

    Hey mate, am I able to clarify something with you on the whole Bitwarden/passkeys feature?
    When first using the passkey option on a site (say Microsoft, for example), the Bitwarden pop-up will appear saying, “Save passkey as new login”.
    Now as far as I am aware, this is different from using a YubiKey for the passkey, where it is stored on the YubiKey only. When using the Bitwarden option to have the passkey stored in your vault, where is the private key being generated and where else is it being stored? Or is it only being stored in the Bitwarden vault?
    I was thinking that there may potentially be a risk with this if the private key is stored on your machine locally as well as your vault, should your PC get hacked etc. This might not be as big of an issue as I think though, so I'm interested to hear your thoughts.
    Also, on this topic, what are your recommended settings for Bitwarden and security/2FA etc.?
    I currently use a master password with my YubiKey as the WebAuthn 2FA for Bitwarden. I guess this, along with passkeys for whatever accounts support it, is as good as it gets? Just want to know whether the differences between keeping passkeys in your vault or on the YubiKey are worth thinking about?
    Thanks!

    • @ProTechShow
      @ProTechShow 2 months ago +1

      It sounds like you've got a good grasp of it. Bitwarden's passkey is a synchronised passkey, as opposed to the device-bound passkey on the YubiKey. It'll be stored in the vault and synced (presumably encrypted) to any device you have the Bitwarden app logged in on, along with the rest of your vault.
      Synchronised passkeys are more convenient than device-bound passkeys because you don't lose the key if you lose a specific device, but the flip side is they're not as secure. The fact that the private key cannot be extracted from a YubiKey is a by-design feature to protect it from theft by malware. With a synchronised passkey you don't need to steal a specific device, you just need to compromise a device with the key synced to it. You also have the chicken-and-egg problem of how do you log in to your vault if all of your passkeys are in the vault? If the answer is "something other than a passkey" then that becomes the weakest link for everything. If the answer is "a different device-bound passkey" then why do you need the vault?
      Personally, I use device-bound passkeys rather than synchronised ones, for the extra security. If it's a choice between a synchronised passkey and a password, the passkey wins, and that's really the battle they're trying to win.

    • @y0Prsn
      @y0Prsn 2 months ago

      @ProTechShow Got you, thanks for the response!
      It’s slightly odd because if you use WebAuthn 2FA for your Bitwarden account, but then also use a YubiKey for your passkey logins, what purpose does the Bitwarden vault actually serve?
      If you need the YubiKey every time you log in to Bitwarden, surely you may as well do without Bitwarden and use your YubiKey for your passkeys instead?
      Unless, on a device like your phone for example, you’re using Face ID or fingerprint recognition, in which case you may not always carry the YubiKey with you, I suppose.

    • @y0Prsn
      @y0Prsn 2 months ago

      The only benefit I can see to keeping my Bitwarden vault at the moment is that not all of my accounts support passkeys, so I still need some passwords saved. I think once they do and I’m comfortable shifting to device-bound passkeys, the vault will be redundant.

    • @ProTechShow
      @ProTechShow 2 months ago

      @y0Prsn I think it will be a very long time before no accounts have passwords, so the vault will be needed for a good while yet.
      One thing I've found it useful for is recording where I've used device-bound passkeys. The problem with device-bound keys is that if you lose the device you need to revoke it from each account and replace it with a new key. I use Bitwarden's custom field feature to record which keys have been used on which accounts, so if I need to replace one I can do a quick search to find out where.

  • @IssacBerry-nd8pt
    @IssacBerry-nd8pt 6 months ago +1

    Use BW on PC, and use Aegis on an Android phone. This is safer, by feeling.

  • @fedefede843
    @fedefede843 1 year ago +3

    Oh very nice. It is a fresh take on this matter. Well done. Thanks!

  • @rahilarious
    @rahilarious 1 year ago +3

    Haha, very good rationale. Never thought of it this way.

    • @ProTechShow
      @ProTechShow 1 year ago

      Thanks. The airport analogy helps me visualise it. Hopefully it makes sense to others as well!

