Over the past few weeks, I have spent a lot of time thinking about how to structure my security plan based on a password manager, just two/three strong master passwords and the use of physical U2F keys such as YubiKey. Without going into too much detail, a part of my plan would necessarily include the following:
I have a password manager that stores passwords to all my online accounts (apart from the main email used for registering such accounts). For reasons connected to other parts of my plan:
- these individual accounts if possible will be secured by the traditional 2FA only, where a 30-second code is generated using a phone app.
- the manager itself will be secured with a physical U2F key only.
The reasoning behind this was as follows. Consider these two unlikely scenarios:
- My master password to the manager and my phone with the 2FA app get stolen. Because the manager can be accessed with the U2F key only, I’m safe.
- My master password and the U2F key get stolen. The attacker is able to log into the manager, but because the accounts whose passwords it stores require the 2FA code, I’m safe since the attacker doesn’t have my phone. (They’ll only be able to access the websites that don’t have the 2FA option, but we disregard these as unimportant here).
However, reading Dashlane and 1Password technical support pages, the way I understand them is that to add a key to my manager, I also need to first enable the code-based 2FA (perhaps that’s not the case, but the information was not clearly conveyed). Keeper seems to support U2F without enforcing such 2FA. LastPass does not seem to support U2F in the first place, only OTP.
The reason why I’m worried about this is:
- My master password and phone with the 2FA app get stolen. If both 2FA codes and U2F are enabled for the manager, the attacker is now able to get into it (contrary to case 1). Moreover, since the accounts inside it use 2FA, they can also access these accounts (contrary to case 2). Security compromised!
It is therefore crucial to me to use only one type of second-step authentication for my manager. As a related example, despite Google allowing many methods, if you enroll in their Advanced Protection Programme, all other methods apart from the U2F keys are invalidated. I would like the same from my manager. Is this possible in Dashlane or 1Password?
P.S. I am aware of the risks of using only the U2F keys for my manager. However, some managers, e.g. Dashlane, offer one-time recovery codes that could be stored securely somewhere else. One could also take a note of the (usually 32-digit) code associated with the QR picture for enabling the usual 2FA, without actually enabling it at that point.
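To make the comparison in the question concrete, here is an added toy model (my own example, not code from the asker or from any password manager) that enumerates which combinations of stolen credentials expose the stored accounts under the two manager policies; it assumes every stored account requires the phone TOTP code and ignores recovery codes.

```python
from dataclasses import dataclass
from itertools import combinations

# Credentials in the plan (constructed model; not any vendor's code).
PASSWORD, TOTP, U2F = "master_password", "totp_phone", "u2f_key"
CREDENTIALS = (PASSWORD, TOTP, U2F)


@dataclass(frozen=True)
class Manager:
    """The vault unlocks with the master password plus ANY ONE of the
    enabled second factors; enabling both TOTP and U2F widens this set."""
    second_factors: frozenset


def manager_unlocked(m: Manager, stolen: frozenset) -> bool:
    return PASSWORD in stolen and bool(m.second_factors & stolen)


def site_compromised(m: Manager, stolen: frozenset) -> bool:
    # Site passwords are only reachable through an open vault, and each
    # site additionally demands the phone TOTP code (assumption from the question).
    return manager_unlocked(m, stolen) and TOTP in stolen


def losing_thefts(m: Manager) -> list:
    """Every combination of stolen credentials that exposes the stored accounts."""
    return [combo for r in range(1, len(CREDENTIALS) + 1)
            for combo in combinations(CREDENTIALS, r)
            if site_compromised(m, frozenset(combo))]


# Policy 1: the manager accepts the U2F key as its only second factor.
U2F_ONLY = Manager(frozenset({U2F}))
# Policy 2: the manager accepts either the U2F key or a TOTP code.
U2F_OR_TOTP = Manager(frozenset({U2F, TOTP}))

if __name__ == "__main__":
    for label, m in (("U2F only", U2F_ONLY), ("U2F or TOTP", U2F_OR_TOTP)):
        print(label, "loses on:", losing_thefts(m))
```

Under the U2F-only policy only the theft of all three items exposes the accounts, whereas the U2F-or-TOTP policy also loses on master password plus phone, which is exactly the worrying case.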