2FA questions

OK - newish user and I have questions about 2FA.
My wife and I both use my desktop W10 PC and also my W10 laptop (we both use the same user logon) and both of us have cell phones that we might use to login to various sites as well. We have a common MS Outlook 2007 email that both of us use installed on the desktop PC and each of us use unique hotmail email accounts. btw, I have BW installed on my PC, MY cellphone only, and the laptop PC.
I’ve read briefly about Yubikey and 2FA, and Authy, but still don’t really understand how/where to use it and whether it would work well for us.
Some sites we use - like our credit union for example, send a numeric code to our email or cell phones. Some websites (but not all) let us register multiple phone numbers and email addresses so we can choose at logon-time where the numeric code is sent to by the website. For some websites, (like our credit union) that additional security seems to now be required. That works OK for us but I’ve read that it is not all that secure anymore (SMS or email codes).
But it looks like most websites do not use anything more than userid and password.
Let’s say that my wife is out shopping and I am on the road elsewhere. With Yubikey, only one of us would have the Yubikey device, so I assume that the other of us would be unable to login - correct?
What about with other 2FA methods - is there a good way to solve this problem?
And is Yubikey and other methods only good for some small number of websites? If that is true, how do I know what websites out of the dozens or hundreds that we access would use our 2FA method?
I just have no understanding of how I could implement higher security with any comfort that I would not just create a mess.

Hi @cwr64 great questions, it’s always better to try and think of possible scenarios prior to getting things going so you’ve got a game plan and don’t get sidelined by something unexpected. I’ll try to answer your concerns as best as possible.

You noted here that SMS or email may not be the best

SMS can be considered less secure, due to the possibly of you changing a number and forgetting to change 2FA, or a SIM swap attack. While rare, if you are a “juicy” enough target someone really wants to compromise your phone they may be able to perform some type of spear-phishing attack, and social engineer there way to getting your phone carrier to “swap” your SIM card with another valid SIM, thus allowing them access to your SMS 2FA.
While SMS 2FA is generally considered less secure, any 2FA is better than no 2FA in my opinion.

Email would only be as secure of a channel as your email service itself is. If you already have a long, strong, unique passphrase for your email login + 2FA then I would consider this generally secure enough for temporary 2FA codes.
Email is generally not considered secure enough for the transmission of long-term sensitive information as while email can be encrypted in transit, generally this can be routed through multiple networks, be stored on unencrypted storage pools at rest, etc. So while someone might use Bitwarden Send to transmit sensitive information, email would not be a good method for this.

Security is a tipping scale between security on one side and convenience on the other, you have to find the right balance for your personal risk and comfort level.

Unfortunately this is true and not many sites support or require 2FA, though just using a password manager and unique passwords for each login helps this issue and still is the best secure option for these case.

If you have shared accounts you can also share these in Bitwarden with a free two person Organization between yourselves if you have separate individual Bitwarden accounts.

Majority of sites that do support 2FA typically support them in the order of SMS → email → TOTP → hardware token.
Yubikeys can work with a multitude of protocols depending on the model you purchase, I haven’t looked much into them myself as of yet but from what I understand can support TOTP codes as well as simply being a hardware token type “key” for your 2FA with U2F and FIDO
Authy is a type of TOTP 2FA app, you download to a smartphone and this authenticator app will scan a QR code or enter a TOTP secret seed and will provide typically a 6-digit revolving code which will change depending on the time, typically every 30 seconds.
Authy can automatically backup and sync these 2FA TOTP codes between multiple phones and computers if you choose. There are also several other authenticator apps that will do similar, and Bitwarden also supports TOTP code generation with a premium account.

Whatever you do I would also recommend some type of backups, if you use TOTP get an authenticator that will backup your codes, some people even go so far as to save the QR codes in a secure location.
If you are offered recovery codes from the website after turning on 2FA, make sure you record these recovery codes and keep them in a safe place.
If you use yubikey get at least an extra as a backup.
Always plan, “How can I get back in to my accounts in the event I lose my phone/2FA device etc.”

Unfortunately here and elsewhere I have seen too many Help / Locked Out posts where something happened to someone’s 2FA method and info was not backed up or recovery codes were not recorded. Often times this proves impossible to bypass without contacting the support of the website directly and more often than not in truly well designed secure systems even system admins and support cannot help you to recover a lost account due to 2FA lockout.

Majority if not all sites that support Yubikey as a method of 2FA login will support the ability to add multiple Yubikeys, as mentioned with wanting to have a backup.
This would mean both you and your wife would have a personal Yubikey than can be registered as a hardware token on the shared login sites that use it, as well as register the backup key.
In the event one person loses their key the backup can be used, and if it is a shared login both keys can also be used interchangeably to login using 2FA.

Hope this information helps some and I was able to answer most of your questions, feel free to respond if there is anything further or if you would like more detail regarding anything specific I discussed.

Thank you for the info - a lot to think about and some of what may sound simple to you seems hazy to me - and I just won’t take action if I am uncertain. Having 2 Yubikeys would probably work for us as you said - but I, even having read some of the doco, am unsure. Are there only a few sites that honor Yubikey, or only a few that honor Authy? What about sites that do not honor Youbikey or Authy? And buying 2 Yubikeys is not inexpensive. And I still do not know how they work.
I do use BW (used LastPass until they got bought out) - isn’t that a form of 2FA ? So what would additional security be - 3FA?

