After buying 4 security keys, i found authenicator is the single most important one

hi, as said in my other discussions,
that i wanna make my accounts protected by
username + passwd
AND 2FA
(authenicator OR security keys OR recovery codes) and i wanna ditch sms/email but indeep even google dont think so. they still keep your sms and email.

i use a samsung,
my aegis is inside the knox.
my bitwarden (contains no totp) is in the work profile.
so that even a hacker hack 1 profile, the he wont get BOTH UN+pwd // totp.

in the street, i almost never wanted to take out the wallet,
and i almost always use the totp, using fingerprint to logon.

at home, i however almost always use 1 of my 4 security keys.
unfortunately i still have to type the 6 code PIN of that key.
the security key solely saved me little time no need for the time consuming totp.

that’s it.

What does “authenticator” mean to you here? The Yubico Authenticator which you use with your security keys? The Bitwarden authenticator mobile? (you tagged that) Your Aegis?

I think, Google recently allows for SMS/email deletion. Though I don’t know, how complete then…

And we have to guess, what “use” means? (since e.g. YubiKeys could be used for FIDO2, U2F, Yubico OTP, TOTP, HOTP, Static Password etc. … and use for Bitwarden login? Use as 2FA for Bitwarden login? Use for logins to websites directly?)

If you write things that open for interpretation, I don’t know what you mean.

PS:

Do you mean 6-digit-TOTP codes - or are you talking about a 6-digit-FIDO-PIN of your security key?

This depends on the website you are logging in to, and whether you are using the security key for 2FA or for passwordless login.

Since you are comparing to TOTP (which cannot be used for passwordless login), I assume that you are discussing the use of a security key for 2FA.

On most websites (including your Bitwarden Web Vault account login), using a security key for 2FA does not require you to enter the security key PIN code. So I really don’t know what you’re talking about.

Personally, I find that using a hardware security key for 2FA is much more convenient (and much more secure) than using a TOTP authenticator.

this is what i use:
username,
password

aegis authenicator for totp

for security keys, if they are the cheap yubico security key, i have to use webauthn; if they are the yubico 5 series, they dont use webauthm but use the name yubico security key.

i never have interest in passkey (esp with yubico keys as they have limited spaces for that, 25 for old keys and 100 for newer keys, as i dont like limited; nor i will use passkey with bitwarden which could remove the biometric part)

i never use fancy things like what yubico authenicator which also take up space on the security key. bad idea.

anyway, my point is:

at the street, i never have the eager to bring up a physical security key, so on street i almost always use the aegis totp authenicator.

at home then i will use the security keys, which save me some time no need to do the totp thing.
however it still need the PIN which is reasonable (the only alternative is a biometric one which is expensive)

afair, when i use passkey on the yubicos, i also have to enter the PIN.
this PIN prevents someone taking my key and pretend to be me so i wont remove it, and only idiots will remove it.

Series 5 is certainly capable of using FIDO2/WebAuthn, which is superior to other 2FA protocols.

1 Like

Exactly.

And WebAuthn is one of the corner stones for passkeys as well.

yeah but i dont know why my yubico series 5 key use the yubico,

and the cheap yubico security key use the fido2 webauthn.

but my point is:

even you dare to remove email and sms,

you likely will keep totp AND seurity key AND recovery code for 2FA.

and on the street, the totp is indeed more prefered than taking out the physical key, which i put along /w my physical credit card.
the aegis totp app is just 1 finger touch away from me.

while at home,
use the physical key save some time, but not much,
as i still need to input the PIN of the physical key.

(no passkeys for me pls, they occoupy space on the key)
i am a poor guy who apply a lot of test drive accounts and save little money.
so limitied accounts for a key is not a solution to me.

Your Yubico series 5 uses Yubico OTP, because you set it up like that.

The series 5 is also fully capable of using FIDO2 WebAuthn - you just have to set it up like that.

And as I understand it, that is the better standard than using Yubico OTP.

That the series 5 supports Yubico OTP and the Yubico security keys don’t, doesn’t mean, Yubico OTP is better. It just means, that the cheaper Yubico security keys support less protocols than the series 5…

1 Like

@ccchan234 I agree with @Nail1684: Remove your Series 5 keys from the deprecated Yubico OTP protocol in Bitwarden’s 2FA setup, and then add them to the FIDO2/WebAuthn protocol, which is superior.

Regarding your main point:

Why are you logging in to your Bitwarden app “on the street”? There is usually no good reason to routinely log out of the app, so after logging in once (at home, using your Yubikey with FIDO2/WebAuthn as 2FA), just keep the app logged in (but locked when not in use — in the app settings, set the “Vault Timeout” action to “Lock” instead of “Log out”). Then, you will not need 2FA when unlocking; in fact, you can even set up the app so that the vault can be unlocked using biometrics.

Also:

This is not required when using the Yubikey as 2FA for Bitwarden. Perhaps other websites require the PIN to be entered, but not Bitwarden.

1 Like
  1. my samsung have personal, work and knox profiles, bitwarden app dont always show up correclty. afaik the auto fill in only occured recently?

  2. i have already setup bitwarden app using biometrics. thx

And have you changed your YubiKey 5 keys to FIDO2 WebAuthn as 2FA for Bitwarden?

i will have to do some research first before that, thank you.

@ccchan234 Do that. But remember, FIDO2 is the most secure protocol here. And the YubiKey 5 absoluetely can do that.