Password managers and 2fa

Neil wrote about an issue he had with Bitwarden and storing TOTP codes. I thought I'd use it as an opportunity to document my own password manager / 2fa strategy.

Password manager

I use 1Password as my password manager. It's proprietary (boooo!) and expensive compared to Bitwarden or KeePass but I've made peace with both issues. I'm going through a season in my life where I just want my technology to work.

I find 1Password to be full-featured when compared to Bitwarden or KeePass. I like that 1Password supports many entry types. Of course, it can store passwords but also identities, secure notes, credit card details... just everything really and it does it in a nice, intuitive way.

TOTP codes

Even though 1Password supports storing TOTP codes, I choose not to do so. Doing so is missing part of the point of a second factor. I get the convenience vs security argument, and I believe having TOTP codes, even in your password manager, is probably more secure than not. However, it still puts more of your eggs into a single basket.

I use 2FAS on my iPhone to store TOTP codes as a second factor. Is that more secure than storing the TOTP codes in 1Password? I don't know; I'm not a security specialist. Separating those roles (passwords and TOTP codes) into different platforms is more resilient. Plus, in the super duper unlikely event that someone somehow got my 1Password database file/account and then somehow managed to get into it, they wouldn't have my TOTP codes and passwords. That's gotta count for something.

Recovery codes

I used to store my recovery codes in 1Password as well, but after reflecting, I felt that really missed the point of recovery codes. One purpose of recovery codes is that I can recover my accounts if I lose access to my passwords. Instead, I go old school here and print them out. I stick them into a manila folder in my fireproof safe when I think about it.

YubiKey

For critical services, I use YubiKeys as my second factor. I've only used these for about a month at the time of this post, but I've not had any problems. I have a YubiKey 5 nano in my sofa laptop, I have a YubiKey 5 that I keep upstairs, and then I keep another one on a necklace around my neck in case I need it for my phone.

Conclusion

What's your password/2fa strategy?
