Someone entrusted their TOTP secrets to Google Authenticator and then lost their phone. (In this latest case they reset their phone, but the same result would occur if the phone crashed or went under the wheels of a truck.) GA is designed to effectively turn your phone into a hardware security token. If you have a new phone AND the old phone, there is a (recently added!) feature to allow the TOTP secrets to be moved (not copied) to the new phone.

As conceptually clean as this seems, I think in real life this use pattern is not practical. If my phone crashes, I don't want to have to reset the TOTP secrets for over a hundred logins. (Yes, about a third of my accounts have TOTP enabled.) And without preparation, you can't recover access to Bitwarden at all: you can't get a phone call or answer a security question like the name of your first school to restore access.

For all of your TOTP secrets, stop using Google Authenticator. Authy does rely on your phone number for its own 2FA, so make sure you have good authentication around your mobile carrier account as well. There are other TOTP apps as well that do a good job. For instance, you might like Aegis (don't forget to back up the database when you make changes).

Bitwarden itself can manage your TOTP secrets. You need a premium account to enable this. If you go this route, you should consider a very strong 2FA on the Bitwarden account. Note you obviously can't use Bitwarden to store the TOTP secret for Bitwarden itself! In any event, when you enable 2FA of any sort on a Bitwarden account, they give you a "recovery code". Print it on a piece of paper and store it in a safe place along with your birth certificate, vehicle title, and other important papers. Ideally print a second copy and store it off-site in case you have a house fire. While you are at it, consider putting the related information such as your email/master password, mobile carrier authentication secrets, and your Authy encryption password on those papers. There will be a day when someone will have to put your final affairs in order.

All of these precautions protect you from a "denial of service attack": perhaps I can't unlock your cell phone or decrypt your vault, but I might be able to really mess you up if I just smash the phone into pieces. It's not a matter of IF, it's a matter of WHEN.