Is it possible to save each password with a 2FA key like a YubiKey?
I am looking for an alternative to Trezor Password Manager, which is being discontinued.
There, each password request had to be confirmed additionally on the hardware device.
That is exactly the kind of system I am looking for.
I hope you can help me.
Is it really the same security?
As I understand it, with the master password + 2FA key all passwords are decrypted and are therefore copyable by a potential attacker. However, if each password is decrypted individually, the attacker would only be able to copy the passwords that I actually decrypt.
Or where am I wrong?
@Pho - First, 2FA is used for authentication, not encryption.
Second, what is your threat model? The only way for an attacker to copy passwords out of your vault is if you allow them to have full access to your computer (either physical access, or by allowing the installation of malware) while the computer is running, unlocked, with your vault unlocked. Perhaps an easier solution is to try to avoid such a situation.
It actually would be technically possible (in fact, each individual field in your vault items is stored as its own encrypted cipher-string). However, this would make working with the vault more cumbersome, and it would be difficult (perhaps impossible) to implement features such as searching and auto-filling.
What are you trying to achieve? Are you trying to create an identical solution to Trezor password manager? If so, it’s not possible as it’s a different security model. For example, Trezor PM is also dependent on a user’s individual Dropbox account for vault security. On its face, while the Trezor approach of approving on the device each password use (identical to crypto cold wallet transactions) is neat, I’m not sure if it’s practical for a cloud-based, centralized password manager. I’m not even sure if it’s necessary.
What’s your threat model? State actor? (you’re already owned) NFT/crypto thieves? (you stand a chance, but don’t keep seeds in password managers, ever) Malware/keyloggers? (you’re already owned) Your ex-wife? (you’re already owned). This will help us understand if a password manager like Bitwarden is appropriate. If you use a long passphrase with a little salt that you never keep electronically, a hardware security key (you must keep a printed copy of the Bitwarden 2FA recovery key), a KDF of 600k+, and you export an encrypted version of your vault that you keep offline on a USB key, you have a very secure vault and redundancy. If your threat model proves this isn’t sufficient, I suspect you shouldn’t be using cloud-based storage, which also means the Trezor>Dropbox approach wasn’t appropriate. You also have the option of a password manager like KeePassXC if you want to keep everything local and/or only on your personal cloud service. A notebook and pen may be your most secure approach (notwithstanding ex-wife).
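As an added illustration of the points made in both replies (each field stored as its own cipher-string, a PBKDF2 work factor of 600k, and 2FA sitting outside the decryption path), the following Python is constructed for this thread and is not Bitwarden's, Trezor's or any poster's code; its HMAC-based stream cipher is a stand-in for a real cipher, and the function names, salt and sample vault items are made up.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # KDF work factor recommended in the thread


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Vault key from the master password alone. The 2FA secret is deliberately
    not an input: the second factor gates login, it is not part of decryption."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stand-in stream cipher (HMAC in counter mode), not a real vault cipher.
    blocks = [hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_field(key: bytes, plaintext: str) -> str:
    """One field -> one self-contained cipher-string 'nonce.ciphertext.tag'."""
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, b"mac" + nonce + ct, "sha256").digest()
    return ".".join(part.hex() for part in (nonce, ct, tag))


def decrypt_field(key: bytes, cipher_string: str) -> str:
    nonce, ct, tag = (bytes.fromhex(p) for p in cipher_string.split("."))
    expected = hmac.new(key, b"mac" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):  # wrong key or tampered field
        raise ValueError("cipher-string failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def encrypt_vault(key: bytes, items: list) -> list:
    # Every field becomes its own cipher-string, as the reply describes.
    return [{name: encrypt_field(key, value) for name, value in item.items()} for item in items]


def decrypt_vault(key: bytes, vault: list) -> list:
    # The same key opens every field: once the vault key is in memory nothing
    # prevents bulk decryption, which is the difference the question is about.
    return [{name: decrypt_field(key, cs) for name, cs in item.items()} for item in vault]


def demo() -> list:
    salt = os.urandom(16)  # constructed; stored beside the vault, not secret
    items = [{"site": "mail.example", "password": "constructed-pw-1"},
             {"site": "bank.example", "password": "constructed-pw-2"}]
    key = derive_vault_key("correct horse battery staple", salt)
    return decrypt_vault(key, encrypt_vault(key, items))
```

Per-use hardware confirmation, as the Trezor model did it, would need a secret that never leaves the device to take part in each field's decryption, which is exactly what this single-key layout does not provide.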