What get exposed if a malicious actor knows my master password but not my 2FA?

I would like to know security implications if a malicious actor knows my master password but not my 2FA.
Does anything get exposed? If so, what does?

If your 2FA is a Yubikey, they still won’t be able to login because they would need the physical key to login. They would need physical access to your key.

If your 2FA is an TOTP, It’s still possible to brute force your way by trying the same 6 digit 2FA code constantly. However, this can take a very long time. The problem with using TOTP is that as another poster Yuri noted, that there is no notification that this is happening, other than your account locking out a lot.

If your 2FA is SMS and they know your phone number, they could call your cell phone provider and pretend to be you and take over your number, and then they would receive all of your sms messages. You could add a pin to the account, but often that may not be enough security to prevent porting.

The question is how much you are hunted. For most people, hacker will just give up after seeing that they have a 2FA because it’s not worth the time when easier target are available. However, if you are known to have a lot of bitcoin or money, or have something oddly valuable like a short name Instagram, you may want to use the more secure method.

So if my 2FA is a “Yubikey”, any hardwer device (eg a key provided by my bank), am I 100% sure?

Using as “TOTP”, “Google authenticar”, a code is generated every 30 seconds.

So a brute force, after 30 seconds, has to start all over again, because it no longer has the value of what was found in the previous 30 seconds?

Quite right?

Best Regards

Nothing is 100% sure, but this is very close to it.

Correct.

Some bonus info:

• Make sure to have more than just one 2FA option and make sure that all of them work! Having 3 Yubikeys is different from using more than one 2FA option.
• As you seem to be interested in a Yubikey I assume that you have Bitwarden premium, so also have a look at the free version of Duo.
• Before you start using Google Authenticator, also take a look at other apps like Authy or Aegis. All of them have advantages and disadvantages.
• If you have an Android phone, use Microsoft Teams on it and use it in an enterprise environment do NOT use the Microsoft Authenticator. Here are the details.

What wouldn’t 100% security give me with a Yubikey?

Is stealing the Yubikey the only way to open my safe?

How other options for 2FA should I still exclude SMS?

What other options do you recommend for 2FA?

I am trying Bitwarden in feee version.

Thank you!

It could break, you could loose it, someone could steal it.

The thief still would need both your username and your password. So the moment you realize it really was stolen and not just misplaced you could simply remove/replace the Yubikey:

image800×878 43 KB

Definitely. Compare the 2FA options with a chain. The weakest part will break 1st.

If possible get premium.
I do not want to recommend something but I can tell you what I have and use:
TOTP (via Authy), a Yubikey 5 NFC and (my favorite) Duo free.

A strong doubt:

using 2FA as options, for example
TOTP and Yubikey, don’t I create a weak point (TOTP, in that case), compared to using only one option like Yubikey?

Thanks so much!

I do not consider TOTP a weak point, otherwise I would not use it.
Diversity from my point of view is more important. Imagine you only have some Yubikeys and for whatever reason there is a software issue and they without warning cease to work.
That is why I use 3 different 2FA options.

For more details go here: Basics of two-factor authentication with Bitwarden | Bitwarden Blog

OK … I was thinking as an alternative to use the 32-character code that I got generated by Bitwarden in case I need to work off line or in case of lack of the 2FA option.

Thanks so much!

Pippo,
There is no 100% things in life, just degrees of it. A Yubikey is about as unhackable as you can get. I did see an article where someone hacked one, but they essentially had to have physical access to the key. Some day someone may find a way around it.

TOTP is 6 digit and have 000000 to 999999 or 1,000,000. Testing by a fellow community member Yuri indicate that you can enter 10 wrong choices before the account is locked for 30 seconds, but that is for each IP address. He indicated that you can use multiple IP can have multiple 10 attempts. If you have a bank of computers constantly hitting the same number over and over again, we may be able to hack the account after a long period of time. Bitwarden does not warned you if someone failed 2FA, so you may not know that this is happening. Basically, it’s secure, but maybe not if you have some government agency after you. In those case, maybe use Yubikey.

