> Strong support for the strategy of not putting your TOTP/MFA in your password manager
Agreed, but I think using the same device to access your password manager and for dev is asking for trouble in the first place.
Password managers assumes a non-compromised device. I don't think there exist a password manager that is explicitly designed for a compromised/hostile device.
A password manager + built-in TOTP on a dedicated device is fine for most general usage. Important TOTPs can go to Yubikeys.
> I don't think there exist a password manager that is explicitly designed for a compromised/hostile device.
The crypto people tried this with hardware only password managers but they were too annoying. I have a halfway solution of using pass with Yubikey/GPG where each password decryption requires a touch. It does protect against the entire vault being decrypted at once and exfiltrated.
> tried this with hardware only password managers but they were too annoying
And besides that, ultimately if the computer you're using been compromised, whatever you do on that computer can be mucked about with, so while the password sits safely on the hardware, once you're logged in in the browser, the cookie is just sitting there. I guess you'd get furthest isolation with Qubes et al, but with a regular Linux installation you'd still be exposed with a hardware password manager, if the installation been compromised.
> Agreed, but I think using the same device to access your password manager and for dev
Almost all development I do, and most others, are on our projects or projects we're at least interested in, and most likely dove into, that's why we're developing in them in the first place.
In this case, it seems like the developer wasn't actually developing anything, but playing around with image generation on his time off, for fun, and ended up pulling down a random 3rd party thing and got compromised that way. Very different from "for dev" I'd say.
Besides, didn't most developer start isolating projects from each other when the first npm worms started to appear? I know I stopped running `npm install` in the same environment I do my banking, and drastically reduced the amount of random 3rd party stuff I have, still use all the same device though. Even have a Windows install on the same computer, booo!
>Agreed, but I think using the same device to access your password manager and for dev is asking for trouble in the first place.
That seems somewhat unrealistic? There are many passwords you need to use as part of dev work.
But it's a hassle to have at least 2 yubikeys in case you lose one. And since you regularly sign up for new websites with OTPs, gotta keep them in sync. So always carry both with you. And if you carry both, then it's easy to lose both at the same time.
UPDATE: also gotta keep track separatelt of non-resident passkeys tied to Yubikey, because Yubikey doesn't know where it was used for non-resident. If you lose one yubikey, need to sync all passkeys to a new replacement one.
I add a note in the password manager's notes field for sites where I've added Yubikeys as the second factor. I can get the list of the sites using search, and from time to time I go through them to check if a backup key needs to be registered. I create new accounts infrequently.
Would be nice if you could get an exact clone of a yubikey, so you always have a spare in case you lose one.
Though I think there is also the option that sites can store some sort of identifier on the key, then this would not work:/