theonlykl (theonlykl@partizle.com)
What’s funny working in the cybersecurity space is we’ve actually adopted Bitwarden in our org. Now, with that said, to your point, not all our eggs are in one basket.

Most of our auth (if not all) relies on another mechanism for authentication. Typically some other 2FA mechanism that isn’t stored in our org Bitwarden vault. We enforce that separation with the assumption that if our vault is compromised, the core aspects of the business aren’t easily accessible and aren’t necessarily breached.

The break-glass accounts / etc. that are not protected by 2FA are 99% of the time locked down so they can only be used from very specific subnets and/or source systems. The ones that are accessible externally (say an AWS account) are always locked down with a hardware key. This isn’t foolproof either, as technically in a very targeted attack you could focus on the admin/IT user and work your way through their system. To your point, it’s Electron based, but we also found that not offering it and making it easy for the typical user often led to even worse practices being adhered to.

We’ve embraced Bitwarden at this point pretty heavily, but at some point we will be rolling our own instance and migrating that way. This will allow a bit more separation and control for more of our break-glass accounts.

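The lockdown described in the comment above (break-glass accounts usable only from specific subnets, and externally reachable ones gated on a hardware key) is commonly expressed in AWS as explicit-deny IAM statements keyed on `aws:SourceIp` and `aws:MultiFactorAuthPresent`. The block below is an added example, not code from the commenter or from Bitwarden/AWS: it builds such a policy document and includes a deliberately simplified local evaluator (`evaluate_break_glass_policy`) so you can sanity-check the guardrails against constructed request contexts offline. The CIDR, the statement Sids and the evaluator's semantics (explicit deny wins, everything else treated as allowed) are assumptions for illustration; a real request is also subject to every other attached policy.

```python
"""Break-glass guardrail policy and a minimal local evaluator (illustrative)."""
import ipaddress
import json

# Assumed value: the subnet(s) from which break-glass use is permitted.
BREAK_GLASS_CIDRS = ["203.0.113.0/24"]  # constructed, RFC 5737 documentation range


def build_break_glass_policy(allowed_cidrs=BREAK_GLASS_CIDRS):
    """Return an IAM policy dict that denies everything outside the allowed
    subnets and denies everything when no MFA (e.g. a hardware key) was used.

    Caveat: NotIpAddress on aws:SourceIp also denies calls an AWS service makes
    on the principal's behalf; production policies usually add an
    aws:ViaAWSService exception for those.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideBreakGlassSubnets",  # assumed Sid
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
            },
            {
                "Sid": "DenyWithoutMFA",  # assumed Sid
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                # BoolIfExists: a missing MFA key still matches "false".
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
            },
        ],
    }


def evaluate_break_glass_policy(policy, source_ip, mfa_present):
    """Simplified evaluation of the two condition types used above.

    Returns ("Deny", <Sid>) for the first matching explicit deny, otherwise
    ("Allow", None). Real IAM evaluation is broader; this only models the
    guardrail statements so they can be tested locally.
    """
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {})
        if "NotIpAddress" in cond:
            cidrs = cond["NotIpAddress"]["aws:SourceIp"]
            inside = any(ip in ipaddress.ip_network(c) for c in cidrs)
            if not inside:  # NotIpAddress matches when the IP is in none of them
                return "Deny", stmt["Sid"]
        if "BoolIfExists" in cond:
            wanted = cond["BoolIfExists"]["aws:MultiFactorAuthPresent"]
            # Missing key -> treated as matching; present key -> string compare.
            actual = "false" if mfa_present is None else str(bool(mfa_present)).lower()
            if actual == wanted:
                return "Deny", stmt["Sid"]
    return "Allow", None


if __name__ == "__main__":
    policy = build_break_glass_policy()
    print(json.dumps(policy, indent=2))
    # Constructed request contexts: (source IP, MFA present?)
    for ip, mfa in [("203.0.113.10", True), ("203.0.113.10", False),
                    ("198.51.100.7", True), ("203.0.113.10", None)]:
        print(ip, mfa, "->", evaluate_break_glass_policy(policy, ip, mfa))
```

Running the module prints the policy JSON and the verdict for each constructed context; only the in-subnet request with MFA present passes both guardrails.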

Currently I have two YubiKeys for personal use. One is a backup and remains in a fireproof safe, while the other is on me most / all of the time via my keyring. Agree the individual side is a bit more complex.

For me I took the approach of not relying that much on cloud services and rolling a lot of it myself. My data then gets backed up to a backup repository via BorgBase in the EU. I usually try to follow the 3-2-1 rule for backups: three copies of your data on two different media with one copy offsite (ok, on the two different media thing I cheat a bit and have a couple of extra disks).

On the enterprise side we’ve talked about implementing YubiKeys in the org, but haven’t gotten all the buy-in on that yet.
