Difference between work and personal. For personal, you’re right because there is nothing to bootstrap off of.
But in corporate it’s provisioned to a user account that exists first.
My personal bootstrap is two YubiKeys (for redundancy) that contain the password and 2FA for my Proton Pass. This plays the role of what IT would in a company with a user directory.
From this PR:
> A master password is still required and not controlled by the SSO
From the Bitwarden documentation[1]:
> Locking your vault will maintain vault data on the device, so unlocking your vault can be done offline. You will be required to enter your master password or PIN, or use biometrics, but won't need to use any active two-step login methods.
That really ought to quell the majority of the concerns IMO. Though for personal usage I use KeePassXC, because not having any remote authentication at all is even simpler than SSO.
[1]: https://bitwarden.com/help/vault-timeout/#vault-timeout-acti...
So you're going to play IT and duplicate all the groups and all the roles manually that already are maintained and automated for on/off-boarding? And not have them be auto-offboarded when they are let go? That introduces compliance risks and imo more problems than having SSO on your password manager. Yes, keep some master password for a rainy day if you have to, but otherwise, the more "dangerous" the thing the more it should be hooked up to SSO.
Separate accounts for work and private. SSO for the work account is perfectly fine for me as a dev and a big advantage for the company. But yes, don't conflate the two use cases.
It's most useful for companies, where the goal is as much SSO as possible.