2FA Confusion - Best Setup with MS365 and Bitwarden

I’ve been using BW for the past year, and really like the fact that I can get OTP directly from BW - great feature.

I’m also a MS365 subscriber, and that service uses Microsoft Authenticator which I also like. I gather that this does not work with BW OTP though? Add to this that I’d like to put 2FA on my BW master password but the potential to lose access, frankly scares me to death.

I want to know how others have organized their life to best utilize 2FA, to get the best in security, and ensure recovery, particularly with MS365. I’m an old guy feeling stupid and would appreciate suggestions/help.

I use both Bitwarden and Authy to store TOTPs. That is, when I obtain a 2FA key, I add it to both BW and Authy at the same time. I prefer to use BW but I have Authy as a backup in case something goes wrong. I definitely enjoy that generating TOTPs in BW means I can access them anywhere I can reach my vault, which is handy. I am also able to store my Steam Guard 2FA key in BW, which means I don’t need to have the Steam app installed on my phone.

Authy, Google Authenticator and Microsoft Authenticator are all similar, with a few functional differences. It used to be that MS and Google didn’t use cloud backups for TOTPs, while Authy did, but they all have that feature now.

One thing I especially appreciate about having my TOTPs in Bitwarden is that Bitwarden will tell me what accounts I have that I can enable TOTPs for but haven’t yet.

With regard to enabling 2FA for my Bitwarden Vault: I have DUO Push enabled (for 2FA push notifications to my phone); I store my Bitwarden Vault’s 2FA key in the vault itself and in Authy; and I have my BW 2FA Recovery Code printed out as a nondescript QR code, laminated, and stored somewhere.

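The reply above relies on one property of TOTP: the code depends only on the shared secret and the current time, so the same key entered into Bitwarden and Authy yields identical codes, and either one can be the backup. The following is an added example (not code from the post, from Bitwarden, or from Authy) implementing RFC 6238 TOTP over a base32 secret, parsing the otpauth:// URI that both apps accept, and verifying a code with a small clock-drift window as a server would. Function names, the `window` parameter and the constructed URI are my own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 TOTP secret as authenticator apps accept it:
    case-insensitive, spaces ignored, trailing '=' padding optional."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore padding that QR codes usually omit
    return base64.b32decode(s)


def totp(secret_b32: str, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) with the counter = floor(time / step)."""
    if unix_time is None:
        unix_time = int(time.time())
    key = decode_secret(secret_b32)
    counter = unix_time // step
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(key, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def parse_otpauth(uri: str) -> dict:
    """Parse the otpauth://totp/... URI encoded in an enrollment QR code.
    Returns the fields needed to call totp(); defaults follow the common
    Google Authenticator key-URI conventions (SHA1, 6 digits, 30 s)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": parts.path.lstrip("/"),
        "issuer": q.get("issuer"),
        "secret": q["secret"],
        "algorithm": q.get("algorithm", "SHA1").lower(),
        "digits": int(q.get("digits", "6")),
        "step": int(q.get("period", "30")),
    }


def verify_totp(secret_b32: str, submitted: str, unix_time: Optional[int] = None,
                window: int = 1, **kw) -> bool:
    """Server-side check tolerating `window` steps of clock drift either way.
    Uses a constant-time compare so the comparison leaks no timing signal."""
    if unix_time is None:
        unix_time = int(time.time())
    step = kw.get("step", 30)
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + delta * step, **kw)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed example URI (hypothetical account, RFC 6238 test secret).
    uri = ("otpauth://totp/Example:alice@example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
    p = parse_otpauth(uri)
    print(p["label"], totp(p["secret"], digits=p["digits"], step=p["step"]))
```

The secret in the constructed URI is the RFC 6238 SHA-1 test key, so the codes it produces at the RFC's reference times (59, 1111111109, 1234567890 seconds) can be checked against the published vectors. The same `verify_totp` logic explains why a phone whose clock has drifted by more than one step is rejected by a strict server even though the app shows a "correct" code.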

Thank you! Some new information. 🙂 Agreed, love the TOTP in BW!

Not familiar with DUO or DuoPush. Is that like standard 2FA where you get a call? If you lost your phone would you then need to go to your printed recovery code?

Thank you, again!

That is why you should have more than a single 2FA option:
For my most important account of all (Bitwarden) I have DUO, TOTP via Authy, WebAuthn and my Yubikeys. Perhaps a little overkill, but better safe than sorry.

It’s tied to the DUO app on a specific device that you pair with your DUO account. DUO Push sends notifications to that device through the installed app. If you can’t use that device anymore for whatever reason, you will need to login to your DUO Admin account (on the web) and pair your account with the app on a new device.