Shoulder surfing | Key confusion

Hi,

For our business I am looking to implement 2FA.

I am looking to reduce the risk of ‘shoulder surfing’ by using a key so in the case someone knows the password (keylogger, shoulder surfing) they still need the physical key in order to obtain access to:

  • PC
  • Bitwarden Password manager
  • Protecting Elektrum seed / password (in one case)

Some of these offers are ‘passwordless’ while others seem to work with a pin, that can be circumvented with the passphrase if you do not have the key at hand.

What key and setup would be the best defense against shoulder surfing?

Fido2 is the best solution as it requires the physical key to log in. However lots of sites don’t support it. The best supported option is TOTP, however it is not as secure as FIDO2 because if you had a keylogger you could theoretically capture the 6 digit code as its typed in and if fast enough use it. If a site supports FIDO2 you should use that, if not TOTP is a good option.