the 2FA code for Gmail (your choice of SMS message, YubiKey, secondary email, etc.). So to have access to that huge cache of various website 2FA TOTP codes stored in my Bitwarden Vault, they would need 3 pieces of info. A hacker in my Gmail still couldn't access my Bitwarden vault (he could in theory get the 2FA code for my vault but not its password) and even if someone caught my Bitwarden password, they couldn't log into my vault without the 2FA code sent to my Gmail. Since my passwords for Bitwarden and for Google are different, and neither is stored in the other, I feel comfortable with that level of 2FA "security". The Google account is the 2FA for the Bitwarden vault. This is why, for my setup, I keep all my 2FA in Bitwarden except my Google account. So presuming I get access to their vault, it's not a big step into their token collection either. I'm sure there are people out there who would use say Google Authenticator to store their 2FA tokens, but then store their Google account credentials in their password manager. I think it really depends on your setup whether this is an issue or not. This isn't much different with using the LastPass Authenticator app. It kind of defeats one of the purposes of 2FA, in that if someone manages to get into your password manager, they can then also get into all your accounts without you needing to authorise the log ins. Thanks for the advice everyone! I’m super glad to be a part of the Bitwarden community now and to be contributing to a service that (hopefully) puts security and its users above profits! It worked out to just £7.50 here in the U.K., so a pretty great deal! I’ve transferred over my TOTPs and I’ve got to say, while there is definitely a theoretical compromise on security, it’s so bloody convenient! Having the 2FA code copied to the clipboard after auto filling the username and password is such a breeze! No need to check an app, just press CMD+V!
And I can see that your TOTP secret key is visible from the edit item view, so if I ever did need/want to change authenticator, I could do so pretty easily. UPDATE: I bit the bullet and purchased Premium. It seems super convenient, but also like a pretty major security compromise, since it kind of defeats one of the purposes of 2FA, in that if someone manages to get into your password manager, they can then also get into all your accounts without you needing to authorise the log ins. and as an aside, I’m curious as to the general consensus on using the inbuilt OTP feature. I’d really appreciate some insight from the community :) I’m very interested in the Premium plan, being such tremendous value (especially compared to LastPass Premium, which I’d never pay for in a million years since the LogMeIn price hikes!), but I’m wondering what happens if you were to stop paying for it? In particular, would any OTPs that have already been saved be deleted, or would they stay and you just can’t add any new ones? And likewise, do all attachments get deleted, or are you just barred from adding any new ones? You see, I’m all for supporting the dev, but I’m really uncomfortable with being held hostage by a service, and you never know what might happen in the future with respect to your personal and financial circumstances, so it’s reassuring to know that your data is safe no matter what. Bitwarden came to my attention a while back, and I love that it’s open source and super efficient. For the best experience, we recommend downloading the mobile app." But then once I am logged in I cannot access my Vault as it thinks I'm on a computer saying "Your active device type is mobile. I’m a long-time LastPass user, but worsening reliability and previously free features being paywalled is driving me away more and more. Before logging in he gets that I am on my phone as a message pops up saying: "It looks like you are visiting this page on a mobile device.
I thought maybe it's only possible to do it on a browser, so I tried to log in via my browser. I've been cleaning my vault and emptied some folders, but I can't find how to manage the folders (I would like to delete some & change or rename others) on the app. I changed my device type to mobile (free) as I am currently traveling and don't have a computer with me.