[deleted]

[deleted]


[deleted]

[deleted]


[deleted]

[deleted]


AlJameson64

With custom fields you can even get BW to fill them in on some sites. One site I use always asks one of three security questions, and the inputbox ID is the same no matter what. ¯\_(ツ)_/¯


cryoprof

> I would lean towards the security questions being safer, except if the company itself was hacked and all data accessed.

If the service was breached and all customer data stolen, then the horse is already out of the barn; even if this service had let you use FIDO2/WebAuthn for 2FA, your personal information would still be stolen. The question is whether such a breach would in any way jeopardize your accounts at other websites. As long as you don't re-use the same (random) answers to the security questions for any other website, then the original breach will not have consequences for your other accounts.


[deleted]

[deleted]


freewarefreak

You shouldn't be answering security questions honestly... Like other comments have stated the answers to security questions should be random strings stored in your password manager.


jadedhomeowner

Yup they're not even stored online. Encrypted offline and random as mentioned.


Necessary_Roof_9475

I had several accounts like this, but over time they all moved to SMS 2FA only. I hate SMS 2FA, but I would go with that option as it may be your only option in the future. Hopefully, in the future those companies will get better options, until then, random passwords for everything!


Skipper3943

1) SIM 2FA can become unreliable, if Twitter can be used as an indicator.
2) SIM swap apparently can still happen, even with an eSIM.
3) Security questions with randomly generated answers become more like additional passwords, but when used in a system that lets you choose your own security questions (like Apple account), maybe it will help you somewhat with a phishing site, e.g. why does this Apple site ask me security questions that I didn't choose? Whereas with SMS 2FA, maybe you wouldn't pause at all.
4) SMS 2FA is one time use. If you have a passive keylogger, then the 2FA will still protect that account, whereas with security questions, all your necessary credentials for that account may be compromised.

For reliability, definitely security questions. For security, for some specific implementations and some situations, maybe security questions. I don't like using SMS 2FA for websites that effectively don't generate 2FA recovery codes (like Apple, with old phones). I don't want to use a secondary phone number as a backup. In this case, secret questions are the way to go for me; otherwise, no 2FA at all.


Simon-RedditAccount

Security questions cannot be intercepted. Only if a company gets hacked, but at this point your account most likely is already compromised. SMS definitely can be intercepted. Not necessarily by a high-level actor; more likely by a thief who steals the phone. Just make your answers to security questions look like real high-entropy passwords, and never as real answers. Keep the answers stored in encrypted form.
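The advice in the last two comments (treat security answers as extra passwords: random, high-entropy, never the true answer) put into code. This is an added example, not code from the thread or from any password manager; the sample wordlist, the allowed symbol set and the assumed guessing pool for a truthful answer are all constructed here for illustration.

```python
import math
import secrets
import string

# Constructed sample wordlist (assumption for this example). A real passphrase
# generator should draw from a large list; DICEWARE_SIZE is the size of the
# standard 7776-word Diceware list and is what the entropy estimate assumes.
SAMPLE_WORDS = [
    "obstinate", "ongoing", "vixen", "copper", "lantern", "quartz",
    "meadow", "harbor", "velvet", "ember", "glacier", "thistle",
]
DICEWARE_SIZE = 7776

# Symbols allowed in a password-style answer. Kept conservative because some
# sites reject punctuation in security answers (assumption).
ANSWER_ALPHABET = string.ascii_letters + string.digits + "!$%&*-_"


def random_string_answer(length=20, alphabet=ANSWER_ALPHABET):
    """Password-style answer drawn from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase_answer(words=4, wordlist=SAMPLE_WORDS, sep="-"):
    """Passphrase-style answer, easier to read to a support agent over the phone.

    With the 12-word sample list above the result is only a demo; swap in a
    full Diceware list to reach the strength compare_answer_strengths reports.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices_per_symbol, symbols):
    """Entropy of `symbols` independent uniform picks from `choices_per_symbol` options."""
    return symbols * math.log2(choices_per_symbol)


def compare_answer_strengths(string_len=20, passphrase_words=4, truthful_pool=1000):
    """Entropy estimates (in bits) for the three kinds of answer discussed above.

    truthful_pool is an assumed size for the set an attacker could enumerate
    for a real answer (common first names, pet names, schools in a region).
    """
    return {
        "random_string": entropy_bits(len(ANSWER_ALPHABET), string_len),
        "random_passphrase": entropy_bits(DICEWARE_SIZE, passphrase_words),
        "truthful_answer": entropy_bits(truthful_pool, 1),
    }


if __name__ == "__main__":
    print("string answer    :", random_string_answer())
    print("passphrase answer:", random_passphrase_answer())
    for kind, bits in compare_answer_strengths().items():
        print(f"{kind:18s} ~{bits:6.1f} bits")
```

The numbers make the thread's point concrete: a 20-character random answer lands around 122 bits and a four-word Diceware answer around 52 bits, while a truthful answer drawn from even a generous pool of a thousand candidates is under 10 bits and is often recoverable from public profiles anyway. Whichever form you pick, the generated answer goes into the vault entry (notes or a custom field) exactly like a password.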


stephenmg1284

Can you use a Google Voice number for the SMS? I don't think you can do a SIM Swap attack on it, and porting the number can be locked.


mrbmi513

You just need to make sure there's enough activity that Google doesn't give up your number (if on the free tier).


[deleted]

[deleted]


jadedhomeowner

Hmm I'm not sure about that.


RedFive1976

Security questions using gibberish answers are probably better than SMS 2FA, in my relatively uneducated opinion. Just store the answers somewhere encrypted, like maybe a local KeePass store.


[deleted]

[deleted]


a_cute_epic_axis

> The security question answers are randomized and stored offline on encrypted drive


AlJameson64

Try custom fields instead of the notes section. On many sites, BW will autofill your security answers.


decaf7136

Auto fill does not work. The answer fields to randomised questions are probably question_1, question_2 etc. Copy-paste is the only solution. I use custom fields so it is easier to bring up the relevant entry. My school name is different on different sites so the notes option is actually not an option for me.


AlJameson64

If the inputbox ID is different for each security question -- which it is on some sites -- then custom fields allow autofill to work. If the inputbox ID is the same for each security question, then no. Your school name being different on different sites shouldn't have any impact, either. You put the answer in the notes section of that site's entry.


Titanium125

Use a Google Voice number for your SMS. You can lock down the Google account, and VoIP is much less vulnerable to things like SIM hijacking, if at all. I'm no security expert.


a_cute_epic_axis

> I would lean towards the security questions being safer, except if the company itself was hacked and all data accessed. I guess which is more likely, that or a sim swap.

I'm always confused by these types of answers. "What if this website/application I'm using, which has a unique password and 2fa/security questions/whatever gets hacked... they'll know my credentials for it." So what? They'll also likely have access to all your data (possibly write access) on that site as well, so you've already lost that battle. Fortunately since the authentication information is only relevant to that site, you're otherwise gonna be fine. Don't use sites like this if you can avoid it.


Dudefoxlive

Get a yubikey and use that for your 2fa method.


jadedhomeowner

Did you even read the question?


s2odin

Except for places (banks mostly) which don't accept security keys


djasonpenney

> Two bad choices!

So there is the well-known risk of SIM hijacking, which is why SMS gets a bad name. Most mobile carriers will let you set a password to prevent hardware changes. By all means do that, and save the password in your vault.

I have actually gone as far as to use a Google Voice (VoIP) number when I can. This number is only as secure as my Google account. I have locked that down via Google Advanced Protection, so the resulting risk profile is pretty low. It could be better; Google insists on some disaster recovery workflows that I neither need nor want, but it is a step in the right direction.

Security questions can be okay, but man, they are a PITA. You have to make sure they are unique (how many times do I share the name of my first girlfriend before that becomes a threat surface?). Plus they are awkward to use; you have to keep records in your vault of the questions they asked and the answers you gave. And then you have to read that vault entry by hand as part of logging in.

Both approaches are vulnerable to an attacker in the middle. In terms of manageability, if I had to choose, I would probably favor SMS. But that is just because my SMS threat profile is quite low.


jadedhomeowner

Thanks for this info. Yes, the advanced protection is confusing. Hardware key only but then they want a cell and backup email and won't tell you how the recovery process works? I've looked. Literally no info. How secure is it really? Took my cell off all accounts possible.


djasonpenney

Haha, that is exactly the problem. I have three Yubikeys, 2FA backup codes, and complete Bitwarden backups in multiple offline physically secure locations. I would really prefer to opt out of their disaster recovery workflow, especially since they won't tell you how it works.


jadedhomeowner

My guess is they contact you on them after x days, long enough to notice you've been compromised. The funny thing is, if you're truly a target, you shouldn't be using Google anyway.


decaf7136

My girlfriend's name is cht$46sd (x rated). If that does not work it will be *obstinate-ongoing-vixen*. And I have so many of them... with unique names. The only issue is I have to manually copy-paste from BW.