by xxpor 1942 days ago
My threat model isn't a directed attack, it's DB dumps with unhashed or unsalted passwords from random websites. I want to use a unique password on every site, and password managers provide a convenient way of doing that.

Even if every BW vault leaked, if it takes half a day to run through 8 a-zA-Z0-9, it's not practical to do that for every vault. On the other hand, if I'm being targeted, even increasing that to a month wouldn't really matter.

Every "critical" site I use also supports u2f 2fa, which I've turned on. So even if they got my passwords, there's the 2nd factor they don't have.

tl;dr: Just use a damn password manager, even one that has arguable issues such as this improves the average person's security by orders of magnitude.


> Every "critical" site I use also supports u2f 2fa, which I've turned on.

What US bank do you use that supports U2F, or do you not include banking in "critical"?

Banks might not support u2f, but they pretty universally support some form of 2FA (I think certain things like PCI require it, but not sure on exact regs).

It might not be quite as good, but email 2FA behind U2F-protected email gets you pretty close.

Most support only SMS as security theater, which is worse than useless because it fosters a false sense of security.
My good bank (First Direct) gave me a physical OTP code generator, so I need a PIN and the physical device to get codes which are needed to log in. Once upon a time read-only activities like "Check balance" didn't need a code, but they got rid of that functionality because it's presumably a security risk with little benefit.

The same physical device constructs confirmation codes (proving I know the PIN) for specific inputs, like if I want to send money somewhere I've never sent it before or a much greater amount of money than usual.

However, unlike U2F or its modern successor WebAuthn, that's still in principle vulnerable to phishing: if thirstdirect.example pretends to be firstdirect.example and I don't notice, the codes I give to the wrong site work on the real one.

I don't know about the US but Barclays in the UK has had multi-factor authentication for years now. Is that not the case in the US?

If it is TOTP/HOTP based rather than U2F (6-digit codes), it is vulnerable to real-time spoofing.
U2F is a specific type of 2FA/MFA.

They are not congruent.

U2F is (as its full name "Universal Second Factor" would suggest) specifically only a second factor, it doesn't make sense as your first or only factor.

WebAuthn can replace the entire authentication, because it can perform multi-factor authentication locally and then send a claim to have done so, optionally backed by attestation from a vendor saying they promise the multi-factor authentication is done by their product. For example an iPhone can have one press sign-in to web sites or apps using this technology.
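The two claims above, that a relayed OTP code works on the real site while a relayed U2F/WebAuthn assertion does not, and that WebAuthn can carry a "user verified" claim, come down to what the server actually checks. The following is an added illustration written for this thread, not code from any commenter or from a real bank or WebAuthn library. It simulates the relying-party side of an assertion check (origin, rpIdHash, UP/UV flag bits, signature over authenticatorData || SHA-256(clientDataJSON)) next to an RFC 4226 HOTP check. The relying-party name `firstdirect.example`, the phishing name `thirstdirect.example`, the credential key, the challenge and the HOTP secret are all constructed; the authenticator's asymmetric signature is replaced by an HMAC stand-in so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json
import struct

# Constructed relying-party identity (assumption, not any real bank's configuration)
RP_ID = "firstdirect.example"
ORIGIN = "https://firstdirect.example"

# Constructed secrets and challenge (placeholders for this example only)
CREDENTIAL_KEY = b"constructed-credential-key"
CHALLENGE = "Y2hhbGxlbmdlLTEyMw"      # would be random per login in a real RP
HOTP_SECRET = b"12345678901234567890"  # RFC 4226 test-vector secret


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def make_authenticator_data(rp_id: str, user_present=True, user_verified=True, counter=1) -> bytes:
    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian)
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", counter)


def authenticator_sign(origin: str, rp_id: str, challenge: str, user_verified=True):
    """Simulated authenticator: it signs whatever origin/rpId the *browser* reports.
    The signature is an HMAC stand-in for the real ECDSA/EdDSA signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    auth_data = make_authenticator_data(rp_id, user_verified=user_verified)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return client_data, auth_data, sig


def verify_assertion(client_data: bytes, auth_data: bytes, sig: bytes, require_uv=False):
    """Relying-party checks in the order a real RP performs them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != CHALLENGE:
        return False, "challenge mismatch"
    if cd.get("origin") != ORIGIN:          # this is what defeats the relay
        return False, "origin mismatch"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    flags = auth_data[32]
    if not flags & 0x01:
        return False, "user not present"
    if require_uv and not flags & 0x04:     # WebAuthn "UV" bit: local PIN/biometric done
        return False, "user not verified"
    expected = hmac.new(CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def bank_verifies_otp(counter: int, submitted_code: str) -> bool:
    # The server only ever sees a 6-digit string; nothing in it says where it was typed.
    return hmac.compare_digest(hotp(HOTP_SECRET, counter), submitted_code)


def scenario_legitimate_webauthn(require_uv=False):
    cd, ad, sig = authenticator_sign(ORIGIN, RP_ID, CHALLENGE)
    return verify_assertion(cd, ad, sig, require_uv=require_uv)


def scenario_phished_webauthn():
    # User is on the look-alike site; the browser reports that origin, and the
    # attacker relays the resulting bytes to the real relying party.
    cd, ad, sig = authenticator_sign("https://thirstdirect.example", "thirstdirect.example", CHALLENGE)
    return verify_assertion(cd, ad, sig)


def scenario_phished_otp(counter: int = 0) -> bool:
    # User types the current code into the look-alike site; attacker relays it in real time.
    code_typed_on_phishing_site = hotp(HOTP_SECRET, counter)
    return bank_verifies_otp(counter, code_typed_on_phishing_site)


if __name__ == "__main__":
    print("legit WebAuthn:", scenario_legitimate_webauthn())
    print("relayed WebAuthn:", scenario_phished_webauthn())
    print("relayed HOTP accepted:", scenario_phished_otp())
```

In a real browser the relay of a WebAuthn assertion fails even earlier: the credential is scoped to `firstdirect.example`, so it is never offered on `thirstdirect.example` at all. The origin check shown here is the server-side backstop for the same property, and it is exactly what a six-digit OTP lacks. The `require_uv` path is the "multi-factor done locally" claim from the comment above: the authenticator sets the UV bit after its own PIN or biometric check, and the relying party can insist on it.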

What do you use for 2FA tokens?

YubiKeys (4 I think? It's been a while since I bought them)