If you lose your phone you won't be able to log in unless you swap the SIM for a new one. Also you could permanently lose your phone number. It is always preferred to use any Authenticator App (Authy/Aegis/AndOTP/Google Authenticator/Microsoft Authenticator) which has a backup/export option for your TOTP. Authy stores it in their server so it is easier to retrieve it on a new device. Otherwise you can always manually export and store it on your hard drive. Also it is a bad practice to store TOTP in the Password Manager app itself like Bitwarden; that defeats the purpose of 2FA, meaning if your password manager is compromised your 2FA will be too.

True Story: My friend had his phone number set as Google 2FA. He moved to a different country for an onsite job for 2 years. When he returned and tried to log in, it asked for 2FA and his old phone number was already deactivated and allocated to someone else due to no usage for a prolonged period. Luckily he still had his brother's PC where he had logged in earlier, so it let him log in and change 2FA.

Many attacks occurred in the wild where attackers would social engineer a new SIM card from your phone service provider, then be capable of receiving your 2FA texts. This is one of the key ways attackers regularly steal Twitter accounts or defeated 2FA in the Fappening.

As such this isn't true 2 Factor Authentication (something you know and something you physically have) and is rather referred to as Multi Factor Authentication (2 proofs before access).

Example: an attacker must know your password and the token sent through text. What protects your account for your cellphone provider, and as such prevents a new SIM from being sent? A password. Some providers have systems in place to text your phone before allowing a password reset or login, but they also have ways to get around that in the event you lose your phone. So if someone is capable of getting into your cell provider account, they are capable of defeating all MFA linked with that number.

It's better to use physical hardware for a second factor (Yubikey, etc.) or a token generator like Authy (free backups, and a good security model) or Google Authenticator.

I have experience with both: Bitwarden Premium and LastPass Enterprise

Bitwarden is completely open source. Personally I like the user experience the most, since to me it is more handy and understandable.

Bitwarden also supports 2FA through TOTP. When you click on a credential, it will auto fill it for you and add the 2FA code to the clipboard for you to paste into the field later on. Something else that's quite handy is adding multiple URLs to an item.

The current UI looks quite old, however they're updating it. At least the administrative sections are being updated one by one, so I guess it will reach the vault any time soon. In LastPass, you have a dropdown for each password where you select the credential you want. Having multiple URLs for an item is a pain; in the Enterprise version you need to add "domain aliases" or something, users can't do it from the item itself.

I think I simply prefer Bitwarden's UI/UX, but there's nothing wrong with LastPass at all IMHO. This is also a very good article, however it's enterprise focused.