I’ve been thinking about getting a couple of Yubikeys for a partner and myself, but we share certain accounts. While I would love to have the Yubikey 5 that can store TOTP, that seems like it could be problematic for shared accounts.

Would using the cheaper Yubico Security Keys to unlock Bitwarden Premium vaults, that use a Shared Organization, be a better/more sane option than trying to sync up TOTP secrets every time a new shared account gets added? Any other critiques or suggestions?

  • Telorand@reddthat.comOP
    link
    fedilink
    English
    arrow-up
    2
    ·
    4 months ago

    So let’s say I’m at work, I set up NewAccount to use Yubikey A. Partner has Yubikey B and isn’t nearby. How would I share or retrieve that secret key later? My understanding is that’s not possible if it’s stored on the key, but maybe I’m wrong.

    • girsaysdoom@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      4 months ago

      If you’re just storing the password on the key then, no you can’t get it unless you have the key. The main usage (arguably) for a yubikey is the FIDO2 auth method where you add those keys as MFA methods. That would allow access using either key.

      • Telorand@reddthat.comOP
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        Thanks, that’s kind of what I was thinking.

        Sounds like a YK5 might still be a viable use case, but I’d have to do a deeper analysis of what account 2FA secrets would need to be shared versus which can be relegated onto individual keys and safely lose that “always accessible anywhere” trait.

      • MostlyBlindGamerA
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        I think of that like putting multiple things in the same basket, but putting two locks on that basket.

    • MostlyBlindGamerA
      link
      fedilink
      English
      arrow-up
      2
      ·
      4 months ago

      I’m not evaluating whether or not you should do that, but, assuming you trust your partner and their op sec, you could send them the secret via a disappearing message on Signal or some other E2E encrypted communication method.

      You set it up on your key, they add it to theirs later, the secret disappears into the ether.

      • Telorand@reddthat.comOP
        link
        fedilink
        English
        arrow-up
        2
        ·
        4 months ago

        Something to consider, certainly. Might be more complexity than my partner is willing to handle, but I’ll have to have that conversation with them.