Random thought. A possible vault protection 2FA decryption could be to use the OpenGPG keys to encrypt the resulting hash from the master password.
For example.
Hash the master password as normal
Use OpenGPG public key to encrypt the hash, possibly salted with some easier pass code. Optional because the private key should/may be protected by its own pass code.
Use OpenGPG private key plus optional pass code to decrypt the hash
This would allow the vault to be decrypted by either knowing the master password or having a Yubikey with the appropriate privatekey and possibly also knowing a shorter pass code. Of course, any changes to the master password would also require re-encrpyting with the public key.
Could also be an alternative to entering in a pin when locked.
The PIN does not need to be too long. I use only 8 unique (used nowhere else in my life) characters. Reasoning is that 5 incorrect attempts result in a complete logout of the vault, no exceptions. At that point a very long master password and U2F key are required for my stuff. The odds of hitting the correct PIN of 8 characters (alpha numeric) in 5 guesses is zero for all practical purposes.
I also feel like the Yubi keys are way more portable. In a pinch you could go to any computer quite easily and use the U2F key. Going to a foreign computer and needing to access a GPG key can be done but with more tedious requirements for access. I use GPG all the time so I would easily be able to accomplish what is needed but many newer users would be scrambling to make it all work.
The pin vault lockout is an online attack. For an offline attack, there are no limits. Anyway, load a kernel debugger and change that 5 attempt limit to a few billion. Just snapshot the the system state, if you fail, reset and try again until you win. The pin on a yubikey, or the like, generally has a hardware protection that prevents anyone from trying more than 3 times before the yubikey bricks itself and requires the yubikey to be reset and the private key re-assigned.
I find it ironic someone with the username @OpSec didn’t think of that. Kudos to you @Ben86 for laying it out.
Also ironically, I’m fairly certain you mean OpenPGP, not OpenGPG (threw me off a moment so I had to Google it to make sure I wasn’t missing something).
Anyways, I believe using YubiKeys could be a good approach and even a good backup for people. Then again, this could be a potential security concern as well if not required to test it every so often.
If I were to present it to someone as a “backup method” with “built-in security” that locks you out on fails, they’re going to be more likely to use a pattern, reuse a currently used PIN, or use relevant number (ex. address, special date, etc.) that they can easily remember long term, and thus be easier to crack if you know them. This tremendously increases the chances of gaining access to probably at least a 50% chance of success (if I had to guess, assuming 5 attempt lockout).
Now I know any of the real security conscious users would use something random, while less security conscious people are likely to end up writing it down somewhere or taking a picture, if not reusing a password or something memorable.
As much as I’d like to see YubiKeys utilized more in the field, I’m not sure if this is a good use case scenario. It would likely end up leaving a hole in your vault than provide a contingency.
The best method I could suggest would be to store your vault password in your vault, so if you’re signed into your vault on your phone or tablet you can unlock it with other methods (ex. fingerprint, facial, iris) and view it then. As far as long term recovery (for instance, say you got arrested or something and were unable to access it for a long period, or you lost your phone), that’s just going to be a matter of having good memory then. Perhaps try to recite it to yourself or note it down somewhere secure that others who may end up finding it would have no idea what it meant. I could go on, but that’s just a deep rabbit hole of a conversation.
We are both simply trying to help with an issue/proposal here. It was “nice” of you to correct us for the way we attempted to help. Yes I was concerning myself with online attacks against my vault. There is no way someone is gaining access to my vault offline. My master password is monstrous and even IF the Yubikey requirement in someway were to get bypassed, mathematics doesn’t lie. You will NOT get in. The comments are correct in that GPG/PGP would make an excellent toughening agent. I use GPG daily for communication so I am at home with it. Balance though — > is that the mainstay of users here likely have never used or truly researched the use of that form of encryption protocol. The BW software could be changed to be “rock ass hard” but I assure you that the masses would exit if they were forced to employ such methods exclusively. You cannot force folks who are not security freaks to do the things the three of us would gladly do if available. BW is a great option for casual users and it offers enough strength where the security freaks should know how to cover the squares some here simply will not cover. e.g. - have you ever tried getting your family to participate in using GPG for messages between you and them? Won’t happen will it? Same here!
I also don’t have concerns about long term access to my vault if I lose my Yubi’s, computer, Android, etc… IF you keep the recovery code safe it will work forever and is the “trump card” for universal access. Sleep well with it available and enjoy life!
Sure, but if you’re using the PIN to unlock on your computer, then you’re back at what @Ben86 said in that it can still be done. It doesn’t matter if your password is as long as the US constitution, if the pin is used for easier unlocking, it can be broken into.
Again, another attack vector if you have the data and need to break in. More backup methods, more ways in (for you and attackers).
The only downside to YubiKeys is they’re so rare to be found that if someone obtained one, chances are they could count on one hand the people they know that have them and go from there. Not that they’d know what to do with it or what it is, but if they do, they’re already ahead.
As far as the YubiKey and certs behind pins, I can say they are secure, but very easy to forget. I was testing out some things, maybe a month ago. I managed to remember my PIN and reset it, but the PUK I could not and now that part is locked out. Not the better of the two to forget. I didn’t have anything important on there I needed, but just to show how that can be a downfall as well. Sure, as a temporary solution/backup it can work out for doing what you need, but if I went another couple months and needed in it, chances are I would’ve locked both out (unless I reused a PIN, which is again, bad practice).
Bottom line, unless you have excellent long term memory, it’s a gamble these days. Might get lucky and get the best security for yourself that you’re able to, or you might be closer to average and either slack up on an area or shoot yourself in the foot.
Yeah, ignore that. My quick search to clarify myself was too quick and I didn’t realize they’re both a thing.
Your private key should be stored somewhere safe. The yubikey would just have the one on it. It would allow for you to either enter the master key or the much shorter pin+privatekey for convince. If you forget your pin, you can reset it and re-add your private key. Either way, you have a choice.
And between the pin and puk, you only get 6 tries. So it’s not like someone could steal your yubikey and trivially guess you pin.
If anything, having a large password encourages you to either leave BitWarden unlocked or to use a pin in the app. But unlike the yubikey, the pin in the app could potentially be attacked with a proper debugger.