Scala compiler engineer for embedded HDLs by profession.

I also trickjump in Quake III Arena as a hobby.

  • 0 Posts
  • 1 Comment
Joined 1 year ago
Cake day: June 13th, 2023

  • U2F on Bitwarden, in principle, doesn’t guard against attackers breaking into your accounts, as the Yubikey serves as a second factor during the authentication stage when the Bitwarden app retrieves the encrypted vault. Unless you combine a static secret from the Yubikey into the master password of the vault, an attacker could, in theory, steal your encrypted vault from the central Bit/Vaultwarden server or from any device that has already downloaded it (note that if this device is your phone, all conventional TOTP is thwarted anyway, so in general phones are the most lucrative target here). From there, the strength of your master password becomes the only thing separating an attacker from access to all of your online accounts.

    I’m not saying that it’s a bad practice and you absolutely shouldn’t do it — I do it myself, as I trust the security of Bitwarden’s servers and my devices to keep my vault safe. The salient point here is that the burden lies on online services to upgrade their outdated security options to support U2F, not on us settling for an objectively inferior 2FA option because these services are too lazy and slow.
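The threat model in the comment above, as an added illustration that is not the commenter's code and not Bitwarden's real vault format or KDF parameters: a toy client-side-encrypted vault whose key is derived with PBKDF2 from the master password (optionally with a static secret appended, as a Yubikey's static-password slot would type it). An attacker who has stolen only the encrypted blob never touches the server-side login, so the U2F step never runs; they guess master passwords offline and check each guess against the blob's tag. The sample vault, email, wordlist and "Yubikey" secret are all constructed, and the iteration count is kept low purely so the demo runs quickly.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Toy model of a client-side-encrypted vault. Constructed for illustration;
# NOT Bitwarden's real format, KDF, or iteration count (kept low for speed).
KDF_ITERATIONS = 2_000


def derive_vault_key(master_password: str, email: str, static_secret: str = "") -> bytes:
    """Derive the vault key from the master password with PBKDF2-HMAC-SHA256.
    If a static secret is given (e.g. one typed by a hardware key), it is
    appended to the password and therefore becomes part of the key material."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        (master_password + static_secret).encode(),
        email.lower().encode(),  # salt, as a toy stand-in for a per-user value
        KDF_ITERATIONS,
        dklen=32,
    )


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: just enough of a stream cipher for the demo."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC with the derived key; this blob is what syncs to the server
    and to every logged-in device, i.e. what the attacker steals."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_vault(key: bytes, blob: dict) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong (tag check fails)."""
    expected = hmac.new(key, blob["nonce"] + blob["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], ks))


def offline_guess(blob: dict, email: str, wordlist: list, static_secret: str = "") -> Optional[str]:
    """What an attacker holding only the stolen blob can do: try candidate master
    passwords offline. No server and no U2F challenge is involved, so the second
    factor cannot interfere. The attacker is assumed NOT to have the hardware
    key's static secret, so they try every candidate with the secret they do
    have (by default, none)."""
    for candidate in wordlist:
        key = derive_vault_key(candidate, email, static_secret)
        if decrypt_vault(key, blob) is not None:
            return candidate
    return None


def demo() -> dict:
    email = "user@example.com"  # constructed
    vault = b'{"github": "hunter2", "bank": "correct horse"}'  # constructed sample vault
    wordlist = ["password", "letmein", "Summer2023!", "qwerty"]  # constructed mini-dictionary
    weak_password = "Summer2023!"
    yubi_secret = "cccccbcgvjhtfhcvgjtvldhluljdhcjuvukfhelurcd"  # constructed, not a real key output

    # Case 1: weak master password on its own; U2F only protects the login step.
    weak_blob = encrypt_vault(derive_vault_key(weak_password, email), vault)
    # Case 2: same weak password, but the hardware key's static secret is mixed in.
    mixed_blob = encrypt_vault(derive_vault_key(weak_password, email, yubi_secret), vault)

    return {
        # attacker recovers the master password from the stolen blob alone
        "weak_password_cracked": offline_guess(weak_blob, email, wordlist),
        # same wordlist fails because the secret is now part of the key material
        "mixed_secret_cracked": offline_guess(mixed_blob, email, wordlist),
        # the legitimate user, who has the key, still opens the vault
        "owner_can_open_mixed": decrypt_vault(
            derive_vault_key(weak_password, email, yubi_secret), mixed_blob
        ) == vault,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the demo is where the factor lives: a U2F assertion is consumed by the server during login and never enters the key derivation, so once the ciphertext has left the server (or a synced device) it contributes nothing. A static secret appended to the master password does enter the derivation, which is why the same dictionary fails against the second blob; the cost is that losing the key means losing the vault, and the secret is only as safe as the devices it is typed into.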