When setting up 2FA security, some sites issue a list of backup codes that they ask you to print out or store securely. My question is, would there be any reason why these codes couldn’t be added into the Notes field for the password form for that site?
This depends on whether you are using the integrated Bitwarden Authenticator or a third-party authenticator app to generate the TOTP codes.
The Bitwarden Authenticator is subject to debate in the user community, with arguments against it saying that it is “putting all eggs in one basket”, and proponents arguing that it is not a significant risk if you keep your vault secure (especially if the vault itself has a WebAuthn/FIDO2 hardware key as its 2FA factor), and that the sheer convenience of using the Bitwarden Authenticator makes you more secure by increasing the use of TOTP on more accounts. The proponents of Bitwarden Authenticator also argue that using a third-party authenticator app on the same device that is running Bitwarden does not remove the “eggs in one basket” risk, because malware on your device could compromise both apps.
I mention the above, because putting your 2FA recovery codes in Bitwarden carries the same “eggs in one basket” risk that has been used to criticize the integrated Bitwarden Authenticator. Basically, if someone gains access to your vault contents, then they will have not only your account passwords, but also the recovery codes for bypassing whatever form of 2FA that you are using with those accounts.
Thus, if you are already using Bitwarden Authenticator, then there is no added risk of storing the 2FA recovery codes in Bitwarden, at least not for accounts that use TOTP as the 2FA. In contrast, if you have gone through the trouble of securing an account with WebAuthn/FIDO2 as the 2FA, then you may want to think twice about storing the corresponding 2FA recovery code in Bitwarden.
For any information that you want to store securely outside of Bitwarden, you can use a VeraCrypt container or something similar.
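To make the "recovery codes bypass the second factor" point concrete, here is an added example (not code from Bitwarden, VeraCrypt, or any site in this thread) of how a site's login check typically treats them: the server accepts either a current TOTP code or one unused backup code as the second factor, so a backup code is a complete, stand-alone substitute for the authenticator or hardware key. The `Account` class, the `issue_recovery_codes` helper and the SHA-256 storage of codes are hypothetical simplifications; the TOTP routine is RFC 6238 (HMAC-SHA1), and the secret used in the usage lines is the RFC's own test vector.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Tuple

# Hypothetical server-side model (added example, not Bitwarden's or any site's code).
# The site accepts EITHER a valid TOTP code OR an unused recovery code as the
# second factor. Whoever holds the recovery codes therefore holds the second
# factor, whatever form (TOTP app, WebAuthn key) the account nominally uses.

DIGITS = 6
STEP = 30


def totp(secret_b32: str, for_time: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32-encoded shared secret."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def issue_recovery_codes(n: int = 8) -> Tuple[List[str], List[str]]:
    """Generate n single-use codes.

    Returns (plaintext codes shown to the user once, hashes the server stores).
    Hashing here is plain SHA-256 for brevity; a real site would use a slow hash.
    """
    plain = [secrets.token_hex(5) for _ in range(n)]  # 10 hex chars each (assumed format)
    hashes = [hashlib.sha256(p.encode()).hexdigest() for p in plain]
    return plain, hashes


class Account:
    """Minimal account record holding the TOTP secret and unused recovery-code hashes."""

    def __init__(self, totp_secret_b32: str, recovery_hashes: List[str]):
        self.totp_secret = totp_secret_b32
        self.unused_recovery = set(recovery_hashes)

    def verify_second_factor(self, submitted: str, now: Optional[int] = None) -> Optional[str]:
        """Return 'totp', 'recovery', or None depending on how the submission verified."""
        now = int(time.time()) if now is None else now
        # Accept one time step of clock skew either side, as most sites do.
        for t in (now - STEP, now, now + STEP):
            if hmac.compare_digest(totp(self.totp_secret, t), submitted):
                return "totp"
        # A recovery code is consumed on first use; no TOTP secret or key is involved.
        h = hashlib.sha256(submitted.encode()).hexdigest()
        if h in self.unused_recovery:
            self.unused_recovery.discard(h)
            return "recovery"
        return None


if __name__ == "__main__":
    # RFC 6238 test secret "12345678901234567890" in base32.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    plain, hashes = issue_recovery_codes(4)
    acct = Account(secret, hashes)
    print(acct.verify_second_factor(totp(secret, 59), now=59))  # totp
    print(acct.verify_second_factor(plain[0], now=59))          # recovery
    print(acct.verify_second_factor(plain[0], now=59))          # None (already used)
```

The second call succeeds without any TOTP secret or hardware key being present, which is the whole of the "eggs in one basket" concern: a vault entry that contains the password and the recovery codes is a complete login, regardless of which 2FA method the account is set to.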
Thank you @grb for a comprehensive and clear reply. Your suggestion to use VeraCrypt is exactly what I’ve been doing to date, but I was trying to think of a simpler approach. After reading through your response, I think I’ll be sticking with VeraCrypt. Many thanks.