
Yubikey in a safe deposit box is about as good as we can get, at least for the services that allow it.


I've always wondered how people manage this in practice. It seems great if you never sign up for anything new, but I end up creating one account per week or something. How do you keep the key in your safe deposit box current?


The problem with this tactic is the need to go get the Yubikey every time you make a new account.


Actually, this is now a solved problem. Root-of-trust pattern.

- Use Bitwarden or similar

- Set BW to recognize the Yubikey as one (of several, incl. TOTP ('Authenticator') code) second factor.

- On all other sites and services, generate passkeys (which are essentially virtual yubikeys) and save them in BW.

- In BW, save the password and TOTP. BW itself, on another device (or in a separate incarnation - e.g. the desktop app when authenticating the browser extension) is now your everyday means of authenticating to BW.

- BW-stored passkey is now your standard means of authentication for e.g. GitHub, Google, etc

- Put the yubikey in a safety deposit box

- Bravo, you have a very professional trust system


Apologies for asking you to repeat yourself. I'm not following this step.

"In BW, save the password and TOTP. BW itself, on another device (or in a separate incarnation - e.g. the desktop app when authenticating the browser extension) is now your everyday means of authenticating to BW."

Can you rephrase it and be specific which passwords and TOTP you mean?


So Bitwarden can store _the password and TOTP for Bitwarden itself_. (!) I actually keep this in an entry entitled 'How meta!' because I'm cute and silly.

So, let's say you're sitting down in front of a fresh install of Bitwarden. You can go to your phone in your pocket and get the password and TOTP and then set Bitwarden to not require a password for 30 days.

Similarly, let's say you've installed the desktop app for Bitwarden but not yet the browser extension. You can look up the BW password and TOTP in the desktop app and use that to authenticate the browser extension. Or vice versa! T


Store only the backup key. It would be crazy to have a single key.


Can we use multiple Yubikeys for a service?


I use 2 yubikeys. I registered both on multiple services. So… yes, it is possible. One key is a backup if the other key stops working.



