- a Yubikey
- a sparingly used email account with no 2FA, just a very long password
2FA through the sort-of-secret email account lets me get back into Bitwarden (and thus everything else) even if my house burns down and I lose access to all of my yubikeys. And auth on a device that doesn't easily support yubikeys, like older iPhones.
2FA is very useful, but highly overrated. If you have a sufficiently long and complex memorized password (and the email platform actually lets you create one that's properly long, 40+ characters), it's unlikely that you'll have any problems unless you accidentally share the password somewhere.
Of course I feel like all my my precautions are moot when my bank and CC company force SMS 2FA. But I haven't found any with superior security schemes anwyway.
Sorry, but my Article and Walmart.com accounts do not need 2FA. I'm fine with OTP, but most places use SMS 2FA, which exposes a unique identifier for myself and -- due to SIM swapping, which is a risk on literally every major carrier due to horrible customer service operations -- often makes it easier for a malicious actor to hijack my account.
You're generally correct, though: GOOD 2FA is not overrated and I would welcome it on any account. But it's obnoxious that almost every account I have uses SMS as a singular point of failure. I'd welcome a move back to email 2FA with a backup email for account recovery.
Small side tangent - I’m on Mint Mobile and enabled 2FA for my account there, which is required for all customer calls. This would stop SIM swapping attacks which are the main failure point for SMS 2FA, right?
- a Yubikey - a sparingly used email account with no 2FA, just a very long password
2FA through the sort-of-secret email account lets me get back into Bitwarden (and thus everything else) even if my house burns down and I lose access to all of my yubikeys. And auth on a device that doesn't easily support yubikeys, like older iPhones.
2FA is very useful, but highly overrated. If you have a sufficiently long and complex memorized password (and the email platform actually lets you create one that's properly long, 40+ characters), it's unlikely that you'll have any problems unless you accidentally share the password somewhere.
Of course I feel like all my my precautions are moot when my bank and CC company force SMS 2FA. But I haven't found any with superior security schemes anwyway.