Does anyone use 1Password?

Our local bank doesn’t have MFA for browser account access; however, they do provide face recognition on their mobile app. They claim to have new online software coming this month, so maybe they’ll finally get up to speed.

Thank you for mentioning the Yubikey limitations. Don’t recall anyone else bringing this to light.

I don’t think you’re both talking about the same thing. I believe what he was saying is that you can’t use MFA for the password manager itself, which is the same thing I discussed before. MFA only works, for any password, if there is a site or server that is not the same one the password is being input on. If it’s all done on the same device, an attacker can basically ignore the MFA.

What you’re discussing is using the password out of the password manager and then using MFA as well. There are certainly password managers that can roll them all into one, but I think what you’re suggesting is that this is a bad idea, and I think I agree. This is a different topic than the safety of the password manager and whether you would use MFA to control access to it.

2 Likes

I’m confused here. What exactly do you mean by this? Are you saying NOT TO use MFA on your password manager because it has no value? It has value if someone has your password and tries to log in to the website of your password manager.

I understand that MFA does not in any way protect the database. If someone gets that binary blob, all they need to do is phish your password out of you, and they’re in.

The Yubikey was designed at a time when MFA was not as popular. Now that there are plugins for most major web forum software and for CMS software like Drupal and WordPress, adding TOTP support is as easy as dropping in a plugin and hitting apply.

That’s what got me to 52 different TOTP codes. And sites that support U2F with a Yubikey will almost always NOT allow you to turn off TOTP, so you still need it.

2 Likes

Correct: to the site you are authenticating against, you have MFA, but because they are both on the one device, if that device is stolen and cracked open (the thief can access your safe and authenticator because they are not locked when it is stolen, or they use one of the many bypasses for biometric protections) or hacked remotely, they have both your passwords and your MFA codes.

That is what I mean by not having MFA, if both are on the same device. If you have a physical token as the MFA, they need to steal both the device and the token to get access to your accounts - of course, through the apps on the device, they have access to most of your accounts anyway, as they are usually permanently logged in.

My bank (Kreissparkasse) uses a token generator: I have to stick my card into the device and then it reads a code off the screen, which includes the recipient’s account number and the amount of the transaction, and it generates a code for that one transaction that is unique. I also have to confirm the account number & value on the device before it generates the code, so no man-in-the-middle attack would work.

Our joint account (Deutsche Bank) uses an advanced QR Code (multi colour and much larger than a normal QR Code) to log in and to authenticate transactions; this is either a separate reader device, like my account, or an app on the smartphone.

Only partially; there have been various exploits of facial and fingerprint recognition over the years, or if they manage to steal the device in the window where you have unlocked the apps and they haven’t relocked. There is usually a small window, for convenience, where they remain unlocked, so you don’t have to constantly re-open them if you are swapping back and forth.

With some of the authenticator apps, which require FaceID or fingerprints, that is a half-way mitigation, but still not 100%. For normal use (device is clean and in your possession), it is safe and you have MFA. If the device is hacked or stolen, you basically have to consider the MFA bypassed and get the authentication tokens re-issued immediately, the same with changing all your passwords.

It comes back to the same old convenience versus security: you trade off some extra security for the convenience of not having to fish a second device out of your pocket to hold against your phone / plug into your computer to get the MFA token. As long as the device is in your possession and not hacked, it is fine. In the case the phone is hacked or stolen, they theoretically have your passwords and your tokens, so you have to assume both are lost and react immediately to reset both passwords and tokens.

I used the phrase to make people think, but it is just a “worst case” situation.

Actually, I was saying that if you have both on the same device, it negates the MFA, in the event the device is stolen or compromised. I do use MFA for my password safe - I use a Yubikey.

Accessing the safe from the provider’s website is protected by MFA; once you have access to the encrypted blob and can copy it, you no longer need the MFA.

i.e. if you are trying to brute force your way into someone’s cloud account, you need their MFA. If you have hacked the cloud of the password safe provider (à la LastPass), you already have the blob, so you don’t need to have the MFA token; you can just brute force the master password on the blob in your possession.

1 Like
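The card-reader flow described earlier in this thread (the code is computed over the recipient account and amount that the user confirms on the reader’s own screen, with a fresh challenge from the bank) is worth seeing as code, because it shows why a code bound to one transaction cannot be lifted by malware in the browser and reused. What follows is an added toy model, not code from the thread or from any bank: the `Bank`, `Transfer` and `reader` names, the HMAC-SHA256 construction, the 6-digit truncation and the card secret and IBANs are all constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    recipient_iban: str
    amount_cents: int


def reader_code(card_secret: bytes, transfer: Transfer, nonce: bytes, digits: int = 6) -> str:
    """Code the reader derives with the card's secret over the data the user just confirmed on
    the reader's own screen plus the bank's one-time nonce. Changing recipient, amount or nonce
    changes the code, which is what binds it to exactly one transaction."""
    msg = b"|".join([transfer.recipient_iban.encode(), str(transfer.amount_cents).encode(), nonce])
    mac = hmac.new(card_secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class Bank:
    """Toy backend: issues one nonce per transfer and checks the submitted code against the
    transfer it is actually about to execute, never against what the browser claims was confirmed."""

    def __init__(self, card_secret: bytes):
        self._secret = card_secret
        self._pending = {}  # nonce -> Transfer as received from the (possibly tampered) session

    def start_transfer(self, transfer: Transfer):
        nonce = secrets.token_bytes(8)
        self._pending[nonce] = transfer
        # The challenge shown to the reader carries the nonce and the transfer data for display.
        return nonce, transfer

    def execute(self, nonce: bytes, code: str) -> bool:
        transfer = self._pending.pop(nonce, None)  # one-shot: a replayed nonce is already gone
        if transfer is None:
            return False
        return hmac.compare_digest(reader_code(self._secret, transfer, nonce), code)


def reader(card_secret: bytes, nonce: bytes, shown: Transfer, intended: Transfer):
    """The user compares recipient and amount on the reader with what they meant to send and
    only presses OK when they match; otherwise the reader never produces a code."""
    if shown != intended:
        return None
    return reader_code(card_secret, shown, nonce)


def demo() -> dict:
    """Four constructed scenarios; every secret and account number here is made up."""
    card_secret = b"constructed-card-secret-not-real"
    bank = Bank(card_secret)
    intended = Transfer("DE00000000000000000000", 12_500)
    swapped = Transfer("DE99999999999999999999", 12_500)
    results = {}

    # 1. Honest transfer: the reader shows what the user intended, the code verifies.
    nonce, shown = bank.start_transfer(intended)
    code = reader(card_secret, nonce, shown, intended)
    results["honest"] = bank.execute(nonce, code)

    # 2. Submitting the same nonce and code again is refused.
    results["replay"] = bank.execute(nonce, code)

    # 3. Recipient swapped in the browser before submission: the reader displays the swapped
    #    IBAN, the user sees the mismatch and refuses, so there is no code to submit at all.
    nonce2, shown2 = bank.start_transfer(swapped)
    results["user_refuses"] = reader(card_secret, nonce2, shown2, intended) is None

    # 4. A code captured from an honest session is useless for a different transfer, because
    #    the bank recomputes it over the transfer and nonce it holds for that session.
    nonce3, shown3 = bank.start_transfer(intended)
    captured = reader(card_secret, nonce3, shown3, intended)
    nonce4, _ = bank.start_transfer(swapped)
    results["captured_code_on_other_transfer"] = bank.execute(nonce4, captured)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The property to notice is that the device holding the card secret never sees the browser’s version of the transaction, only the bank’s challenge, and the bank verifies against its own copy. Scenario 3 is the one that depends on the human actually reading the reader’s display, which is why the earlier post stresses confirming the account number and value on the device.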

If only the major sites would adopt it / there was an iOS app for it in the App Store. Even now it isn’t there as far as I can tell.

Update, May 21, 2024: The YubiKey blog announced an upgrade to firmware version 5.7 for newly purchased YubiKeys. [Firmware cannot be field-updated on YubiKey models.]

The firmware upgrade increases storage capacity from 25 to 100 passkeys and from 32 to 64 TOTP seed codes. It applies to the YubiKey 5 ($50) and the Security Key ($25) models.

Other enhancements include support for larger RSA keys (RSA-3072 and RSA-4096), Ed25519, and X25519 key types to comply with DoD memo requirements for stronger public key algorithms.

Note: A competitor, Token2, based in Switzerland, offers their latest hardware security key, T2F2-PIN+ Release2, with storage capacity of 300 passkeys, and 50 TOTP seed codes, price 23 Euros, plus shipping from Switzerland.

1 Like

Interesting; on my old YubiKeys I’d often have to install firmware updates to enable new features. I didn’t realise they had stopped doing that (I haven’t needed to add new features since around 2018).

I might give Token2 a try. I’ve been using YubiKey since around 2012 and my first YubiKey is still working; it is now a backup key, and I have a pair of 5s as well. I handed them out as presents to my family one Christmas.

Hmmm, I don’t think you would have been upgrading the keys themselves. As far back as version 1.0.9 of the firmware they had locked out changes. I know this because I sent some back for replacement back in like 2015. Security Advisory 2015-04-14

Perhaps you are referring to the companion Yubico Authenticator app. It was updated to version 7.0.0 on May 6, 2024.

I have a YubiKey 5. I am only using 3 passkeys so far. If I get close to the 25 passkey limit, then I will consider buying a new YubiKey with support for 100 passkeys, or buy a Token2 security key with support for 300 passkeys.

Unfortunately, many financial services businesses still do not support passkeys, YubiKey, or TOTP 2FA, only weaker 2FA methods by email or phone.

The $50 YubiKey 5 has more features and modes than I need or use. I could downgrade to the cheaper $25 Security Key and just have the needed passkey and TOTP 2FA support.

No, back in the day, I needed to activate MIFARE or something on the key and it involved unlocking the firmware, applying some code and locking it again.

I ordered the Token2 - I’ll let you know how it works, but I think the best place to store Passkeys is in your password manager. As far as I know BitWarden and 1Password support unlimited passkeys, right?

1 Like

I like this idea - how are you handling the synchronization between platforms? Are you doing a manual export/import on a regular basis?

At my company we use 1Password. The most interesting feature for us is that we can have vaults per project, and allow access to project members quite dynamically. This was a pain with KeePass which we used before that.

Compared with BitWarden, which I use at home, for FOSS reasons, it feels a bit more streamlined and simple to use.

1 Like

I am still umming and ahhing between BitWarden and 1Password for work, I like both, I like the open model of BitWarden, but have to take into account the simplicity and ease of use angles, as many of our users are non-technical.

(Our biggest problem is MFA at the moment, very few have a company phone, for example, where we can install Microsoft Authenticator, remotely, but most employees do not want any “work” apps “contaminating” their private devices. We have the OK to let them use an authenticator or password manager on those personal devices, but we cannot force them to.)

1 Like

An interesting thing has happened. Kolide - a long time sponsor - was acquired by 1Password, which folded it into their password manager for enterprise. Which means that we now have both Bitwarden and 1Password as sponsors.

Honestly, I’ve always thought both were excellent and have consistently mentioned 1Password as an alternative to LastPass, so I’m comfortable with it (in fact, I’ve had a 1Password account for more than a decade). I still use BitWarden as my daily driver, though.

(Although I’m increasingly using Apple’s Keychain on iOS. It’s just so darn convenient.)

2 Likes

You can run 1Password on your desktop computer, and add One-Time Passwords to your logins. That enables you to get your MFA token without a smart phone. The downside is that now your password and MFA token are in the same system, potentially making you vulnerable if 1Password is breached.

Yes, I use 1Password for some of the less critical OTPs, critical ones use either MS Authenticator or Google Authenticator or my Yubikeys.

The problem is getting people to use any sort of tool, whether it be on the desktop or on the phone… Monkey123 is easier than using a password manager…

I spent a lot of time training my non-techie wife to use Bitwarden. But even with my training, using Bitwarden to create a new password was a bit of work. 1Password made creating new passwords dead simple. The browser plugin does it for you.

It’s been close to a year since I used Bitwarden, so I don’t know if the Bitwarden browser plugin has gotten better. My account doesn’t expire till November 1st, so I should login and check it out.

The one thing both fail at is backups. When you share a password, it moves it out of your vault and into a shared vault. When you go into the password manager and want to export your passwords to back them up, you need to export each vault individually. I have 1 wife and 2 kids. So, my vaults are:

  1. Share with wife
  2. Share with Son 1
  3. Share with Son 2
  4. Share with All
  5. Share with Wife and Son 1
  6. Share with Wife and Son 2
  7. Share with Son 1 and Son 2
  8. My personal vault

To do a backup, I need to export all my vaults individually. I wish there was an option to export all my vaults together in one file. Then I could import them in KeepassXC as a backup.

It’s also quite convenient to use Bitwarden or 1Password to share 2FA codes with family members. Especially for sites that support 2FA, but won’t let you have more than one account, like my car loan.

1 Like
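The per-vault export problem in the post above (eight vaults, eight files, one KeePassXC import each) is easy to close with a short merge step, so here is one as an added example; it is not a feature of 1Password, Bitwarden or KeePassXC, and the column names `name,url,username,password,notes` for the source files and `Group,Title,Username,Password,URL,Notes` for the output are assumptions (real exports use their own headers, and KeePassXC’s CSV import lets you map columns, so adjust `parse_vault` to the headers in your files). The vault name becomes the KeePassXC group, so the shared/personal structure survives in the backup, and entries that are byte-for-byte identical in two vaults are kept once with the other vault recorded in Notes. The sample exports are constructed and contain no real credentials.

```python
import csv
import io

# Assumed header of each per-vault export (adapt to what your manager actually writes).
SOURCE_FIELDS = ["name", "url", "username", "password", "notes"]
# Column layout written for the merged file, in the shape KeePassXC's CSV import expects.
TARGET_FIELDS = ["Group", "Title", "Username", "Password", "URL", "Notes"]


def parse_vault(vault_name: str, csv_text: str) -> list:
    """Turn one vault's CSV export into target-shaped rows, with the vault name as the Group."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "Group": vault_name,
            "Title": r.get("name", ""),
            "Username": r.get("username", ""),
            "Password": r.get("password", ""),
            "URL": r.get("url", ""),
            "Notes": r.get("notes", ""),
        })
    return rows


def merge_vaults(exports: dict) -> list:
    """Merge {vault_name: csv_text} into one row list. Only entries whose title, username,
    password and URL all match are collapsed; the extra vault names go into Notes so the
    backup still says where each copy lived."""
    merged = {}
    for vault_name, csv_text in exports.items():
        for row in parse_vault(vault_name, csv_text):
            key = (row["Title"], row["Username"], row["Password"], row["URL"])
            if key in merged:
                existing = merged[key]
                sep = " " if existing["Notes"] else ""
                existing["Notes"] = f"{existing['Notes']}{sep}[also in: {vault_name}]"
            else:
                merged[key] = row
    return list(merged.values())


def to_csv(rows: list) -> str:
    """Serialise merged rows with the target header for a single KeePassXC import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=TARGET_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample exports standing in for the per-vault files; nothing here is a real credential.
SAMPLE_EXPORTS = {
    "Personal": (
        "name,url,username,password,notes\n"
        "Mail,https://mail.example,me,pw-A,\n"
        "Router,http://192.168.1.1,admin,pw-B,home\n"
    ),
    "Share with wife": (
        "name,url,username,password,notes\n"
        "Streaming,https://tv.example,family,pw-C,\n"
        "Router,http://192.168.1.1,admin,pw-B,home\n"
    ),
    "Share with All": (
        "name,url,username,password,notes\n"
        "Car loan,https://loan.example,family,pw-D,2FA shared\n"
    ),
}

if __name__ == "__main__":
    print(to_csv(merge_vaults(SAMPLE_EXPORTS)))
```

In practice you would read each exported file into the `exports` dict, write `to_csv(...)` to a file on an encrypted volume, import that once into KeePassXC, and then delete the plaintext exports, since the merged CSV holds every password in the clear for as long as it exists.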