I use those emergency sheets to keep my Bitwarden authentication safe. The problem is that these effectively break 2FA: it turns into a single “something you have”, which is that sheet.
For a while, I bought little envelopes to put them in that I could glue and sign, so if it was ever tinkered with, I could tell. Someone couldn’t just take a photo (well, not a simple one, maybe with X-ray) and leave.
For a while I also had my password at home (because family getting it is less worrying than e.g. the cops, who could potentially coordinate with a cloud provider to get my vault) and then my recovery key with me, to at least decentralize that “something you have”.
I’m wondering if anyone does anything that might be interesting or has even thought about the physical security of such a thing.
At least “something you have” is somewhat secure. Unlike something you know or are.
That is also a good practice, called “secret splitting” or “secret sharing”.
A form of secret sharing that may give you comfort is the so-called Shamir’s Secret Sharing (SSS) method. This splits your secret (e.g., your emergency sheet information) into a user-specified number of “shares”, each of which is encrypted (and therefore protected from prying eyes). The cleverness of this method lies in the fact that there is no decryption key or password — to decode the encrypted shares, one simply enters a (user-specified) number of shares into a decryption algorithm, which allows the original secret to be recovered. You can specify that all shares must be present to allow decryption, or require only some subset of the shares that were originally created (which is useful if you are worried that you may not be able to recover each and every share when you need to decrypt the secret).
There are several SSS encryption/decryption tools available online, some of which can be saved on your local device (to ensure that you will have the tool available for decryption purposes in the future, and to avoid having to worry about your data being sent to some internet server). Here is one that I recommend:
For example, you can combine any two of the following three encrypted shares to recover a sample emergency sheet:
Definitionally, a password is “something you know.” Even if you forget it, it is still considered “something you know”. And if you write it down, it is still considered “something you know”.
The three factors (“something you have/know/are”) are more about measuring credential diversity than literal meanings.
Well, that depends, as always, on your threat model (that is: your definition of “secure”).
If the risk you are considering is the loss of a credential (like forgetting a password), that risk is usually bigger with “something you have”.
Because that usually turns out to also be “something you can lose”.
People tend to concentrate too much on the risk of a bad actor gaining access to one’s vault and forget the other big risk: the legitimate owner losing access to his own vault.
This last risk is easy to mitigate with backups, but it’s there and should be taken into account.
Yes, but the point of 2FA is that you use 2FA when you log in. That’s what you use. The only reason to use a recovery sheet is that everything has gone wrong and it is a last effort to regain access to your account. You are not supposed to use the recovery sheet / recovery code daily, so really, you ARE using 2FA in 99,99% of cases when you use Bitwarden.
Good idea, but it does not really protect them against compromise.
Make 2 sheets, one that has your account password and the other that has the recovery code… then put those two papers in different locations.
Or make 2 sheets that both have half of the password and half of the recovery code… then put those two papers in different locations.
Why bother? Simply store all credentials (including recovery codes, TOTP codes, other 2FAs, passwords, everything) in KeePassXC. Then keep that database file encrypted with a different password than your Bitwarden password and even add a keyfile that is stored on a USB stick (hidden somewhere in your apartment)… also make a backup of that database and that keyfile somewhere else.
If all sites and services would use passkeys securely and allow users to customize EXACTLY where and when and which one of them is used, you could make recovery of all your accounts much simpler: simply use 1 passkey that allows access without 2FAs to all your accounts and keep that 1 passkey (Yubikey or similar) behind a good PIN and physical protection. Then, if you lose your password or 2FAs for site/service X, simply pick up that passkey (Yubikey), sign in with that and reset everything. Again, right now this is not possible, because sites and services are terrible at using passkeys.