Why well-implemented 2FA mitigates both infosec and opsec attack vectors

11,766 views

Sun Knudsen

1 day ago

In this episode, we explore why well-implemented 2FA mitigates both infosec and opsec attack vectors.
==============================
SUPPORT
==============================
Support this channel 👉 sunknudsen.com/donate

Comments: 31
@bendrix 4 years ago
Seriously, you don't know it yet but you are a super hero with a brainiac wonderfulness bro. Keep doing what you are doing. I'm your most loyal fan ever!!!! So proud of all that you are doing. I've watched every video at least 2x!
@sunknudsen 4 years ago
Thanks Ben, that really means a lot to me. Starting a VLOG is a shit ton of work and comments like yours are jet fuel.
@capedcrusader5282 4 years ago
@sunknudsen 😊😊😊😁 Exactly!
@mzmzmzm 3 years ago
Your channel is a rabbit hole 🕳 (in a good way!)
@sunknudsen 3 years ago
Happy to see others are joining me in the rabbit hole. 🤓
@Ncxgroup 3 years ago
I enjoy what you're doing. Great information and point of view.
@godhanikevin 4 years ago
Why do you have so few subscribers? I never comment on any YouTube video, but I do for you. Keep doing your great work. I like your every video and I blindly trust your every advice on privacy topics.
@sunknudsen 4 years ago
Thanks for the push... I guess privacy is a niche thing... that being said, our community is growing. 🤓
@ChopTheViking 3 years ago
Another OpSec consideration for phone biometrics: if for some reason you are arrested in the US, biometrics can be compelled by the courts. So if you have a thumb print or face unlock, the court can compel you to unlock the phone via biometrics. They cannot legally compel you to enter in a password though.
@nomoore 3 years ago
Hi Sun, I recently found your channel and I’m loving it. What are your thoughts on using a password manager such as 1Password and then a separate authenticator app on the same computer tied to a hardware token (such as a YubiKey, with Yubico Authenticator)? That should satisfy infosec as well as opsec, since the hardware is needed to open the authenticator. Am I right? In the case of the YubiKey I believe the TOTP hashes are actually stored on the hardware key, not in the software auth app.
@FulanodeTal-wh8ub 1 year ago
Your videos are short and good.
@daishokey7440 3 years ago
Hey Sun, last video you recommended 1Password, because it enables you to locally sync your vault between your laptop and your phone. In this video on the other hand, you say that you should never ever put your password manager on the same device as your 2FA app. I am confused :D Do you use your password manager on your phone or not? By the way, congrats to 10k subscribers!
@FlyingNacho 3 years ago
I'm pretty confused about this too. I wish @Sun Knudsen could clarify a bit further, I'm sure it'd help many people!
@MK-sy3ru 2 years ago
Hi Sun, thank you for doing this amazing work. Looking at YubiKey, which one is the better choice out of Security Key C NFC (FIDO only) vs YubiKey 5C NFC (OATH-TOTP, PIV/Smart card, as well as FIDO)? Is FIDO the golden standard? Again, thank you for your work!
@raduneo 1 year ago
Great video Sun. But when you have a password manager synched through local vault with your phone, doesn't that mean you have both the password manager AND 2FA on the same device? Obviously you would need the password manager on the phone too... Ideas on this?
@shell11 3 years ago
I hope you will do a recap episode about where to keep a password manager app (with its database) and where to keep the OTP authenticator app, and how to safely back up both in a similar scenario. I suppose we should not keep both apps/files on the same device (laptop/smartphone). For example, is it suggested to use the smartphone to receive OTP codes only and the laptop to get access to the password manager database only (in order to limit the compromised data in case a device gets hacked)? If making a similar split makes sense, do you think backups should also be performed with different drives, in order to ensure both files are never on the same online device?
@saumya942 3 years ago
Hey Sun, while I understand the risk with biometric authentication... Wouldn’t you agree that for most people it is less likely for a cyber criminal to physically attack them as compared to seeing/recording them entering their password in public? In such a scenario, isn’t it better to unlock password manager and payment apps using biometrics instead? Also, correct me if I’m wrong, but Face ID on iOS requires you to be attentive, right?
@Kurt013 3 years ago
But having a password manager on one device and the 2FA on another device, will limit you. If you're not at home and you have, let's say, password manager only on your pc/mac, how would you do if you need that?
@sunknudsen 3 years ago
Great question... I would recommend against having both password manager and 2FA apps on desktop but having both on iOS is safer because of how iOS sandboxes apps.
@cmdrefstathiusplacidus9003 1 year ago
So I was interested in using Authy and then I heard they were hacked. My understanding is that it was the multiple device functionality that was vulnerable, and it wasn't the code itself but employees that became victims of social engineering at the root of the issue. Would you still be confident in Authy as a solution?
@user-zr7kz4vs7c 3 years ago
Do you think that hardware security keys are better than TOTP auth (app)?
@sunknudsen 3 years ago
Hey, depends on use case and which hardware security key is used (among other rabbit holes), but binary answer is yes. That said, one needs a solid backup strategy. Episode to come!
@user-zr7kz4vs7c 3 years ago
@sunknudsen Don’t get me wrong, I love your channel a lot! Please keep up your efforts. I am not sure which security key I should buy. Do you have any recommendations?
@ayadalmallak4738 3 years ago
Dear, please can you support and help me? My 2FA is not working. The mail is OK and the password is OK. When they ask about Google Authenticator, I put it and they said it's not a match. I have the backup code.
@yashptel 3 years ago
If he can whack me, he can probably threaten or try to kill me to get the password anyways. So I don't get the point about biometrics. I know it'll be more secure to disable it. But really?
@sunknudsen 3 years ago
I like the idea of having to be conscious to access my passwords... Aside from threats or physical attacks, drugs can be used as well.
@yashptel 3 years ago
@sunknudsen Yeah, in that case it will be safe. I still would prefer a short 6-digit PIN or something instead of my long ass password, because I prefer both convenience and security.
@sunknudsen 3 years ago
I agree... the trade-offs are hard from a user experience perspective. For me, it was hard at first... and eventually I forgot how convenient things were before becoming privacy conscious and unless I go back, a new "normal" has settled in.
@MikeHunt-rw4gf 3 years ago
Algorithm.
@yashptel 3 years ago
Btw Android also uses AES for storage encryption. It's probably 128-bit. So there's that.