
Just a question... what's easier in usage for better password management? And nowadays most common, and workable? [Also when passwords/keys are not stored by accident and/or forgotten.]

Passkeys, 2FA (with apps like Google/Microsoft Authenticator) or a password manager (e.g. LastPass, Dashlane, KeePass or alike)? Or a combination of these [or alternatives, such as 2FA with a password manager]?

And can this also be configured on OS level (Windows in this case)? I do have a fingerprint reader; is this sufficient, or is third-party tooling needed to get it working?

https://www.neowin.net/forum/topic/1430196-passkey-vs-2fa-vs-password-manager/

In short... I use a password manager with just a password (totally offline, which is more secure than password managers that store stuff online), and on Google I use a YubiKey. I avoid 2FA that uses smartphones, since I don't like using smartphones for anything besides looking something up online real quick. But when I am online in general (doing anything besides looking up something real quick) I am pretty much always on a proper computer (desktop).

 

-For general password management... a typical password manager is all you need (pwsafe.org in my case, which I have been using since about the late 2000s, as it works on Windows/Linux etc. and it's totally offline, so you don't put your trust in a company that could get hacked and your password database exposed). Note: if you think you may forget your password, I suggest writing it down on a piece of paper and storing it in a secure location. This way, even if you forget, you are covered, and the risk of someone getting hold of it from writing it down should be minimal if you put it in a location people generally ain't going to have access to.

-For signing into a limited number of websites that support it... I use a YubiKey. This is optimal, but since it's not free I can easily understand why many won't use it, especially since you need two of them at minimum, and I would not be a fan of this method unless you can get them cheap enough, say $40 tops. I got mine at a decent discount a while ago, as I think it was somewhere around $30 for two of them, but the last I checked, off the top of my head, it's probably more around $50 for two nowadays, possibly less if you can get a discount. I have never been a fan of authenticator programs etc. I avoid smartphones for doing stuff online (especially anything beyond looking up something quick) as a general rule, so anything that requires these, I just outright don't use.

But personally I think using 2FA on a password manager is more trouble than it's worth, because the way I see it, if your computer became compromised it probably ain't going to be difficult for that shady person to get hold of your passwords etc. at that point. So the key is... make sure your devices stay virus-free, and you are secure enough with a typical password manager with a password on it.

Thanks. So no "real" need for a passkey with a password manager?

Password manager & 2FA if/when applicable can be sufficient.

Like I said, I have a fingerprint reader to log into Windows (and to use as biometric unlock on Dashlane).
Plus Google/MS Authenticator for certain (gaming) apps.

For most of my 2FA and password managing, I use 1Password, simply because I am able to incorporate my 2FA codes as well as my login details all in one app. You do have to pay a subscription for it, but I think it's 100% worth it, as you can incorporate anything in it.

I use MS Authenticator for my 365 logins, but the rest I have within 1Password.


I use Bitwarden and always use 2FA when I can. It copies the 2FA code to the clipboard so you can paste it right in after filling in credentials. It's the easiest form of 2FA I find. No need to pick up another device.

If you are in security like me and hate that habit (it saves me time), use 2FA on a secondary device like Raivo on iOS or whatever is on Android. Technically it's better to do this to prevent things like malware getting both from your BW add-in/memory if it gets onto your system.

YubiKey is also good; I highly recommend the YubiKey Bio, plus having a backup stored somewhere offsite. I recommend keeping an encrypted backup of your passwords as well, like having a quick process to export from Bitwarden into a KeePass vault, so that if BW is down you can quickly get up and running with a recent backup.

On 12/06/2023 at 13:59, MJay said:

For most of my 2FA and password managing, I use 1Password, simply because I am able to incorporate my 2FA codes as well as my login details all in one app. You do have to pay a subscription for it, but I think it's 100% worth it, as you can incorporate anything in it.

I use MS Authenticator for my 365 logins, but the rest I have within 1Password.

Login details (username/password) and 2FA are separate by design for security. Tying both together under one service defeats the point and, to me, is insecure.

On 07/07/2023 at 22:08, SouthGate said:

Login details (username/password) and 2FA are separate by design for security. Tying both together under one service defeats the point and, to me, is insecure.

You're not wrong, but I'll offer a counterpoint--

Think of it like a "good/better/best". It's better to have 2FA stored in the same password manager than to have no 2FA at all. It's better still to have it in a separate product, and best to have that product be biometric and hardware-separate from your electronics (like a YubiKey). Security is always a scale of ease-of-use to risk acceptance, so it's hard to advocate "better" or "best" security when the risk is low, but it's still best practice.

There are contexts where even having 2FA within the same password manager will legitimately help you, for example when a password is compromised, which does happen all the time; simply having the 2FA in place is a level of protection. That's what we're really talking about here: not that 1Password is compromised in and of itself, but that your password to Joe's Pizza Shack is compromised because Joe's Pizza Shack has cruddy security. 2FA will prevent the use of your account; it doesn't matter where that 2FA "lives".

So I'd still advocate 2FA within a product like 1Password if someone has no 2FA at all. There's room to grow after that.
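The two positions above (2FA secrets belong in a separate product vs. 2FA in the vault still beats no 2FA) both come down to one mechanical fact: a TOTP code is just an HMAC over the current 30-second counter using a shared secret, so whoever holds that secret can mint valid codes. The following is an added example, not code from any poster or from 1Password/Bitwarden; it implements RFC 6238 TOTP with the Python standard library and walks through the threat models from the thread. The vault entries, the account, and the reference secret (the RFC 6238 test key "12345678901234567890" in base32) are constructed test data, not real credentials.

```python
"""Where the TOTP secret lives decides who can mint codes (added example, RFC 6238)."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret "12345678901234567890", base32-encoded (constructed test data).
SHARED_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30  # seconds per TOTP time step


def totp(secret_b32, for_time=None, digits=6, step=STEP):
    """RFC 6238 TOTP: HMAC-SHA1 of the time-step counter, dynamically truncated."""
    pad = "=" * (-len(secret_b32) % 8)                      # base32 needs 8-char groups
    key = base64.b32decode(secret_b32.upper() + pad)
    if for_time is None:
        for_time = int(time.time())
    counter = for_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_accepts(submitted_code, secret_b32, now, window=1):
    """Relying-party check: current step plus one either side, constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + d * STEP), submitted_code)
        for d in range(-window, window + 1)
    )


# Constructed vault entries for the same account. The only difference is whether
# the TOTP secret sits in the vault next to the password (1Password/Bitwarden
# "authenticator" field) or lives on a separate phone app / hardware key.
VAULT_2FA_INSIDE = {
    "user": "alice",
    "password": "correct-horse-battery-staple",   # constructed, not a real password
    "totp_secret": SHARED_SECRET,
}
VAULT_2FA_SEPARATE = {
    "user": "alice",
    "password": "correct-horse-battery-staple",
    # totp_secret deliberately absent: the vault never held it
}


def attacker_with_vault_copy(entry, now):
    """Malware that read the whole vault (SouthGate's objection): it gets the
    password, and a valid code only if the TOTP secret was stored alongside it."""
    if "totp_secret" in entry:
        code = totp(entry["totp_secret"], now)     # attacker mints a fresh code
    else:
        code = "000000"                            # best they can do is guess
    return server_accepts(code, SHARED_SECRET, now)


def attacker_with_leaked_password(now):
    """Joe's Pizza Shack leaked the password (the counterpoint's scenario): the
    attacker has no TOTP secret, wherever it lives, so the code is a guess."""
    return server_accepts("000000", SHARED_SECRET, now)


def legitimate_login(entry, now):
    """Alice logging in with her password and a code from wherever her secret is kept."""
    return server_accepts(totp(SHARED_SECRET, now), SHARED_SECRET, now)


if __name__ == "__main__":
    t = 59  # RFC 6238 test-vector time; real use passes int(time.time())
    print("code at t=59:", totp(SHARED_SECRET, t))
    print("vault copy, 2FA inside  :", attacker_with_vault_copy(VAULT_2FA_INSIDE, t))
    print("vault copy, 2FA separate:", attacker_with_vault_copy(VAULT_2FA_SEPARATE, t))
    print("leaked password only    :", attacker_with_leaked_password(t))
    print("legitimate login        :", legitimate_login(VAULT_2FA_SEPARATE, t))
```

Run against the RFC 6238 test vectors, `totp(SHARED_SECRET, 59)` is `287082` and `totp(SHARED_SECRET, 1111111109)` is `081804`. The two attacker functions make the thread's disagreement concrete: a stolen vault with the secret inside yields a working login, a stolen vault without it does not, and a password leaked from a third-party site is stopped either way, because that attacker never had the secret to begin with.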
