Hello all.
After finally moving from LastPass, I’ve become perhaps a bit obsessed with increasing security of my online presence. Here’s where I could use some advice.
I am literally a grandma living in a rural area of the western US and my threat model leads with my own incompetence, i.e., losing my phone, misplacing my USB backup, failing to safely store my master password, etc. So I have my USB backup in a fire safe, I have a hard copy of the vault there as well. My passphrase is written out and safely stored. I have the emergency kit stored. I’ll work on storing a USB outside the home as well.
Here’s the issue I’m running into now. I want to make it easy for my husband to access these accounts if I should be unable to but he is, honestly, pretty computer illiterate. I take care of all the finances, insurance, bill pay, etc. etc. He jokes that he just hands out a piece of plastic and it magically gets paid and that is about the truth of it.
So as I’m trying to write up an instruction sheet, I’m realizing that this is going to be incredibly frustrating if he ever has to actually use it, especially since I’m putting 2FA on everything that allows it.
In the instructions, I have a hyperlink to the Bitwarden login and explain how to enter the unique email address and the 5 word passphrase but then it goes into using Aegis on the phone and I’m pretty sure that’s where I’ll lose him.
I plan to keep working on it but I guess what I’m asking is has anyone else come up with simple solutions for a similar issue? Would a Yubikey simplify the process for him? Anything else to share?
And thanks for reading this far. I appreciate any advice.
So far, you’re doing great! I would suggest that storing a copy of your emergency sheet outside your home would be of higher priority than storing a USB backup outside your home (the odds that Bitwarden’s cloud servers would disappear at the same time that the contents of your home are destroyed or absconded with is pretty slim – unless you live right next door to an Amazon Azure server farm).
And just to be sure, your emergency sheet does include your Bitwarden 2FA Recovery Code, right?
especially since I’m putting 2FA on everything that allows it.
In your case, I would strongly recommend that you use Bitwarden Authenticator as your 2FA for logins that are stored in Bitwarden. This makes it really easy to complete the TOTP, as you can use Ctrl+V (or Right-Click > Paste) to paste the TOTP code after you have autofilled the username & password. Bitwarden also recently implemented autofilling of the TOTP codes, but it only works on a few websites so far (nonetheless, as they improve on this feature, it would make it even easier to complete the 2FA challenge).
As far as the 2FA for your Bitwarden login, I would suggest either a Yubikey (e.g., a Yubikey Nano, which can be semi-permanently attached to your husband’s computer — assuming that the computer is reasonably secure and does not leave the house), or setting up DUO for him (which would allow a one-time code to be pushed to his cell phone by text).
As a final point, in a month or so, Bitwarden should be releasing support for using Passkeys to log in to Bitwarden (instead of the master password). This could be an opportunity to make it even easier to use Bitwarden for the technically disinclined.
Thank you for the encouragement and your comprehensive advice. I’ll look into switching to the BW 2FA instead of Aegis, which should simplify things. I do have recovery codes saved also on the emergency sheet; I’ll get a couple copies printed out and store them safely.
Based on some Reddit comments to this same question, I am shifting the focus from helping my husband learn all this to making sure he has someone (i.e. our kids) enabled to help him should the need arise. I’ve come to understand that it’s too much to expect and an unfair burden to leave for him when I do have other options.
Thanks again for the help…I’m enjoying learning more about BW and how it functions!
As a security professional, I can’t help but say that I’m impressed by your concern for security. Security people just wish that all employees had this same concern for security!
Your approach of involving your children is probably the easiest!
Can I also assume you told your husband never to open emails and attachments from unknown sources? Or maybe he doesn’t use email at all, which is the safest approach…