Pippo,

As for the weak point, Peter is correct that you should pay attention to the weakest. link. One of my complain about Last Pass Authenticator is that you have to give it a cellphone number for SMS recovery… This allow users to recover their 2FA if they screw up, but this is counterproductive. I wanted to use last pass authenticator because it is more secure than SMS, but if there is a backdoor way of bypassing it using SMS, then the original purpose is defeated.

This is why secondary options for recovery is bad. If you use a Yubikey but then use a TOTP for backup, hacker will just hack your TOTP instead of Yubikey. This is why people who use hardware key has a second hardware key for backup. If the first one is destroy, they use the second one to login, remove the old key and then add another key.

The weakest point is actually the human. A lot of vendors allow you to call some person on the phone and after answering some easy to guess question allow you to reset the account. I would worry about that more than someone hacking your 2FA by brute force. Hackers don’t usually use brute force because it’s time-consuming and not all that effective. They typically social engineering to trick people to give them the password.

I have a similar choice to make for a contract with my bank for internet banking (the access credentials I would enter in Bitwarden).

My bank offers three options for 2FA but I can only choose one:

Pop up to my smartphone;

TOTP generated by app provided by my bank;

Hardware key provided by my bank (in this case, I have to pay a monthly fee).

At this point, by analogy with what I have learned for Bitwarden,
should I choose the hardware key provided by my bank from among the aforementioned three options?

Thanks so much!

Pippo,
All of my banks only offer SMS for 2FA. As a workaround, I end up setting up a google voice account that I then protect with hardware key. Unfortunately some vendors don’t even allow that. Unless you are targeted, you should be fine with TOTP. A hacker will most likely use other method of logging in. I would check the following:

1. Does your bank have some sort of security question that can be used to recover your password. If yes, go in and update them to something that can’t be guess. For example they may ask “What high school did you graduate from?” Set it to something unrelated like “Pancake jelly fish 2058 is spaghetti odoule” or a generated password. Make sure you paste that into the note section of your bank’s account in bitwarden. Instead of attacking your TOTP, they will call your bank and ask them to reset your password.

2. Does it allow you to recover using SMS. A lot of the banks does not allow you to turn it off. I haven’t heard of anyone who got hacked because someone brute force their TOTP, but there are a good number of cases where someone went to the theft carrier and ported the cell phone number.

3. Does it allow you to recover by a phone call. This could be bad depending on implementation. The one that would be bad is if it leaves a message Answering machine and voice mail typically have terrible security, allowing someone to hack your answering machine/service and get the 2FA. Some implementation forces you to enter a response, which would be better.

4. Are there other recovery methods, test them out. I found that the account had a method where you can recover by entering your debit card number and then your user name and ssn. Yikes, you are now one wallet theft away from being hacked! To mitigate, I change the user name to something unrelated like cassowayBagel (just an example). Now they can’t guess the user name. Again since it’s hard to remember, change it in your password manager so you don’t forget.

On my pc and smartphone that I mainly use, is it always advisable, for safety, to keep the 2FA option enabled?

I noticed that after having enabled the 2FA option, with the first access to my pc or smartphone, I was also asked for the TOTP code but at the same time, for convenience, I enabled the option not to request the TOTP code for subsequent accesses.

What do you recommend?

Thanks so much!

According to Google’s research, TOTP is about 90% effective at reducing general account hacks but only 70% effective at reducing targeted account hacks. Security keys have so far been 100% effective.

Ben86
Do you have a link to that article? I would be very interested in reading it. 90% is actually not very good.

Pippo
Enabling a device to bypass 2FA is ok if the device itself is secure. I would review the list of devices to see if any were adding that were unknown. However, you can’t seemed to do this with Bitwarden though. It does not keep a list of trusted devices.

Doesn’t this type of hardware key from Unicredit bank offer the same protection as the Yubikey?

Quite right?

What are the differences?

Thanks so much!

Those are just hardware totp. They are not secure as yubikey

Are they comparable to TOTP smartphone apps or are TOTP apps more secure?

What are the differences compared to the TOTP smartphone apps?

Thanks so much!