736
Authy got hacked, and 33 million user phone numbers were stolen
(appleinsider.com)
This is a most excellent place for technology news and articles.
These are not local solutions, but are cross-platform and open source: Bitwarden or Proton Pass.
Doesn't synced solutions completely defeat the purpose of MFA?
Not if you protect the master key with MFA, like a yubikey. Then it's cryptographically secure for quite a while..at least until quantum computing is affordable enough to be used against your data. Or the database and your yubikey and yourbpassphrase are compromised
You've got a good point. I wonder if this an example of a trade-off between convenience and security. If you're logging in and you get an MFA prompt, a Yubikey has to be physically searched, while Bitwarden or Proton Pass only have to be clicked. A Yubikey can only hold a limited amount of accounts, while Bitwarden or Proton Pass could hold many more. Of course, a Yubikey could be used as MFA for Bitwarden or Proton Pass, but that would create a single point of failure and reduce factor separation (which I think is your original point).
While I posted a Bitwarden or Proton Pass recommendation of sorts, I genuinely wonder if it's advisable to not use MFA at all if the factors will not be separated. Or, perhaps, the best security solution is the one you'll actually use. I guess the answer is the good ol' "What's your security model?"
Your first and last statements are correct. Using your password manager as your MFA is a trade off with security and convenience, but that added convenience helps make it more usable so you actually use it. Anything is a trade up for most peoples' awful password hygiene, so the trade off is worth it in my opinion.
Regarding the advisability of combining password and MFA into one platform: while you are lowering the overall security of your accounts, if you secure the main account with a long/strong password and a hardware security key, I would say that's still more secure than not having 2FA enabled or not using secure passwords.