Here’s my plan for max security while not sacrificing convenience.
- I set up 2FA using FIDO2 WebAuthn with two older model YubiKeys (No other 2FA).
- I keep one YubiKey in my wallet.
- For all my devices (phone, tablet, MacBook, iMac), I choose Remember Me.
Thus I have the best security that will fail only if someone steals one of my devices.
Sound reasonable? Overkill?
Hey, just one technical aspect: you have to make sure that the ‘older YubiKeys’ work with your devices. If your chosen YubiKeys don’t have NFC then you may at least need an adapter from USB-A to USB-C (I don’t know if there are adapters for Lightning / for the Apple devices?!)…
PS: Your plan sounds good to me. The other YubiKey should be in a safe place (like an actual “safe” at your home or something) - and make sure to save the 2FA recovery code as well (maybe in another safe location, real or digital), in case you lose access to your two YubiKeys. - One thing I’m personally not really sure about is the “remember me” function on all devices… the old discussion - comfort versus security - I guess…
All the 2FA in the world is no good if you don’t have a high-entropy master password. Your Bitwarden master password should be a randomly generated passphrase containing at least 4 words that have been randomly selected from a list of at least 6000 words (with random selection done using a cryptographically secure pseudorandom number generator, or a true entropy source such as dice rolls or coin tosses).
Furthermore, in addition to theft of your devices, you need to prevent others from temporarily accessing your devices while they are unattended (or from using your devices with your permission), and you need to rigorously defend against malware.
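The passphrase recommendation in the reply above, worked through in code. This is an added example, not something posted in the thread or part of Bitwarden itself: it uses Python's `secrets` module as the CSPRNG (never `random`, which is not cryptographically secure), computes the entropy of "N words from a list of size M" as N·log2(M), maps five six-sided dice rolls to a word index the way diceware lists do, and, as a contrast, computes the entropy of a numeric PIN. The word list in the block is a constructed 16-word stand-in so the script runs offline; a real list must have at least 6000 distinct words, as the reply says.

```python
import math
import secrets

# Constructed stand-in for a real word list. A real list, as the post says,
# should contain at least 6000 distinct words (a classic diceware list has 7776).
SAMPLE_WORDLIST = [
    "anchor", "basil", "canyon", "dune", "ember", "fjord", "glacier", "harbor",
    "ivory", "juniper", "kelp", "lantern", "meadow", "nectar", "orchid", "pebble",
]

# The floor recommended in the thread: 4 words from a list of 6000.
MIN_WORDS = 4
MIN_LIST_SIZE = 6000


def entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of a passphrase of word_count words drawn uniformly at random
    (with replacement) from list_size distinct words: word_count * log2(list_size)."""
    if word_count < 1 or list_size < 2:
        raise ValueError("need at least one word and a list of at least two words")
    return word_count * math.log2(list_size)


def pin_entropy_bits(digits: int) -> float:
    """Entropy of a uniformly random numeric PIN of the given length (10 symbols per digit)."""
    if digits < 1:
        raise ValueError("a PIN needs at least one digit")
    return digits * math.log2(10)


def meets_recommendation(word_count: int, list_size: int) -> bool:
    """True when the parameters satisfy the thread's floor: >= 4 words from >= 6000."""
    return word_count >= MIN_WORDS and list_size >= MIN_LIST_SIZE


def generate_passphrase(wordlist, word_count: int = MIN_WORDS, separator: str = "-") -> str:
    """Pick word_count words with secrets.choice (CSPRNG-backed).

    Duplicate words in the list would make the entropy estimate above too high,
    so they are rejected rather than silently tolerated.
    """
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list contains duplicates; entropy estimate would be wrong")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def word_index_from_dice(rolls) -> int:
    """Map a sequence of six-sided dice rolls (values 1..6) to a 0-based word index,
    reading the rolls as a base-6 number. Five rolls cover 6**5 = 7776 words,
    which is why diceware lists have exactly that many entries."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"invalid die roll: {r}")
        index = index * 6 + (r - 1)
    return index


def expected_guesses(bits: float) -> float:
    """Average number of guesses needed against a uniformly random secret of this
    entropy: half the keyspace. Divide by an attacker's guess rate (an assumption
    you must supply) to get an expected time."""
    return 2 ** bits / 2


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDLIST)
    print("sample passphrase:", phrase)
    print(f"4 words from the {len(SAMPLE_WORDLIST)}-word sample list: "
          f"{entropy_bits(4, len(SAMPLE_WORDLIST)):.1f} bits (too small; demo only)")
    print(f"4 words from 6000: {entropy_bits(4, 6000):.1f} bits")
    print(f"6-digit PIN: {pin_entropy_bits(6):.1f} bits")
    print("dice 1-1-1-1-1 ->", word_index_from_dice([1, 1, 1, 1, 1]),
          ", dice 6-6-6-6-6 ->", word_index_from_dice([6, 6, 6, 6, 6]))
```

Run it as a script to see the numbers side by side: four words from a 6000-word list give about 50 bits, while a six-digit PIN gives about 20, which is the gap the later footnote in this thread about PIN-encrypted vault files is pointing at. When generating a real passphrase, swap `SAMPLE_WORDLIST` for a full list and keep `secrets.choice`; `meets_recommendation` is the sanity check on the list you actually used.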
I appreciate the advice. I have a good master password. I understand about theft of and unattended devices.
Can you elaborate about “no good”? Let’s say my password were “password.” If I have possession of my 2FA key and devices, and no other factor set up, how could someone hack their way in?
Right. My thinking is that the Remember me function is worth the increase in convenience, since my tablets and computers are protected with good passwords and biometrics. I’m going to have a YubiKey connected to my wallet. Perhaps it will be simple enough to whip it out of my pocket and plug it in, and I won’t need to use Remember me. We’ll see.
Yes my recovery code is literally in a safe along with an export of all my current passwords on a thumb drive.
Okay, walk me through it.
Bob Hacker calls you, and says, “Hey, this is Steve in IT. Blah blah blah I need to know your Bitwarden password. What is it?”
You say, “It’s P-A-S-S-W-O-R-D.”
Bob Hacker has now successfully social engineered your password. So Bob tries to use your password to log in to Bitwarden on his computer. He enters your password, but Bitwarden will ask for the security key. He doesn’t have the physical key, so how can he log in?
They could steal an encrypted copy of your vault from one of your devices or from Bitwarden servers.
This last possibility is not very likely, but look at what happened to LastPass in the summer of 2022…
In case an encrypted copy of your vault falls into the wrong hands, the strength of your master password [*] is your last line of defense.
[*] If you lock your vault with a PIN and disable unlock with master password on device restart (which is not recommended), then your vault is written to your disk encrypted with your PIN, not with your master password. If someone steals that file from your device, then the strength of that PIN is what prevents that thief from getting into your vault.