  • @Jamesaepp
    @Jamesaepp 1 year ago

    I'll be honest: I never liked the concept of factors. If you take a TOTP secret and memorise it, is it still a possession factor? Why is it that because you record it in a computer it suddenly becomes a possession factor? If you recorded the same secret in a notebook you carry with you, is it still a possession factor or simply an extension of your mind?

    • @ProTechShow
      @ProTechShow 1 year ago

      Yeah, they rely on you using them as intended. If you write down the TOTP secret or print a certificate's private key on a t-shirt you've defeated the point of it. At the end of the day they all end up as ones and zeros somewhere along the way so you could always misuse it, although you'd only be harming your own security.

    • @dav1dw
      @dav1dw 11 months ago

      I think the reason for TOTP is so you add typing in numbers (hash of secrets) that change every 30 seconds so if someone intercepts it, the secrets are still safe.

    • @Ck87JF
      @Ck87JF 7 months ago

      I think if you printed the QR code / TOTP secret text and put it into a safe or lockbox, then that would be irrelevant in terms of factors; the copy on your phone would be a possession factor. But even if you somehow memorise the secret, you'll still have to type it into an app that is capable of giving you the code, right? So that would still be possession. No one would expect someone else to have memorised the secret, so even if you're tied up and being threatened with a wrench (xkcd readers know), you're more likely to have someone demand that you unlock your phone to get the details rather than demand the info.

    • @Ck87JF
      @Ck87JF 7 months ago +1

      @dav1dw That is indeed the reason, but the OP is suggesting that an attacker who is able to convince them to give up their password AND the secret behind their TOTP token will be able to get into the account.

    • @Jamesaepp
      @Jamesaepp 7 months ago

      @Ck87JF The extra analogy you give (if I'm interpreting it right) of having multiple copies of the same secret only reinforces my disdain for all the "factor" language. Because, as you rightly point out, a TOTP secret in your head can be a knowledge factor but the same TOTP secret in your phone is a possession factor. Security is about the weakest link, and I'd argue (for xkcd reasons) the knowledge factor is the weakest of all.
      Regarding the algorithm part of the equation, sure, you must combine the secret with the functions to output the OTP. But that's not much different from locally combining a passphrase with some salt, hashing it, and then completing the "proof of knowledge" without handing over the knowledge factor itself. Or any other similar challenge-response protocol for that matter.
      Back to my thesis point: the "factors" suck because in the universe in which we live, *everything* can be considered information.

  • @PiscesDangYeu
    @PiscesDangYeu 1 year ago

    I've thought a lot about this feature but it's really very convenient. I use Google Authenticator and Bitwarden in parallel, so the risk is of course

    • @ProTechShow
      @ProTechShow 1 year ago +1

      Yes, there's an extra layer to it when you think of that... passport for a passport...

    • @mr.boniato6402
      @mr.boniato6402 1 year ago +2

      You will cry when you have to switch phones using Google Authenticator. I lost all my codes because Google Authenticator doesn't restore the codes when restoring. Unless they've added the feature since. This is why I stopped using Google's. Once you get a new phone and you do a restore, it will ONLY restore the app, but not the codes... be very careful.

    • @dav1dw
      @dav1dw 11 months ago

      @mr.boniato6402 Google Authenticator now allows you to store your secrets in the cloud, but you have to enable it. But I just switched to 2FA and it's so much better. The great feature is that on your phone, you have the option to lock it with biometrics or a PIN. So that's another layer of security.

    • @mattpetty6453
      @mattpetty6453 10 months ago

      @mr.boniato6402 Google Authenticator now syncs your codes to your Google account.

    • @dzltron
      @dzltron 10 months ago

      @mr.boniato6402 Aegis is awesome and open source. Available on the F-Droid store also.

  • @swarnendu
    @swarnendu 4 months ago

    I'm sorry. I got the passport analogy but I still didn't get most of the video.

  • @wattsvilleblues
    @wattsvilleblues 7 months ago +1

    Hello from Belfast!

    • @ProTechShow
      @ProTechShow 7 months ago

      Hello from not Belfast, although I was there a few weeks ago!

  • @trza100
    @trza100 1 year ago +2

    Always a balancing act 😂