Is it possible to disable the personal API key?
I do not use CLI Authentication and the API key seems like an unnecessary way into my vault.
My assumption is that the API key will allow account access with the
client_secret effectively bypassing otherwise strict MFA requirements.
Is this correct? Any suggestions to mitigate this?
I do use the API key for CLI. The client_id+client_secret allows operations to the vault that doesn’t require encryption/decryption, all without the 2FA. All operations requiring encryption/decryption require additionally the master password. There is no way to disable the client_id+client_secret access.
OTH, you can also look at it this way. In order to see your client_id+client_secret, you need to open you web vault (email, password, 2FA — or your biometric+your approval device+your trusted device+2FA), and then enter your master password yet again. This is the same as seeing your 2FA recovery code. If somebody can get this far into your vault, nothing is secret from them. Your strong 2FA method is useless because they can get to your 2FA recovery code. Remember that 2FA is used only for authentication, and not for encryption/decryption.
I am not clear how easy it is for BW the company to access the client_id+client_secret for your vault, but OTH, again the company would have to have access to some derivation of your 2FA recovery code. Same level of weakness/defense?
Thanks for the reply, this is what I was missing. Glad to know the id/secret alone are not sufficient to perform decryption operations.