Ask HN: How do you manage personal 2FA and password security?
4 points by loufe 49 days ago | hide | past | favorite | 4 comments
I use Bitwarden with Aegis for my OTP codes (as often as SMS 2FA is avoidable) but have always felt completely secure that if I lost my electronics, I'd keep access to my information. Bitwarden had no 2FA, just a high quality password, so that could be relied on so long as I didn't take unnecessary risks on any device on which I access Bitwarden.

However, Bitwarden just warned me they'll soon require 2FA and it got me wondering about a circular 2FA issue (since they suggested using email 2FA, which requires 2FA itself).

Should I store a USB key with my 2FA code strings from Aegis somewhere at my parents? Should I invest in 2 cloned physical (programmable) 2FA keys for accessing my master vault? Should I opt for FIDO2 keys?

What do you do?




What happens if hackers destroy Bitwarden's site and backups and cause its client to delete your local synced copies? :P

> Should I store a USB key with my 2FA code strings from Aegis somewhere at my parents?

Using my parents as a sample, they have a fire-safe, and most of those work by keeping the temperature from getting too hot for paper to ignite, which is hotter than what will ruin a USB stick. (In fact, a melting/flaming USB stick inside might ruin all the papers near it too.)

So I'd consider printing it out on paper (large font, multiple times repeats?) and storing that paper instead. You could even lightly-encrypt it with some "I can decrypt this in a line of Python" method, if you're feeling extra-paranoid.
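The "lightly encrypt it and print it" idea above, as an added example that is not code from the thread or from any of the tools named in it: a standard-library-only Python script that turns a constructed, Aegis-style `otpauth://` export line into a base32 blob grouped for printing, and reads it back. The cipher is scrypt for passphrase stretching plus HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen only because the standard library has no AES; for a real backup a passphrase-protected 7z archive (as in the reply below), gpg or age does the same job with reviewed code. The parts worth copying are the paper-friendly alphabet (base32 has no 0/1/8/9, so fewer transcription mistakes) and the authentication tag, which turns a typo or a wrong passphrase into a clean error instead of silent garbage. The sample secret is the common test value, not a real account.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed sample of what one line of an otpauth export looks like.
# The secret is a well-known test value, not a real account.
SAMPLE_EXPORT = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=Example&digits=6&period=30\n"
)

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(passphrase, salt):
    """scrypt stretches the passphrase; first 32 bytes encrypt, last 32 authenticate."""
    km = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF stream cipher (stdlib has no AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_for_paper(passphrase, plaintext):
    """Return a printable base32 blob laid out as: salt || nonce || ciphertext || tag."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    data = plaintext.encode()
    ct = _xor(data, _keystream(enc_key, nonce, len(data)))
    body = salt + nonce + ct
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()  # encrypt-then-MAC
    b32 = base64.b32encode(body + tag).decode().rstrip("=")
    # Groups of 4 characters, 8 groups per line: easy to read back from paper.
    groups = [b32[i:i + 4] for i in range(0, len(b32), 4)]
    lines = [" ".join(groups[i:i + 8]) for i in range(0, len(groups), 8)]
    return "\n".join(lines)


def decrypt_from_paper(passphrase, printed):
    """Inverse of encrypt_for_paper; raises ValueError on a typo or a wrong passphrase."""
    compact = re.sub(r"\s+", "", printed).upper()
    compact += "=" * (-len(compact) % 8)  # restore the base32 padding we stripped
    try:
        raw = base64.b32decode(compact)
    except Exception as exc:
        raise ValueError("not valid base32 (transcription error?)") from exc
    if len(raw) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    salt = body[:SALT_LEN]
    nonce = body[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = body[SALT_LEN + NONCE_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong passphrase or altered text")
    return _xor(ct, _keystream(enc_key, nonce, len(ct))).decode()


def roundtrip_ok(passphrase="correct horse battery staple"):
    """Self-check: encrypt the sample, decrypt it, compare."""
    blob = encrypt_for_paper(passphrase, SAMPLE_EXPORT)
    return decrypt_from_paper(passphrase, blob) == SAMPLE_EXPORT


if __name__ == "__main__":
    blob = encrypt_for_paper("correct horse battery staple", SAMPLE_EXPORT)
    print(blob)
    print(decrypt_from_paper("correct horse battery staple", blob))
```

Print the output of `encrypt_for_paper` in a large monospace font; the salt and nonce are fresh per run, so reprinting after a secret changes never reuses a keystream. Anyone restoring from the sheet needs only the passphrase and this script (or a reimplementation of the same few primitives), which is the "decrypt this in a line of Python" property the comment is after.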


Absolutely a fair counterpoint. I currently back up my Aegis 2FA codes and I guess I could do the same with Bitwarden.

Out of curiosity, do you actually store a paper copy in their safe?


Not of 2FA stuff, no. Currently I have only one (non-work) computer, so I don't have the same synchronization use-cases.

I use KeepassXC (not a remote service, so no 2FA) which is also wrapped inside a passphrase+AES encrypted .7z file, since I want to bundle it with other stuff like tax records.

In terms of backups:

1. Along with most of the rest of the disk, the .7z is backed up to a remote service, and I ought to have memorized the credentials for that buuuut I think I've forgotten.

2. I periodically make a copy of the encrypted stuff onto a rugged USB stick on my ever-present physical keychain. The USB stick also contains portable copies of the software needed for opening it. (Yes, there's an evil-maid-attack there if someone replaces those binaries.)

I figure this protects me from "apartment burns down" provided I can find a trustworthy computer to use. I might also be able to open it on my phone if I can find trustworthy apps.


KeepassXC, which does not require 2FA. Where possible, SSH keys.

The fundamental problem is that the Internet is not a "high trust" society, so security is onerous. There is no great solution. Sadly, passkeys are not an improvement.




