Authentication Apps and Password Management


Password Manager Selection

Bitwarden

Feature      | Details
Encryption   | AES-256-CBC with HMAC-SHA256 for vault data; PBKDF2-SHA256 (default) or Argon2id for key derivation
Pricing      | Free (personal), $10/year (Premium)
Self-host    | Yes (official server image, or the community Vaultwarden server, formerly Bitwarden_RS)
Open source  | Yes
Audit        | Third-party security audits, reports published annually

Installation

Windows/macOS: bitwarden.com/download
Linux: snap install bitwarden
iOS/Android: App Store/Play Store
Browser: Chrome/Firefox/Edge/Safari extensions
CLI: npm install -g @bitwarden/cli

Basic Commands

bw login username@email.com
bw unlock
bw list items
bw get item "github"
bw generate --length 20 --uppercase --lowercase --numbers --special

Self-hosted Setup (Vaultwarden, the community server formerly called Bitwarden_RS)

# Vaultwarden implements the Bitwarden client API; the official Bitwarden server is a separate, heavier deployment.
# Run it behind a TLS-terminating reverse proxy: browsers refuse WebAuthn and the web vault's crypto APIs
# over plain HTTP, so the port is bound to localhost for the proxy only. vault.example.com is a placeholder;
# DOMAIN must match the public URL or WebAuthn and invitation links break. Pin a release tag instead of latest.
docker run -d --name vaultwarden \
  --restart unless-stopped \
  -e DOMAIN=https://vault.example.com \
  -e SIGNUPS_ALLOWED=false \
  -p 127.0.0.1:8080:80 \
  -v /bw-data/:/data/ \
  vaultwarden/server:latest

1Password

Feature      | Details
Encryption   | AES-256-GCM for vault data; PBKDF2-HMAC-SHA256 over the account password combined with the 128-bit Secret Key
Pricing      | $36/year (Individual), $60/year (Families)
Self-host    | No
Open source  | No
Audit        | SOC 2 Type 2, ISO 27001

Unique Features

  • Travel Mode (remove vaults from devices)
  • Watchtower (breach monitoring)
  • Secure file storage (1 GB)
  • Document scanner
  • SSH key management

Password Manager Setup

Master Password Guidelines

Minimum requirements:
- 12+ characters (length matters more than character-class rules; use mixed case, digits and symbols where the service demands them)
- Not a single dictionary word, a name, a date, or anything tied to you
- Not reused anywhere else (the master password unlocks everything)
- Chosen at random, not by mutating a word with substitutions

Example of the pattern to avoid:
Tr0ub4dor&3Xamp!e#2024
(a word with leet substitutions plus a year: hard to remember, and cracking tools model exactly this pattern, so it is far weaker than its length suggests)

Better (random passphrase):
correct-horse-battery-staple!47
(four or more words drawn at random from a large wordlist such as the EFF long list, plus a separator or digits; this exact phrase is famous and sits in every cracking wordlist, so generate your own)
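Added example, not code from the original page: a passphrase generator that uses the `secrets` CSPRNG (never `random`) and the entropy arithmetic behind the comparison above. The 12-word list is a constructed stand-in; the bit counts assume the 7776-word EFF long wordlist, which is what you would use in practice.

```python
import math
import secrets

# Constructed stand-in for a real wordlist. Use the EFF long wordlist (7776 words)
# in practice; the entropy figures below assume that list.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "cabin", "lantern",
                "orbit", "pepper", "quartz", "raven", "saddle", "tundra"]
EFF_LONG_WORDLIST_SIZE = 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform choices from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, count: int = 5, separator: str = "-") -> str:
    """Draw `count` words uniformly with the OS CSPRNG; each draw is independent,
    so the entropy is exactly count * log2(len(words))."""
    return separator.join(secrets.choice(words) for _ in range(count))


def compare_schemes() -> dict:
    """Entropy of the two styles on the page, assuming each was generated at random.

    The character password only earns its 131 bits if every character was drawn
    uniformly; "Tr0ub4dor&3..." was not, it is one word plus predictable
    substitutions, which cracking rule sets enumerate cheaply. The passphrase
    figures hold as long as the words really were drawn at random.
    """
    return {
        # 20 random printable-ASCII characters (94 symbols)
        "random_20_chars": round(entropy_bits(94, 20), 1),
        # 5 words from the EFF long list
        "five_eff_words": round(entropy_bits(EFF_LONG_WORDLIST_SIZE, 5), 1),
        # 4 words plus two random digits, the shape of the page's passphrase example
        "four_eff_words_plus_2_digits": round(
            entropy_bits(EFF_LONG_WORDLIST_SIZE, 4) + entropy_bits(10, 2), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 5))
    print(compare_schemes())
```

A passphrase of five EFF words (about 65 bits) is beyond realistic offline cracking against a properly stretched master key, and it is the memorable option; anything shorter than four words should get a digit or symbol appended, as the page's example does.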

Emergency Kit

Bitwarden

Print or save:
- Email address
- Master password hint
- Two-step login recovery code
- Secret 2FA key (if applicable)
Store in: Safe deposit box, physical safe, with trusted family

1Password

Emergency Kit PDF contains:
- Email address
- Secret Key (34 characters)
- Master password hint
- QR code for setup

Two-Factor Authentication (2FA)

TOTP Authenticator Apps

App                     | Platform    | Features                              | Backup
Aegis                   | Android     | Open source, biometric unlock, groups | Encrypted JSON export
Raivo OTP               | iOS         | Open source, iCloud sync, search      | iCloud / encrypted local (Finder/iTunes) backup
2FAS                    | iOS/Android | Cloud sync, wearables, widgets        | Encrypted cloud backup
Google Authenticator    | iOS/Android | Simple, Google integration            | Google account sync (newer versions; not end-to-end encrypted)
Microsoft Authenticator | iOS/Android | Push notifications, number matching   | Microsoft account
Authy                   | iOS/Android | Multi-device, encrypted backups       | Authy cloud (no export of the secrets)

Prefer an app that exports the raw secrets into an encrypted file you control: a backup protected only by the vendor account means a compromised vendor account yields every second factor at once. Raivo changed ownership in 2023; check its current state before depending on it.

Aegis Setup (Android)

1. F-Droid or Play Store install
2. Set biometric unlock
3. Add accounts:
   - Scan QR code
   - Manual entry (base32 secret)
4. Organize with groups: Work, Personal, Finance
5. Export encrypted backup to cloud storage
6. Enable automatic backups
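As an added example (not code from the original page or from the Aegis project), the block below implements what an authenticator app computes after step 3: decoding the base32 secret, RFC 4226 HOTP, RFC 6238 TOTP, server-side verification with a one-step window and a constant-time compare, and a parser for the otpauth:// URI that the QR code carries. The URI is constructed for the example; its secret is the RFC 6238 test key, so the codes can be checked against the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of what a "scan QR code" step hands the app (RFC 6238 test secret).
EXAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def decode_base32_secret(secret: str) -> bytes:
    """Manual-entry secrets are unpadded base32, often lower case and grouped with spaces."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # restore padding so b32decode accepts it
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    t = int(time.time()) if at is None else at
    return hotp(decode_base32_secret(secret), t // period, digits, algorithm)


def verify_totp(secret: str, code: str, at: Optional[int] = None, period: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """What the service does: accept the current step and `window` steps either side
    (phone clock drift), comparing in constant time so timing does not leak digits."""
    t = int(time.time()) if at is None else at
    key = decode_base32_secret(secret)
    counter = t // period
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits, algorithm), code):
            return True
    return False


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://totp/<issuer>:<account>?secret=...&issuer=...&digits=...&period=..."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(u.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "issuer": q.get("issuer", issuer_from_label),
        "account": account,
        "secret": q["secret"],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


if __name__ == "__main__":
    info = parse_otpauth(EXAMPLE_URI)
    print(info["issuer"], info["account"], totp(info["secret"], digits=info["digits"], period=info["period"]))
```

Two things the code makes visible: the "secret" in the QR code is the whole credential, which is why a backup of it must be encrypted; and the verifier's window is what makes a stolen code usable for up to 90 seconds, not 30, so services should additionally refuse a code that has already been accepted once.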

Raivo Setup (iOS)

1. App Store install
2. Enable iCloud sync or local only
3. Import from Google Authenticator (scan export QR)
4. Set app lock: Face ID / Touch ID
5. Sort by issuer or account
6. Backup to encrypted iTunes backup

Hardware Security Keys

YubiKey 5 Series

Model           | Connection         | Features
YubiKey 5 NFC   | USB-A + NFC        | FIDO2/WebAuthn, FIDO U2F, PIV (smart card), OpenPGP, OATH-TOTP/HOTP, Yubico OTP
YubiKey 5C NFC  | USB-C + NFC        | Same as above
YubiKey 5 Nano  | USB-A, low profile | Same, no NFC
YubiKey 5C Nano | USB-C, low profile | Same, no NFC
YubiKey 5Ci     | USB-C + Lightning  | Same, no NFC; works with iOS devices and desktops

FIDO2/WebAuthn Registration

1. Insert YubiKey
2. Visit security settings (e.g., myaccount.google.com/security)
3. 2-Step Verification → Security Key → Add
4. Touch key when prompted
5. Name the key (e.g., "YubiKey 5 NFC")
6. Register a second key as backup and store it separately: losing a sole key forces recovery through weaker channels

Google Titan

Model              | Connection            | Features
Titan Security Key | USB-A + NFC           | FIDO U2F, FIDO2
Titan USB-C        | USB-C + NFC           | FIDO U2F, FIDO2
Titan Bluetooth    | Bluetooth / NFC / USB | FIDO U2F, FIDO2 (discontinued by Google in 2021)

SoloKeys (Open Source)

Model    | Connection  | Features
Solo 1   | USB-A       | FIDO2, open source firmware and hardware
Solo Tap | USB-A + NFC | FIDO2, tap to authenticate
Somu     | USB-A, tiny | FIDO2, minimal size

2FA Implementation Strategy

Account Prioritization

Tier 1: Critical (hardware key as the primary factor, TOTP only as fallback; remove SMS and voice recovery where the service allows)

  • Email providers (Gmail, Outlook)
  • Password managers
  • Banking/financial
  • Cloud storage (Google Drive, Dropbox)
  • Domain registrars

Tier 2: Important (TOTP minimum)

  • Social media (Twitter, Facebook, LinkedIn)
  • Communication (Slack, Discord, WhatsApp)
  • Shopping (Amazon, eBay)
  • Utilities (GitHub, cloud servers)

Tier 3: Standard (TOTP or SMS if no alternative)

  • Forums, newsletters
  • Minor services
  • Trial accounts

Backup Codes

Generate and store securely:
- Print a physical copy
- Store in the password manager (secure note) for every account except the password manager itself: its own 2FA recovery code must live outside the vault it unlocks, or a forgotten master password locks you out of both
- Keep in safe deposit box
- Never store in cloud unencrypted

Format: 8-10 single-use codes per account
Usage: One code = one login, then invalidated; regenerate the set once a few have been used

Passkey Implementation

Supported Platforms

Platform                | Passkey storage | Sync
Apple iCloud Keychain   | iPhone/iPad/Mac | iCloud (end-to-end encrypted)
Google Password Manager | Android/Chrome  | Google account
1Password               | Cross-platform  | 1Password cloud
Bitwarden               | Cross-platform  | Bitwarden cloud
Windows Hello           | Windows devices | Device-bound (not synced through the Microsoft account)

Creating Passkeys

Apple

Settings → Passwords → [Website] → Set Up Passkey
OR
Safari login prompt → "Save passkey"

Android

Chrome/Edge login → "Create passkey"
Choose: Device or security key
Authenticate with biometrics

1Password

1Password → New Item → Passkey
OR
Browser extension → Save passkey to 1Password

Enterprise Implementation

SSO Integration

SAML Configuration

<!-- Example Okta SAML assertion (abbreviated; ID, timestamps and the SP entity ID are example values).
     The IdP signs the assertion (ds:Signature element, omitted here). The SP must verify that
     signature, then check Issuer, Audience and the NotBefore/NotOnOrAfter window, before it
     trusts NameID or any attribute such as Role. -->
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example-assertion-id" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://company.okta.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@company.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.company.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

OIDC Configuration

Discovery document served at https://auth.company.com/.well-known/openid-configuration (endpoints must be absolute URLs; the jwks_uri path is an example):

{
  "issuer": "https://auth.company.com",
  "authorization_endpoint": "https://auth.company.com/oauth2/authorize",
  "token_endpoint": "https://auth.company.com/oauth2/token",
  "jwks_uri": "https://auth.company.com/oauth2/keys",
  "scopes_supported": ["openid", "profile", "email", "groups"],
  "response_types_supported": ["code"],
  "code_challenge_methods_supported": ["S256"],
  "id_token_signing_alg_values_supported": ["RS256"]
}

Only the authorization code flow (with PKCE) is advertised: the implicit "id_token" response type hands tokens to the browser in the URL fragment and is deprecated by the OAuth 2.0 Security BCP.
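An added example, not code from the page or from any identity provider: the checks a relying party must make on an ID token issued against a discovery document like the one above. To run offline it signs with HS256 using the client secret as key (a signing mode OIDC allows for confidential clients); production IdPs usually sign with RS256 keys fetched from jwks_uri, which changes only the signature step, not the claim checks. Issuer, client ID, subject and nonce values are made up.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, client_secret: str) -> str:
    """Stand-in for the IdP token_endpoint: an HS256-signed JWT (constructed for the example)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


class InvalidIdToken(Exception):
    pass


def validate_id_token(token: str, client_secret: str, issuer: str, client_id: str,
                      nonce: str, now: Optional[int] = None, leeway: int = 60) -> dict:
    """The relying-party checks from OIDC Core 3.1.3.7; returns the verified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidIdToken("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # 1. Pin the algorithm we expect; never let the token choose ("none", RS/HS key confusion)
    if header.get("alg") != "HS256":
        raise InvalidIdToken(f"unexpected alg {header.get('alg')!r}")
    # 2. Verify the signature before reading any claim
    expected = hmac.new(client_secret.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise InvalidIdToken("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    # 3. iss must equal the discovery document's issuer exactly (scheme, host, path)
    if claims.get("iss") != issuer:
        raise InvalidIdToken("issuer mismatch")
    # 4. aud (string or list) must contain our client_id; with several audiences azp must name us
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise InvalidIdToken("audience mismatch")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise InvalidIdToken("azp required with multiple audiences")
    # 5. exp and iat, with a small leeway for clock skew between IdP and RP
    t = int(time.time()) if now is None else now
    if t >= claims.get("exp", 0) + leeway:
        raise InvalidIdToken("token expired")
    if claims.get("iat", 0) > t + leeway:
        raise InvalidIdToken("token issued in the future")
    # 6. nonce ties the token to the session that started the login (replay protection)
    if claims.get("nonce") != nonce:
        raise InvalidIdToken("nonce mismatch")
    return claims


def is_valid_id_token(*args, **kwargs) -> bool:
    try:
        validate_id_token(*args, **kwargs)
        return True
    except InvalidIdToken:
        return False


def demo() -> dict:
    """Mint one token (example values) and exercise each rejection path."""
    claims = {"iss": "https://auth.company.com", "aud": "my-client", "sub": "user@company.com",
              "iat": 1700000000, "exp": 1700003600, "nonce": "n-0S6_WzA2Mj"}
    tok = mint_id_token(claims, "client-secret")
    h, p, s = tok.split(".")
    forged = ".".join([h, b64url(json.dumps({**claims, "sub": "admin@company.com"}).encode()), s])
    ok = dict(issuer="https://auth.company.com", client_id="my-client", nonce="n-0S6_WzA2Mj", now=1700000010)
    return {
        "valid": validate_id_token(tok, "client-secret", **ok)["sub"] == "user@company.com",
        "wrong_issuer": is_valid_id_token(tok, "client-secret", **{**ok, "issuer": "https://auth.evil.example"}),
        "wrong_secret": is_valid_id_token(tok, "other-secret", **ok),
        "forged_payload": is_valid_id_token(forged, "client-secret", **ok),
        "expired": is_valid_id_token(tok, "client-secret", **{**ok, "now": 1700003700}),
        "wrong_nonce": is_valid_id_token(tok, "client-secret", **{**ok, "nonce": "other"}),
    }
```

The ordering matters: algorithm pinned first, signature second, claims last. A validator that reads `iss` or `aud` before checking the signature is parsing attacker-controlled JSON, and one that accepts whatever `alg` the header names can be handed an unsigned or key-confused token.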

Conditional Access Policies

Microsoft Entra ID (formerly Azure AD) example:
- Require MFA for all users
- Require compliant device for admin roles
- Block legacy authentication
- Require approved apps for mobile access
- Block access from high-risk countries

Password Rotation

Automated Rotation

AWS IAM

import json
import boto3
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)

def rotate_access_keys(user_name):
    iam = boto3.client('iam')

    # List current keys (an IAM user may hold at most two access keys)
    keys = iam.list_access_keys(UserName=user_name)['AccessKeyMetadata']
    now = datetime.now(timezone.utc)

    for key in keys:
        age = now - key['CreateDate']   # CreateDate is timezone-aware
        if age <= MAX_KEY_AGE:
            continue

        if len(keys) >= 2:
            # A third key cannot be created. An inactive leftover from a previous
            # rotation should be deleted first; a second active key needs a human decision.
            raise RuntimeError(f"{user_name} already has two access keys; clean up before rotating")

        # Create new key
        new_key = iam.create_access_key(UserName=user_name)['AccessKey']

        # Update applications with the new key while the old one still works
        update_applications(new_key['AccessKeyId'], new_key['SecretAccessKey'])

        # Deactivate (do not delete) the old key so the change can be rolled back
        iam.update_access_key(
            UserName=user_name,
            AccessKeyId=key['AccessKeyId'],
            Status='Inactive'
        )

        # Delete after a confirmation period (e.g. 7 days), once CloudTrail shows
        # no further use of the old key id:
        # iam.delete_access_key(UserName=user_name, AccessKeyId=key['AccessKeyId'])

def update_applications(access_key_id, secret_key):
    # Push the new pair to the store consumers read from (CI/CD, applications).
    # Here: an AWS Secrets Manager secret; the secret name is an example.
    sm = boto3.client('secretsmanager')
    sm.put_secret_value(
        SecretId='app/aws-access-key',
        SecretString=json.dumps({'AccessKeyId': access_key_id, 'SecretAccessKey': secret_key}),
    )

Database Credentials

import os
import secrets
import psycopg2
from psycopg2 import sql

def rotate_database_password():
    # Generate new password: 32 random bytes, URL-safe encoding
    new_password = secrets.token_urlsafe(32)

    # Connect as the admin role; the admin DSN comes from the environment,
    # never from a hard-coded connection string in the source
    conn = psycopg2.connect(os.environ["PG_ADMIN_DSN"])
    try:
        with conn.cursor() as cur:
            # ALTER ROLE does not accept bind parameters, so the password must be
            # quoted with psycopg2.sql rather than spliced in with an f-string.
            # Note: with log_statement = 'ddl' or 'all' the statement, password
            # included, lands in the server log.
            cur.execute(
                sql.SQL("ALTER ROLE {} WITH PASSWORD {}").format(
                    sql.Identifier("app_user"), sql.Literal(new_password)
                )
            )
        conn.commit()
    finally:
        conn.close()

    # Write the secret before restarting anything: a consumer that restarts
    # first would read the old password and fail to authenticate.
    # Both helpers are deployment-specific and not defined on this page.
    update_secret_manager("db-password", new_password)

    # Rolling restart of applications
    restart_applications()

Recovery Planning

Shamir’s Secret Sharing

Split master password into n shares, require k to reconstruct.

Example: 3-of-5 scheme
- Share 1: Trusted family member A
- Share 2: Trusted family member B
- Share 3: Safe deposit box
- Share 4: Attorney/executor
- Share 5: Physical safe at home

Any 3 shares reconstruct password.
Any 2 shares reveal nothing.

Implementation (Python)

# The secretsharing package (pip install secretsharing) is old and unmaintained; it is kept
# here because the page uses it. SecretSharer expects a hex string, so a text secret
# goes through PlaintextToHexSecretSharer instead.
from secretsharing import PlaintextToHexSecretSharer

secret = "correct-horse-battery-staple"
shares = PlaintextToHexSecretSharer.split_secret(secret, 3, 5)   # (secret, threshold k, total shares n)
# Returns 5 shares, any 3 reconstruct

reconstructed = PlaintextToHexSecretSharer.recover_secret(shares[:3])
assert reconstructed == secret

Emergency Access

Bitwarden

Settings → Emergency Access
- Invite a trusted emergency contact (needs their own Bitwarden account)
- Waiting period is set per contact when you grant access (in days); you can reject a request during that window
- View-only or takeover access

1Password

Settings → Emergency Kit
- Share the Emergency Kit (sign-in address, Secret Key, master password hint) with a trusted person, or store it where they can reach it
- A family organizer can recover a family member's account (resets their password; vault data is preserved)
- 1Password support cannot recover an account: the master password and Secret Key never leave your devices

Security Monitoring

Breach Detection

Have I Been Pwned API

import hashlib
import requests

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def check_breach(password):
    """Return how many times `password` appears in the HIBP Pwned Passwords corpus (0 if never)."""
    # k-Anonymity: only the first 5 hex characters of the SHA-1 leave this machine
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]

    response = requests.get(
        HIBP_RANGE_URL + prefix,
        headers={
            "Add-Padding": "true",               # server pads the reply so its size does not leak the prefix
            "User-Agent": "password-check/1.0",  # HIBP asks for a descriptive User-Agent
        },
        timeout=10,
    )
    response.raise_for_status()

    for line in response.text.splitlines():
        hash_suffix, _, count = line.partition(":")
        if hash_suffix == suffix:
            return int(count)   # padding entries carry count 0, so a padded match still means "not found"

    return 0

# Check if password appeared in breaches
breach_count = check_breach("password123")
if breach_count > 0:
    print(f"Password found {breach_count} times in breach corpora")

Bitwarden Reports

Reports (web vault) → Data Breach Report / Exposed Passwords Report
- Data Breach Report: checks a username or email address against known HIBP breaches
- Exposed Passwords Report (Premium): checks each vault password against the HIBP Pwned Passwords corpus with the same k-anonymity range query
- Also available: Reused Passwords, Weak Passwords, Unsecured Websites, Inactive Two-Step Login

Migration Procedures

From LastPass to Bitwarden

1. LastPass → Advanced → Export → CSV
2. Bitwarden → Tools → Import Data
3. Select LastPass (csv)
4. Upload exported file
5. Verify imported items
6. Delete LastPass export file securely (the CSV holds every password in clear text)
7. Delete the LastPass account
8. Rotate the passwords that lived in LastPass: encrypted vault backups were stolen in the 2022 LastPass breach, so treat the old secrets as offline-crackable

From Google Password Manager

1. passwords.google.com → Settings → Export passwords
2. Chrome password manager → Export
3. Bitwarden/1Password → Import → Chrome (csv)
4. Verify all entries imported
5. Disable Chrome password saving
6. Remove saved passwords from Google

CLI Automation

Bitwarden CLI

# Login, then unlock and export the session key so later commands skip the prompt
bw login username@email.com
export BW_SESSION=$(bw unlock --raw)

# Get password (argument is a search term or item id)
bw get password github.com

# Get TOTP code (requires Premium)
bw get totp aws.amazon.com

# Generate password
bw generate --length 32 --uppercase --lowercase --numbers --special

# Create item: the JSON must be base64-encoded with `bw encode` first
echo '{"type":1,"name":"New Account","login":{"username":"user","password":"pass"}}' | bw encode | bw create item

# Sync
bw sync

# Lock the vault when done (invalidates BW_SESSION)
bw lock

1Password CLI

# Sign in (CLI v2 syntax; the `op signin <domain> <email>`, `op get item` and `op list items` forms are CLI v1 and deprecated)
eval $(op signin --account my.1password.com)

# Get password (newer CLI versions also accept --reveal to print concealed fields)
op item get "GitHub" --fields password

# Get TOTP
op item get "AWS Console" --otp

# Create item: let the CLI generate the password instead of passing one on the command line (shell history)
op item create --category login --title "New Service" username=admin --generate-password

# List items
op item list --tags work

SSH Key Management

1Password SSH Agent

1. 1Password → Developer → SSH
2. Generate or import SSH keys
3. Enable "Use the SSH agent"
4. Configure SSH:

~/.ssh/config (Linux socket path; on macOS use IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock", quoted because of the spaces). AddKeysToAgent is not needed: the 1Password agent serves its own keys and nothing is added to it with ssh-add.
Host *
  IdentityAgent ~/.1password/agent.sock

Traditional SSH with Passphrase

# Generate key
ssh-keygen -t ed25519 -C "user@email.com"

# Add to agent
eval $(ssh-agent -s)
ssh-add ~/.ssh/id_ed25519

# Copy public key
ssh-copy-id user@server

# Config for multiple keys
~/.ssh/config:
Host github.com
  IdentityFile ~/.ssh/id_ed25519_github
  User git

Host work-server
  HostName 192.168.1.100
  User admin
  IdentityFile ~/.ssh/id_ed25519_work
