I would like the following scheme for my personal security needs.
Bitwarden would generate all my OTPs. But what about when I need to sign into Bitwarden? In this case I would like the OTP to be sent via SMS.
I saw one of the 2FA options (DUO) allows for SMS OTPs but that’s only available with premium Bitwarden. I decided to buy premium to give it a shot. However I was disappointed to learn that DUO requires its own account and also costs money.
Is there any way to get Bitwarden to SMS OTPs to me? If not would it be something the developers would consider?
My concern is as follows. Let’s say I move all my OTPs from Authy to Bitwarden as I desired. Obviously I can’t put Bitwarden’s 2FA into Bitwarden itself, so I guess I’ll leave that in Authy. On the regular I now only use Bitwarden, but over time maybe I forget my Authy credentials. In this case say my main devices crash/get stolen/lost in a fire. I get a new device and want to sign in. I will no longer be able to sign into Authy (or may not even remember what the name of that other 2FA app I used to use was). I can’t login to my emails because they are all 2FA’d and I need to sign into Bitwarden to get the code. And I can’t sign in to Bitwarden because I need to get into my email or Authy in order to get the OTP.
The one thing I generally feel I’ll always have access to is my phone number. Having Bitwarden SMS me the OTP code seems like the best solution to me.
How do other people do this? What are your thoughts on the matter?
Thanks for those recommendations, however I feel those options would essentially just replace Authy. I want some way of Bitwarden sending me its OTP so I don’t need any OTP generator other than Bitwarden itself.
You make a great point, but I’m not sure how to “store credentials securely”. Maybe this is a problem of acumen or that I don’t trust some of the people I live with. I do have Authy on several devices, and I’ve also had the experience where I’ve gone travelling with only one device only to find myself signed out of my OTP generator and then being stuck unable to access any of my accounts at all.
Your concern about the “phone company” controlling my phone is concerning to me and I’d love to learn more. I bought my phone directly from the Google store, so it’s not locked, and I only installed the bare minimum app from my phone service provider so I can check my phone bills and ensured that it has only the bare minimum permissions. Should I care if they read my OTPs? It doesn’t give them access to anything on its own. As long as the OTPs are delivered I would say that serves the purpose here.
The free DUO account is interesting. I’ll have to look into that.
@danmullen That sounds like good advice, and probably the way I’m leaning.
I guess I’m confused why everyone is so concerned about the security of SMS. I thought one of the ideas of OTP was that you could send them over insecure channels. Since they are one-time use, they will be useless as soon as I use them, no?
That makes sense, but said actor would then also need to brute-force or already know my password. I guess SMS would be bad if I’m being specifically targeted. I guess I’m more concerned about the recent slew of dark web password dumps that have come out.
Still I suspect what you say is correct. I should just use Authy and duplicate my OTPs to Bitwarden. I guess it’s a fantasy to want it all in one place.
That is not correct. You can also use DUO free. That is what I am doing since some years. Here is the “How to use it”:
About protecting Bitwarden. I use 3 different 2FA methods for this purpose:
By doing this I get into Bitwarden even if 2 out of these 3 methods - for whatever reason - are not available. Furthermore: I create a weekly backup. So even if none of these methods work anymore I have access to my credentials with the exception of those that were changed after the latest backup was created.
I would advise you to reconsider using SMS. There are several ways of getting hacked.
They can break into your carrier account and do it.
They can call up your carrier, tell them that you have changed phones and convince the operator that they are you using social engineering. For example, some places use security questions which can be guessed. I have a PIN setup to prevent this.
They can bypass the PIN by using an inside job (internal employee) or fake ID.
SMS messages are unencrypted and pass through gateways, which may have bad security.
If you are worried that you will forget your Authy password, copy it to a USB key or paper and store it somewhere physically secure. Just remember the one place you put it.
My statement is that if a malicious actor steals my number with the intent of accessing my Bitwarden they would still need my password to do so. Them stealing my phone number/texts is a separate issue that I don’t see as affecting my Bitwarden security in a meaningful way.
Yes they would need your password, but a password can be cracked and it could be compromised by a keylogger. Your security scheme is only as good as the weakest link, which would be your SMS. People’s master passwords, in my opinion, are often weaker than their website counterparts. The passwords on my websites are often 40 characters long. My master password is not 40 characters long because I have to type it.
Sorry for the delay in replying, lots of things happening for me at the moment.
Others have answered most of the things you asked. As for storing credentials securely you need to decide which methods have the right balance of risk and survivability for you. Some options, in no particular order:
print/write on paper and store somewhere reasonably safe from the most likely forms of attack which you face
put on a USB stick, preferably encrypted
put on a computer on your local network, preferably encrypted
store on a remote drive, definitely encrypted
use security keys (at least two), always keep one with you and do not keep all of the others in one building
The more methods you have the more survivable your setup is, though at the cost of having to keep more things up to date. The fewer methods you have the better the security, though in most cases this is not as big a change as many think.
I think the original poster ZeroSinner wants to use SMS. ZeroSinner feels that SMS is a good balance of security. Because most of the people on this forum tend to be security conscious, most do not like the SMS idea. However, I think it’s up to the user to think about where they want to draw the line.
In the case of the OP, they are worried that they will lose the PIN to the authenticator. We mentioned the different methods the OP can use to get around this, like storing the key somewhere. However, it appears the OP has a physical security issue with possibly untrustworthy housemates, so perhaps a paper copy would be out of the question.
There is no SMS option for 2FA for Bitwarden. The closest is email. If that is not good enough, perhaps ZeroSinner should consider using an authenticator with SMS recovery.