Disable Auth App After Adding Yubikeys?

Question about security best practices. I just recently received 3 Yubikeys and added them as FIDO2 keys in the 2FA section of Bitwarden. I still have my Authy app set up.

I’ve found the priority order of the 2FA methods and FIDO is well above authentication apps, but I’m curious - since ANY of the 2FA methods will work, is it a best practice to remove the authenticator app completely as a method? Or is it wise to keep that in the back pocket for 2FA?

Thanks!
Jack

2 Likes

Just pointing out that if you have the “2FA recovery code” then you have a backup so you have no need for a TOTP backup if you don’t want it.

2 Likes

Your 2FA is only as strong as your weakest link. Thus, to get the security benefits of FIDO2/Webauthn, you should disable all other forms of 2FA. If you’re new to Yubikeys, you could temporarily keep TOTP enabled, while you get used to the FIDO2 authentication process and build some confidence in this 2FA method; however, you should disable TOTP as soon as you feel comfortable letting go of the training wheels.

The only exception would be if you need to log in to Bitwarden on a client app or browser that does not support FIDO2 (e.g., the Desktop app for macOS or Linux). Even for those cases, if you have available a second client app that does support FIDO2, you could use Bitwarden Authenticator (on your logged in client) to create TOTP codes for logging in to Bitwarden through your macOS Desktop app, etc. — that would be somewhat more secure than Authy, because only someone with access to your Yubikeys could get your TOTP key.

Finally, as pointed out by @DoctorB, it is highly recommended that you print out your 2FA recovery code and store it in a secure location as an emergency backup (for example, you lose all of your keys, or some weird bug prevents Webauthn from working, etc.).

3 Likes

The backup codes are OTP, so following the logic of “your 2FA is only as strong as your weakest link”, is there no equivalence there?

The issue I’m getting at is that a “weird bug” leading to not being able to authenticate with U2F might be, say, during a very convincing phishing attack that has you fooled but not your U2F key.

So the weakest point remains the human there perhaps and if you cannot authenticate with the U2F key, it’s time to stop what you’re doing and use another device for a fresh login attempt disconnected from the failed session, rather than grab your paper backup.

Just wondering if there really is harm in leaving a TOTP application associated as a more convenient-than-paper backup (which is also worth having) provided it’s used in a disciplined manner (i.e. probably never, like the paper backup)?

Though Authy I think potentially has other issues, just meant Authenticator style apps in general.

Sorry if this is a slight thread hijack, it’s just something I’ve been wondering because if you travel a lot, a paper backup in a fire safe on the other side of the world could be an issue in an emergency, which is just the sort of time you could get locked out of your account (i.e. the worst possible time!).
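The point above about a phishing page fooling the human but not the key can be made concrete. This is an added example, not Bitwarden’s or any FIDO library’s code; the credential key, challenge and look-alike origin are constructed, and the authenticator’s signature is modelled with HMAC (a real key signs with an asymmetric key), which does not change the origin and rpId checks being shown.

```python
import base64, hashlib, hmac, json, struct

# Constructed values: a stand-in for the security key's private key, and the vault origin.
CRED_KEY = b"constructed-credential-key"
RP_ID, VAULT_ORIGIN = "bitwarden.com", "https://vault.bitwarden.com"

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Nothing in it depends on which site asks for it,
    so a code typed into a look-alike page is just as valid as one typed into the vault."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def browser_get(origin: str, rp_id: str, challenge: bytes):
    """Model of navigator.credentials.get(). The browser (not the page) records the
    origin it is really on, refuses an rpId that is not a suffix of that origin, and the
    key signs authenticatorData || sha256(clientDataJSON) so neither can be edited later."""
    host = origin.split("://", 1)[1].split("/")[0]
    if host != rp_id and not host.endswith("." + rp_id):
        return None  # a real browser raises SecurityError here
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": base64.urlsafe_b64encode(challenge).decode()}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (UP set)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, to_sign, hashlib.sha256).digest()  # HMAC models the key's signature
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion: dict, challenge: bytes) -> bool:
    """Relying-party side: the checks a WebAuthn server performs on an assertion."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != VAULT_ORIGIN:
        return False  # assertion was produced while the user was on some other site
    if base64.urlsafe_b64decode(cd.get("challenge", "")) != challenge:
        return False  # replay of an old assertion
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest() or not ad[32] & 0x01:
        return False  # wrong rpId, or no user-presence touch
    expected = hmac.new(CRED_KEY, ad + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])
```

A TOTP code carries no information about where it was entered, so the server cannot tell a relayed code from a legitimate one; the assertion fails as soon as the recorded origin or rpIdHash is not the vault’s.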

This is exactly the kind of pro/con I was hoping to hear and learn from.

Thank you for all of this. I think I’ll take the “training wheels” approach for now and definitely will be printing out the backup codes.

4 Likes

Note: There are two ways to set up Yubikeys: Yubikey OTP and FIDO2/WebAuthn. One strategy is to set up both on your three keys. This will then allow you to default to WebAuthn on the browser extension and web vault and then fall back to the OTP on the desktop app where WebAuthn isn’t available.

I support the training wheels approach. Pace it based on your comfort. I took time to erase my other Authenticator apps. Now, I have removed Bitwarden TOTP code but I do use other TOTP codes which I place in both Bitwarden and on the Yubikey Authenticator app.

As long as you store the following safely and securely, you will be okay:

  1. printed 2FA Recovery code and master password (not necessarily in the same place)
  2. One backup Yubikey
  3. An exported vault on a usb key

Removing your weakest link for 2FA is a best practice but only as long as you have a disaster recovery plan.

1 Like

Can understand this approach, but this scenario relies on you having access to one of the keys or the backup codes and as such, the OTP from the Yubikey is not a ‘backup’ but an alternative (I’m not saying you are saying differently, just trying to get it clear in my mind as much as anything).

A separate 2F using TOTP, in the case of not having access to either the backup codes or Yubikeys is truly a backup.

With my understanding being that the prime benefit to U2F keys is the phishing protection they offer, the safe thing to do would seem to be not to login via any method where U2F is not supported rather than to freely use OTP as an alternative to U2F (again not saying you are suggesting this, but it’s a plausible habit if you have both U2F and OTP on the same key).

The question I was getting at is really if you only used the TOTP authentication in a scenario where you lost the keys, not when you found the key to be non-functional, why should that be eminently higher risk than using a paper-based backup code?

As per previous caveats; notwithstanding risks associated with cloud-backed-up 2F solutions such as Authy.

Overall, I’m now starting to wonder how difficult it really would be just to laser print a backup OTP on to a military grade paper, cut it small and just carry that, and stop worrying about the whole issue.

Now, for all this consideration, storing OTP or TOTP key codes along with credentials in the same password vault? Yeah that seems like the better thing to worry about.

Yes, the Yubikey OTP is an alternative when WebAuthn is not available, not the backup. In my case, it’s a fallback. I only use it now because the desktop app doesn’t support WebAuthn for a reason I don’t understand. Once it does, I will likely remove it. Your rationale of not using the desktop app at all now to remove the need for the alternative OTP is sound.

I also agree that if you never use TOTP and it acts only as your disaster recovery option that it has high security; not as high as paper backup (or steel plates for extra measure :wink: stored in a safety deposit box).

Frankly, 2FA authenticator apps are already highly secure and those of us who are eliminating them from our workflow for more secure options (Yubikey OTP and then Yubikey WebAuthn) are verging on the paranoid, just geeking out, or are organized crime.

Backups are best kept offline and stored securely, as noted at the end of my post. I have three Yubikeys so it’s highly unlikely I’m going to lose two before I need to retrieve my third or retrieve my 2FA recovery code. I agree that storing a password and 2FA recovery code together is not prudent but do note that Bitwarden effectively does this with their integrated app.

Heck, split the 2FA code into three overlapping pieces (meaning any two will recreate your code), store in three separate safety deposit boxes, on different continents, well away from earthquake zones and civil unrest, and you’ll feel secure.

Let’s not forget in the crypto world where thievery abounds, that the greatest reason for loss is people ramping up their security so high and to such complexity that they lock themselves out from their seed and lose access to their crypto on the blockchain.

I agree - these aren’t things most of us need to worry about. I think TOTP codes in an authenticator and even, God forbid, via SMS, are perfectly fine for most users who already use things like Face ID and malware/virus protection.

If you use a complex password, never reuse it, and use any form of 2FA, you are already well ahead of 99.9% of users and you have eliminated nearly all of your risks.

1 Like

Thanks for this, what you’re saying makes sense and I think I’m overthinking it, most likely also overthinking my own self importance - as a John Doe there’s very little reason why anybody would want to make a concerted effort to gain access to any of my logins anyway.

Guess on the backup, I just always think in terms of the three copies, two mediums and one off-site rationale, so three keys is one backup at best in that sense.

I’ve got in a mess on 2F thinking how you back that up, which is a loop involving a password protected backup, which then needs a 2F because passwords being unsafe is why we have 2F…

Full disclosure; I’ve previously used LastPass so that’s got me rethinking a lot of this.

Think George W put it best:

“There’s an old saying in Tennessee — I know it’s in Texas, probably in Tennessee — that says, fool me once, shame on — shame on you. Fool me — you can’t get fooled again.”

Words to live by.

If you’re going this far down the rabbit hole, you might as well use the Shamir algorithm for secret sharing (e.g., using Ian Coleman’s implementation).

1 Like
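The “three overlapping pieces, any two recreate the code” idea raised earlier in the thread and the Shamir suggestion just above are the same scheme, so here is a small added implementation (not Bitwarden’s code and not Ian Coleman’s tool) that splits a recovery code byte by byte over GF(2^8). The recovery code is a constructed placeholder, and the threshold and share count are parameters, so the same code also covers e.g. a 3-of-5 split.

```python
import secrets

RECOVERY_CODE = b"XXXX-XXXX-XXXX-XXXX"  # constructed placeholder, not a real Bitwarden code

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) using the AES reducing polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)  # shift, reduce when bit 8 overflows
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Inverse as a^254, since a^255 = 1 for every non-zero element of GF(2^8)."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def split(secret: bytes, k: int, n: int) -> list:
    """Return n shares (x, bytes); any k of them reconstruct secret, fewer reveal nothing."""
    assert 1 < k <= n < 256
    # One random polynomial of degree k-1 per secret byte, with that byte as constant term.
    polys = [[b] + [secrets.randbelow(256) for _ in range(k - 1)] for b in secret]
    shares = []
    for x in range(1, n + 1):  # x = 0 is reserved: that is where the secret lives
        ys = bytearray()
        for coeffs in polys:
            acc = 0
            for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
                acc = gf_mul(acc, x) ^ c
            ys.append(acc)
        shares.append((x, bytes(ys)))
    return shares

def recover(shares: list) -> bytes:
    """Lagrange interpolation at x = 0, one byte position at a time."""
    out = bytearray()
    for i in range(len(shares[0][1])):
        val = 0
        for xj, yj in shares:
            num = den = 1
            for xm, _ in shares:
                if xm != xj:  # basis l_j(0) = prod x_m / (x_m - x_j); subtraction is XOR here
                    num, den = gf_mul(num, xm), gf_mul(den, xm ^ xj)
            val ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(val)
    return bytes(out)
```

Each share should be stored as its x value plus the share bytes (hex or base32 is convenient for engraving or printing); `recover` only needs the shares, not which ones were lost.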

This (that?) is going to be hard to resist…

Coupled with underground Swiss bank vaults.

Almost afraid to ask your thoughts on self hosting versus cloud vault storage (hides behind phone keyboard).

It’s going to involve a faraday cage isn’t it?

While you’re at it, record your Shamir split backup codes in a set of Cryptosteel capsules (in AISI 303/304 stainless steel) or Simbit wallets (in marine-grade AISI 316 stainless steel).

1 Like

A must! If there is a flood or fire that breaches the bank’s vault where the safety deposit boxes are stored, engraved steel plates are a must. I’m kind of annoyed that Bitwarden doesn’t ship them to Premium customers, to be honest. @bw-admin could you please look into this?

As for Shamir, I like this method as you always need to be prepared for an apocalypse where the internet may not be available to decrypt it:

Note the instructions to replicate it at home with your steel plate punch.

1 Like

I’m not sold on these steel seed storage things; seems a novelty item to me.

Seems like those capsules would be tricky to deconstruct without dropping characters and losing the order of things.

On a moving train say, the difficulty would definitely go up a notch, but if you’re going to try to go ‘James Bond’ on it then you need to be prepared for that, or your steel capsules will be writing cheques your body can’t cash (with ensuing employment flying cargo planes full of rubber dog turds from Hong Kong).

Can you really unscrew those capsules post fire? Differential rates of expansion and cooling at sufficient temperatures would suggest not, but there’s bound to be YouTube nuts proving otherwise (why have I not checked this?).

Maybe if the fire is not more than “double the average house fire” or whatever the claim is (half the time they seem to state it can withstand up to the temperature range in which the metal becomes molten!).

Also buying these things for delivery seems to be telling the world you’ve got onsite secret key storage.

Guess you could buy with cash from a store, but are those stores selling such things and such sales numerous enough not to be watched?

The waterproof paper thing, I guess works if you must have a proprietary solution, but why not just buy military spec paper?

That’s waterproof, laser printer compatible and available in desert tan or camo green.

Just think of the benefits afforded by camouflage! It could become practically invisible to the untrained eye!

If you’re concerned that could similarly attract unwanted attention, the same paper stock (alas in white only) is available just marketed as high quality laser paper (you would have to match spec obviously, not all paper stock is equal).

Buying a ream of that won’t attract attention, I would suggest, and could last you years.

Graphite pencil would be robust for marking, and then you put that in a fire-resistant sleeve and then in a fire safe, because you’re going to do that with a steel wallet thing anyway if we’re honest.

The other thing is you could disguise the seed within a letter, general text or poem, making it unidentifiable as useful if somebody acquired it.

Copies disguised as such could be cheaply mailed to associates around the world for safe keeping.

That just seems the more robust, secure and cost effective method of seed storage, so that’s why my assessment (cynical yes) is that these things are nothing more than a cheap novelty that companies have sought to use to cash in on paranoid crypto enthusiasts.

I’m standing by to be convinced to the contrary though.