How I secure website logins

Oh, hey, I have a blog. How’s everyone been over the past, uh, decade?

Anyway, I wanted to write about securing website logins. This is something I’m not really an expert in, though I do have some facility with computer security in general. But I’ve been doing a lot of thinking and research lately, and I think this is something I can communicate to a slightly less technical audience. So let’s give it a shot.

Oh, you should know that I’m pretty into lists lately. Anyway.

First, here are some definitions:

  1. A password manager is a tool that stores your passwords and generates good, long, random ones for you. Password reuse from site to site is the biggest risk for being hacked these days, so a password manager is vital.
  2. It’s important to identify your critical accounts. These are the ones that would really screw you over if they were hacked. Top of the list must be Google/Apple IDs, your password manager, and your email. Banking websites would also qualify, except the banking industry is frustratingly behind the times with all of this stuff, so it generally doesn’t matter if you consider them a critical account or not.
  3. A hardware security key is a small USB device, similar in appearance to but usually smaller than a USB “thumb drive”, which gives you a bunch of additional security options. Yubikeys are probably the most common, so if you haven’t heard of them, you probably haven’t heard of hardware keys in general. One neat thing about them is that it’s impossible to copy security credentials off of them. They can’t be cloned, synced, or backed up.
  4. A second factor for logging in somewhere, which leads to 2-factor authentication or 2-step verification, is something you enter on a website when logging in that’s in addition to your username and password. The reason it adds to the security is that it usually either requires an additional account or device to access, or it requires biometric input such as a fingerprint or face identification. One particular kind of 2nd factor that I don’t like is SMS verification, because it has several decent-sized security flaws. Email verification is better but still not ideal.
  5. TOTP is the most common form of 2nd factor that I like. This is the thing where you scan a QR code when you set up 2FA, and then the app on your phone generates a new 6-digit code every 30 seconds until the end of time. You’ve almost certainly seen it. TOTP is pretty good.
  6. FIDO2 U2F is a newer form of 2FA. Instead of a 6-digit code, you plug in your security key (or connect it wirelessly) and tap a button on it. It’s also neat because security keys can “store” a literally unlimited number of them! (FIDO2 U2F is technically an obsolete name, but I think it’s useful so I still use it.) This option is starting to be phased out, though, in favor of:
  7. Passkeys! The hot new technology. (They’re also known as FIDO2 or WebAuthn credentials.) These are things that enable passwordless logins to websites! They’re not physical things, any more than a TOTP setup is a physical thing. They’re secure because you need to verify yourself with the thing that stores them (enter a PIN to unlock your Yubikey, or use FaceID to unlock your phone’s passkey storage, or whatever.) In a sense, they obsolete the traditional idea of 2-factor verification, because the 2 factors now are (1) having the device on which the passkey is stored, and (2) having the ability to unlock that device. They come in two different flavors:
    1. Non-resident/non-discoverable credentials enable passwordless logins, and a hardware key can “store” an unlimited number of them. In practice, this isn’t really used to replace passwords, and instead is used more often as a 2nd factor, which makes it identical to FIDO2 U2F. They’re not actually different things. Some people would say that these aren’t even really passkeys, and the only things that can be called passkeys are:
    2. Resident/discoverable credentials enable usernameless and passwordless logins! They do, however, take up a storage “slot” in a hardware key. In practice, sites are not using them to replace usernames very much just yet, at least in my experience, but they’re definitely starting to be used as a passwordless option.
  8. Passkeys can also be stored in one of two ways:
    1. Hardware-bound passkeys, stored on a hardware key, can never leave that key. When you switch hardware keys, you go back on the website and set up an additional passkey.
    2. Copyable/software-based passkeys are ones you store on your phone, or in a password manager. They can be synced through the cloud and made available on other computers or on your next phone.

Got it? Cool. OK, so here’s what I currently do, in a world where passkeys are just starting to become a thing:

  1. I have two Yubikeys. Two because one of them is a backup that doesn’t leave my house. Yubikeys can do passkeys, FIDO2 U2F, and TOTP. I like doing TOTP on my Yubikey because that way I don’t have to worry about syncing it to a new phone. And when I’m at a computer for hours at a time such as at work, I leave my Yubikey plugged in all day (I work from home, so bathroom breaks aren’t a security risk) and then I can access TOTP on my computer without pulling out my phone.
  2. I have Bitwarden as my password manager. Bitwarden is really great. I log into it with my username, a memorized password (one of the few passwords I have to memorize!), and FIDO2 U2F. I recommend Bitwarden to everyone, and for only $10/year, you get additional features such as “give this other Bitwarden account access to some of my passwords if I die”.
  3. All websites I use other than Bitwarden itself have their username/password in Bitwarden. I don’t know any of the passwords in my head.
  4. For websites that support FIDO2 U2F, I do that. I have both Yubikeys registered.
  5. For websites that don’t support that but do support TOTP, I do that. I use my Yubikeys, and I make sure to have both keys on me when I set up a new website, so I can scan the QR code into both keys and get the same 6-digit codes on each.
  6. I don’t like using my Bitwarden to store 2nd factors at all. Keeping a password and a corresponding TOTP secret in the same place doesn’t seem like a great idea to me.