Can be a lot for sure and I don’t mean to scare you from security with how much is out there.

I would recommend having some type of 2FA, as mentioned any 2FA is better than none, even SMS text for those that will only support that.

2FA is really MFA

Source: MFA (Multi-Factor Authentication) is authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g. password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).

So 2FA is a subset of MFA and you may hear them being used interchangeably, 2FA would simply require 2 Factors of the required three. In many cases it is something you know (password), and something you have (phone, email access, or app for TOTP codes, Yubikey)

With that out of the way,

You are absolutely correct and I mean to say having 2 hardware tokens is good practice to have that backup, Yubikeys are generally considered the best for security but does have a cost associated with it as well as complexity.
You will need to ask yourself if that is something you believe is warranted at this time, again only you really know your personal risk tolerance and how much convenience you want to give up for security and visa versa.
It’s all about finding a happy middle ground where you feel comfortable and are doing your best to keep things safe. By using a password manager I would venture to say you are already ahead of the curb compared to ~70-80% internet users.

Typically most sites that support a hardware token like Yubikey will also support TOTP codes such as from Authy.
Majority of sites will also let you use multiple methods of 2FA or MFA options. So you can set up BOTH Authy and Yubikey on websites that allow, even email or SMS as a fallback.
Your 2FA security would only be as good as the weakest link. So Authy and Yubikey would be good, but adding SMS would mean even with Authy TOTP or Yubikey you would still be susceptible to a SIM swap attack

That being said more sites will support TOTP over Yubikey, but those that support Yubikey will generally support both Yubikey and backwatds to TOTP. It’s kind of like how every square is a rectangle but not all rectangles are squares.

Yubikeys are pretty interesting and to be fair I have not done enough reading to fully understand them myself but I will try. Generally they work as a hardware token to store a public/private key which is used as your 2FA. This works sort of like a digital lock and key with the Yubikey being a physical hardware key to provide a digital key token to authenticate you have the key you registered 2FA with.

Some Yubikey models also can store and generate the 6-digit TOTP codes similar to authenticator apps such as Authy does. This means that for those supported models of Yubikey if you purchased, it would support sites that only use TOTP, and those that can use Yubikey fully. This means you’ll only need a single (with a backup) solution to 2FA rather than having a Yubikey and a separate app like Authy.

That all being said, absolutely don’t feel like you need to purchase a Yubikey to stay safe or that you will need to spend money to be secure. If you feel comfortable with the security provided you can start out with something simple like Authy, it’s free to download and use. You can use it with multiple devices at once for the TOTP codes, and it can provide encrypted backups of your TOTP seeds so you have less of a chance this falls into the hands of bad guys.
You can use this with what you already have and if you decide you need or would like to change you can switch from Authy to Yubikey, but note this might also require you to reset 2FA on each login you need to change when switching.

Bitwarden does have a built in TOTP generator for login entries, this is similar to Authy and will provide the 6-digit code for 2FA.
There are multiple arguments for and against this though, but it can be great to secure accounts with 2FA that also need to be shared, such as streaming accounts, etc.

Again it all depends on your risk tolerance. Personally I trust in Bitwarden, but there is always a question of what happens if someone gets into my Bitwarden account?
If I have all my passwords and 2FA saved in Bitwarden someone could get into my Bitwarden and get access to everything, all eggs in one basket.

For some things like websites such as blogs, homelab testing, etc that are not important or need to be shared Bitwarden is a great choice for TOTP. As long as you have a good strong master password which has never been used anywhere else, and secure 2FA your vault is reasonably secure. For the more important accounts I use Authy for a dedicated app with backups for much more sensitive personal accounts such as for financial accounts etc. This provides me with a good balance of convenience being able to use BW as the go to for most things, while still giving me the peace of mind that in the worst case someone could not easily get into my most important accounts, while still only being only an extra step or two out of my way.
Convenience vs Security

Most websites would only require your password and one other type of 2FA method enabled. This is why 2FA can only be as secure as the weakest link.
If you have Authy and Yubikey on a website you will not need to verify with both, once you enter the password you will be offered one or the other. Usually Yubikey and then an option to change if needed to another 2FA method. If you enabled email or SMS for your 2FA as well and these got compromised someone might be able to get in with these even with Yubikey or Authy.

3FA would be simply considered the broader category of MFA. Could be a combination of multiple forms of authentication standards such as biometrics, password, and hardware token all at once but generally would not be something you see except for the most secure environments such a Gov bases, or large-scale datacenters.

I know this was quite a bit again but I hope this better details and breaks down some specifics on your questions. Again I hope that this doesn’t overwhelm you into thinking security is impossible. Start small and manageable, then work towards bettering things overtime to reach your goals.
As you change, your security posture may also change as well so being able to start somewhere, anywhere and then learning more as you go to realize where you are and where you want to be will help you get to your goals and better your security.

Best of luck,
Cheers :slight_smile: