Does 2FA through an app imply disabling the other ways of connecting? It seems to be mandatory, right?

Hi,
1/ When you set up MFA via an Android software authenticator, for example, or even in Bitwarden, say for “mama zone” or for a mail provider, I guess that you absolutely have to disable the other connection options, like the possibility to receive an SMS, correct? But on some sites it seems not to be doable (“mama zone”, no?), and then the protection of MFA is useless. Am I wrong?

2/ Something else: if you lose your phone, where the authentication app is located (say Aegis), you can end up with no options to connect if you own only one Android device. I imagine that you will then have to get another phone and restore backups and so on. It’s quite complex and you have to be very well prepared for that kind of event.
It may be possible to set up Aegis under an Android emulator on a Windows PC. Not simple at all.

And if you are traveling and you lose your phone? Will you have to get away from home with printed codes in your wallet? Wow. It seems that 2FA protection’s cost is quite heavy: complications, problems, and a crucial need for anticipation. A lot of work, right?

Are you asking about using two-step login to authenticate (log in) to your Bitwarden account, or are you asking about 2FA for logging in to other websites (not Bitwarden)?

And what is “mama zone”?

Hi grb, How are you doing? I didn’t come here for a long time.
I’m thinking about using 2FA on all the web stores and all the mails I use.
1/ It seems that once you have set up a 2FA Android app you must eliminate (if possible) all other ways of connecting. Or 2FA is useless. Or am I wrong?
2/ You have to anticipate the possible loss of your phone,
set up several devices with the authentication app (behind an Android emulator?), backup codes and QR codes.
Quite a job.
What do you think?
I’m now using TOTP inside BW, since yesterday, but thinking about switching to Aegis.

If you set up one form of 2FA (e.g., TOTP codes), then it is generally advisable to disable less secure forms of 2FA (e.g., verification codes sent by SMS or email).

If you are concerned about what will happen if you lose the device that has your Aegis app, then perhaps you should just stick with the Bitwarden Authenticator.

My understanding is that people who use Aegis will use its automatic backup function, and combine it with another app (e.g., SyncThing) to store the backup data in the cloud. Then you will be able to download your backup from the cloud if you lose access to your Android device.

Very helpful, thank you.

1 Like

In addition to what grb said,

1/ It is important to have two ways into anything in case anything goes wrong. If enabling TOTP, you want to look to see if the website offers a “recovery code”, of which you ought to keep a copy. I put them in the notes section of my Bitwarden vault.

2/ Why would you want to maintain two apps? If you are concerned about the entire credential being in one place, consider peppering them. This works even for accounts without TOTP.

“travelling”:… This is where an emergency sheet comes into play. First call I’d place after getting my new phone is to my trusted emergency contact and have them read to me the stuff I need to login to Bitwarden. After that, it is lots of work, but easy sailing.

1 Like

If you’re storing TOTP recovery codes in your Bitwarden vault, then you should definitely also put the TOTP seeds in the vault so that you can use Bitwarden’s integrated authenticator to generate (and auto-fill) the TOTP codes, which is much more convenient than messing with some third-party app.

In this case, you achieve redundancy by creating vault backups.

Agreed and I do.

Bitwarden backups protect against “oops” on my side. Recovery codes protect against “oops” on their side too, so both are important.

1 Like

Thank you, both.

So, if you want to be efficient about security, using an authentication app you have to stop the other ways available to connect to, say, Gmail, for example.
It means that you deliberately close (if allowed by Google) an emergency door. You decide that you want to access your account only through an OTP code, and to forbid the sending of an SMS, correct?
It means that you have to be sure that the authentication app is and will be 100% reliable! How can you be sure of that? Nobody knows what can happen in the future.
And you have to check your codes and/or QR codes for the day when you have to use them, after you lose your phone, for example.
It’s not an easy jump in my view!
I was thinking that it could be a good idea to enable two auth apps for safety, just in case.
All this is quite complicated in my view, even if I understand how it does work. It may be risky, I think.

If it generates a valid code once, then it is working, which means:

  1. The Authenticator Key (secret key, or seed) is correct.
  2. The system clock is accurate (correct time).
  3. The authenticator app is correctly calculating the TOTP code using the above two pieces of information.

So, as long as you are able to maintain a backup copy of the Authenticator Key (which is automatic if you create backups of your Bitwarden vault, assuming you have stored the Authenticator Key in the vault) and set the system clock of your device to be accurate (e.g., by syncing it to a time server), then any app which has correctly implemented the algorithm for computing TOTP codes can be used to produce the code required for your 2FA. There are many, many authenticator apps available (and even online TOTP calculators), so if your authenticator app is not “100% reliable”, then it is easy to switch to another option (if you have a copy of the Authenticator Key).

And in addition, if the service that you are logging in to (e.g., Gmail) offers a 2FA recovery code, then you should also store a copy of that code (in a secure location). This can allow you to restore access to your account in case the copy of the secret key that was stored on the server somehow becomes corrupted.

I don’t understand what you mean by this. If you are using Bitwarden’s integrated authenticator app, then just log in to Bitwarden on any other device, and access your TOTP codes directly. The only thing that could cause the codes not to work would be if the new device has an inaccurate system clock (which is normally easy to fix).