Ask HN: Best password manager, 2FA, and recovery code strategy?
2 points by gtbcb 902 days ago
I like the idea of using a normal-ish, commercial password manager; however, I don't like the idea of also having 2FA and recovery codes in that same password manager in case another LastPass situation happens.

What would you all recommend? 2 or 3 different password managers (or perhaps 2 or 3 different accounts with the same password manager?), one for passwords, and one for 2FA and potentially another one for recovery codes? Any best practice resources / websites?

I feel like I've read on HN people doing some really complicated stuff, and I'm not super interested in that. I want something that balances convenience with security and not having all my eggs in one basket. Convenience includes being able to relatively easily access the separate 2FA codes as some sites now require them all the time.

One situation I'm concerned with is someone stealing my phone at gunpoint and demanding the passcode and / or my password manager password. That would basically give them keys to the castle.

Additionally, if someone were mildly sophisticated, they could kidnap you, demand relevant passwords, but also make you go through your email searching for the various banks, and then force you to log in to those and drain the accounts.

Lastly, would you all support adding a PIN code to your phone to prevent stealing of your eSIM?

1 comment

Targeted kidnapping and coercion to extract passwords is not part of the threat model for the overwhelming majority of people.

Likewise for being forced to unlock your phone at gunpoint to get at your accounts. People who are committing individual armed robbery to get valuables are doing it for the raw goods, not as an input to get into your accounts. They’re gonna take the phone, try to flip it, then burn up some charges on your credit cards before the bank cancels them.

I have passwords in 1Password. MFA for sites I don't really care about goes in 1Password, as do recovery codes for those accounts. Any accounts that matter, MFA is on my phone and YubiKey. Recovery codes are on index cards in a physical safe.

Thanks. For accounts that matter, what do you mean when you say MFA is "on my phone and yubikey"?

Which accounts do you consider important? Email, apple / google, banks, cell phone carrier, what else?

For me, "important" basically means "if somebody somehow stole my 1Password vault and had access to its contents, it would be logistically problematic for me that they'd have the MFA for this account". So email, banks, cell phone / DNS hosting / etc., but also things like my MFA for Slack, PyPI, Steam, etc.

Things that aren't important are accounts like my rewards account w/ airlines, various forums / etc where there's MFA but it's less valuable than the password vault itself.

For MFA enrollment, my basic approach is:

1. If the site supports FIDO2/U2F, I enroll a YubiKey in that.

2. If it supports multiple FIDO2/U2F devices, I enroll 2 other YubiKeys (my primary YubiKey is USB-C, then I've got a USB-A and a backup USB-A).

3. If the site supports TOTP, I generate a TOTP key and enroll my phone's TOTP app

4. For sites I'm likely to need to log into a lot, but that don't support multiple FIDO2 devices, I also enroll my YubiKey as a TOTP device (https://www.yubico.com/products/yubico-authenticator/ for reference). I don't do this for every site because the YubiKey has a finite number of slots for TOTP secrets.