What's your best 2FA strategy to avoid a lockout?

I agree with @grb. So, only minor additions:

  • to remind you of “the usual”: put at least your BW email address, master password, 2FA recovery code and maybe server region on your emergency sheet(s) – optional: login credentials to your BW email address (especially if you have New Device Login Protection enabled)
    • PS: maybe also include scenarios where you might have an accident (or worse) and your family etc. might need access (–> up to “digital legacy”)
  • use FIDO2 2FA (“passkeys”) if possible – with at least one backup (e.g. one backup hardware security key in a safe place)
  • decide for yourself whether you want to use more than one 2FA method (to avoid a lockout) or only one 2FA method (to make it more secure)
  • if you use a TOTP/authenticator app: also put that authenticator key / TOTP seed code on your emergency sheet, so that you can set it up again easily if necessary
  • test your scenario – and check it for possible “circular dependencies” –> especially ask yourself whether you could still log in to your Bitwarden account/vault if you had nothing in your hands but your emergency sheet (and obviously, make sure you have emergency sheet(s))
    • example: if you use email 2FA and realize you couldn’t log in to your email account with just the emergency sheet, then you have to change something in your setup
  • in theory, a “login with passkey” passkey would also be a nice “backup login method” – but only when they can be used for all BW apps and when they get the ability to authorize all actions and could really “replace” the master password (and 2FA)


(Further) remarks for Bitwarden :wink: :

3 Likes
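On the point above about keeping the TOTP seed on the emergency sheet, here is an added example (not from the original post or from Bitwarden): a standard RFC 6238 TOTP implementation in Python showing that the base32 seed alone regenerates exactly the codes an authenticator app would, even when copied back from paper with spaces or in lowercase. The seed is the RFC 6238 test secret, a constructed value rather than a real key.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret ("12345678901234567890" in base32); constructed test
# input, not a real key. Your emergency sheet would carry your own seed instead.
RFC6238_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def normalize_seed(seed_as_written: str) -> bytes:
    """Decode a base32 seed as it might be copied from paper: tolerate spaces,
    lowercase and missing '=' padding."""
    s = "".join(seed_as_written.split()).upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp(seed_as_written: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme authenticator apps use for Bitwarden 2FA."""
    key = normalize_seed(seed_as_written)
    counter = struct.pack(">Q", unix_time // step)  # RFC 4226 moving factor
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sheet_copy_matches_app(app_seed: str, sheet_seed: str, unix_time: int) -> bool:
    """The emergency-sheet test: a seed restored from paper must yield exactly
    the code the phone app shows for the same time step."""
    return totp(app_seed, unix_time) == totp(sheet_seed, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    # Seed as it might be written on the sheet: grouped in fours and lowercase.
    on_paper = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    print("app  :", totp(RFC6238_SEED, now))
    print("sheet:", totp(on_paper, now))
    print("match:", sheet_copy_matches_app(RFC6238_SEED, on_paper, now))
```

Running the test vectors from RFC 6238 Appendix B against `totp` is the quickest way to confirm your copy of the seed (and this code) is good before you rely on it.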