I’ve created two TOTP 2FA on two different YubiKeys. During the TOTP configuration process, the website gives me a password that I enter on the YubiKey configuration app.
Then, I do not store that password. But if I stored it on Bitwarden, I could easily create a YubiKey backup or set it on another app like ente.
I have not kept that password because I considered that it could easily compromise my security. I have kept the backup codes nonetheless.
Should I keep the TOTP configuration password that the website gives me when I tell it that I cannot scan the QR code?
> But if I stored it on Bitwarden, I could easily create a YubiKey backup or set it on another app like ente.
If you do that, you could just use Bitwarden’s TOTP functionality directly.
I don’t do that myself for important accounts as it effectively collapses 2FA into a single factor, but it’s an individual security/convenience tradeoff in the end.
I’d rather keep passwords, TOTP and backup keys in different services because I never saw the point of keeping them together with the passwords as you explain.
With the YubiKey, TOTP has become more convenient and more secure than it used to be with Authy and then Ente. But maybe I should consider integrating them for most accounts.
That's reasonable, but then you can't store the TOTP setup code in your regular password manager (and vice versa, if you do, that's not different from just using the PW manager's native TOTP calculation feature).
The advantage of using the Yubikey for TOTP is that (I believe) there's no way to extract the setup secret from it, so even if somebody gains temporary access to it, they can't exfiltrate your future OTPs and would have to attempt a log-in right there and then. Storing the secret in a recoverable way negates that property.
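An added illustration of the point in the reply above, not code from anyone in the thread: the "password" the website shows when you cannot scan the QR code is the base32-encoded TOTP seed, and whoever holds that seed can compute every future code with nothing more than HMAC and a clock (RFC 4226 HOTP / RFC 6238 TOTP). That is exactly what a YubiKey's non-extractable secret prevents and what a copy in a password manager gives back. The seed used here is the constructed RFC reference secret "12345678901234567890", not a real account's seed; the function names are my own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example seed: the RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
# A real setup key is the same kind of value, just base32-encoded, e.g. "gezd gnbv gy3t qojq ...".
SEED = b"12345678901234567890"


def seed_from_setup_key(setup_key: str) -> bytes:
    """Decode the manual-entry key a site shows instead of the QR code (base32, spaces/case ignored)."""
    cleaned = setup_key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore base32 padding that sites usually strip
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, algo)


def future_codes(secret: bytes, start_time: int, count: int, step: int = 30):
    """What a seed holder can precompute offline: the valid code for each of the next `count` windows.

    There is no interaction with the account or the token; the seed alone determines every code.
    """
    return [(start_time + i * step, totp(secret, start_time + i * step, step)) for i in range(count)]


if __name__ == "__main__":
    import time
    key = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"  # base32 of the constructed SEED above
    assert seed_from_setup_key(key) == SEED
    for t, code in future_codes(SEED, int(time.time()), 3):
        print(t, code)
```

The practical reading of this: a stored seed is a second password, not a second factor, so the YubiKey-only setup plus offline backup codes (which are single-use and cannot derive future codes) keeps the property the reply describes, at the cost of having to re-enrol a replacement key.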