This all works pretty well and I’m pretty happy with it! But I would like to try Passkeys more. Passwordless login sounds really great to me, and there are also security reasons why they’re better than passwords, better than TOTP, and much much better than SMS-based 2FA or not having 2FA at all.

So here are my login-related goals in the coming years. This was hard to figure out, but I spent a couple dozen hours on it and I think I’m pretty happy with this plan:

  1. I’m not going to change anything about my Bitwarden login. I’m happy with the way it is now. FIDO2 U2F is really pretty good, and going passwordless would make me nervous even if it’s technically just as secure. Maybe I’ll revisit this later.
  2. For some critical accounts, I can’t do better than I do now. (The banking industry is really annoying about this! Why do they like SMS so much?) I’ll make sure the re-prompt flag is on in Bitwarden for my banking accounts so that I need to re-authenticate to Bitwarden every time I access those passwords. Some banking websites do let me use TOTP, and I’ll keep doing TOTP through my Yubikeys.
  3. For critical accounts that let me use passkeys, I’m going to do this! And I’m going to use my Yubikeys to make hardware passkeys. I don’t want my credentials for critical accounts to be cloud-synced.
  4. For less critical accounts that let me use passkeys…this is the hard one. This is why I needed to spend so long thinking about this, and this is why I’m bothering to write this blog post. Here’s what I’ve learned:
    1. Chrome has pretty good support for setting up passkeys and using passkeys. You’re prompted with options that, for my purposes, boil down to “Where is this passkey? Is it on a hardware key, is it on your Bitwarden browser plugin, or is it on some external thing like your phone?” But I don’t use Chrome much, I use Firefox mostly. Firefox is behind in this support. I can manage to have it check my Yubikey rather than the Bitwarden plugin, but I can’t get it to give me the option to use my phone’s passkey storage.
    2. I don’t really want to store passkeys in Bitwarden, any more than I want to store second factors in there. It’s actually probably fine, but I haven’t convinced myself of that yet.
    3. One thing about using passwordless login with passkeys is that you end up doing it a lot more often than you do a 2nd factor with a password-based login. I don’t want to have to plug in my Yubikey every single time I log in to a non-critical account; that feels like it will get annoying. (One nice thing about using TOTP is that you can look at the 6 digits on one device and enter them on another. Or it can be the same device. Up to you. If you’re using a hardware key as a passkey, though, you have to plug it into the same device. Sometimes that’s much more annoying, especially since my Yubikeys don’t have NFC support.) Also, my Yubikey can only support something like 25 discoverable passkeys, and I feel like I’ll bump up against that limit pretty quickly if I use it for everything.
    4. Phone-based storage of passkeys is pretty secure, given modern phone security. It’s a bit more obvious how to do it on iPhones, but I figured it out on my Android anyway. The real hurdle for me was realizing that I wasn’t getting anywhere with Firefox on my laptop. Once I started testing out the workflow with Chrome, it went fine.
    5. So I think my plan is to wait until Firefox support for passkeys gets better, and then start moving my non-critical logins to phone-based passkeys.
  5. My goal will be to remove sites from Bitwarden entirely once I have them set up with Passkeys. Or maybe I’ll store a password in there as a backup, but the plan will be that Bitwarden isn’t a part of my login flow for sites where I’m using passkeys.
  6. I think I might need one more place to store things like backup codes, maybe TOTP secrets (in the form of the QR code you get when you first set it up), maybe a 3rd hardware key as an emergency backup, etc. I haven’t decided yet if I want this to be a digital place (a second password manager?) or a physical place (fire safe in my house?). I don’t want backup codes and TOTP secrets in Bitwarden for the reason I’ve addressed already: I don’t want to make Bitwarden a single point of failure for sites that I’ve so carefully set up a good 2nd factor or passkeys for.
  7. Yubikey hasn’t released a new model in a while, so I’m exploring options for other brands of keys that have a much higher resident passkey storage limit (and a slightly higher TOTP storage limit too). Or maybe I should just get a new Yubikey; mine is a slightly older model than their newest, and it doesn’t do NFC (I can plug it into my phone’s USB port, but it’s a bit fiddly) and has no real ability to manage resident passkeys.

Any questions? Uh, comments are off, so if you know another way to reach me, ask me there! Have a good day, and I’ll write to you again in 2035 or so.