2FA for Bitwarden Vault

I recently upgraded to premium in order to use the 2FA feature. I was using Authy and it works, but can be a bit clunky at times not syncing and stuff like that.

I have 2FA set up for my vault with Authy, but recently changed it to Bitwarden and I learned a really good lesson, as you can imagine :man_facepalming:.

Entered my password, then couldn’t log in because the 2FA is in Bitwarden now :rofl:.
Thank God I had an email set up as a backup for the 2FA and was able to log in to my vault.

What do you guys recommend doing for 2FA for your vaults… email? or a separate Authenticator?


I recommend using a Yubikey or similar hardware key set up as a FIDO2/Webauthn authentication factor.


Yeah, you have to watch the circular dependency stuff.

Because you want to use BW for TOTP code generation, you should use a hardware key (WebAuthn/FIDO2) for your BW just to make sure that you cannot be phished. Some people would recommend disabling the email 2FA to remove the weakest link, but in this case, you need to absolutely make sure to write the BW’s 2FA recovery code down, just to make sure even if you don’t have your hardware key, you can access BW (disabling the 2FA authentication).

You should think about making backups as well. If you have backups, even if you can’t access BW at all, you can delete the old account and restore from your backup. This is, of course, the last resort, as you will need to get in touch with support to re-enable your paid status.

100% agree on this one. I use Yubis for both methods of access. TOTP on a Yubi is nice because no online service (Authy, Google, etc.) has my stuff stored there. Someday it will be nice when/if Android works well with the full Yubi and we don’t have to rely on TOTP via phones.

For me, I would hate to have to carry around another device with me that would live on a keychain. What about the times you’re home and outside with the kids and the keychain is inside?

We always have our phone with us, and therefore I would love some way for the phone to be the hardware token, with the option to set up another hardware device as a backup (such as a YubiKey) in case the phone is damaged.

I get that a yubikey is the most secure, but for a simpleton like me… I don’t even carry my house keys with me. I only carry my car key fob and always enter my house through the garage lol. I don’t like carrying extra nothing with me. Besides, why would I need a yubikey if the only device I would use when not at home is my iPhone?

Yubikey is not for me. I guess the next best thing is 2FA Auth app and/or email as backup.

Can Yubico or even Bitwarden come up with something where their app uses your iPhone and can then utilize something like a push notification to your device to accept a login? The app would have the specifics of your iPhone as a hardware-like token/device.

Premium accounts allow DUO to be used as a 2FA provider, and DUO has an option for push notification of OTPs to mobile phones.

This is what I currently use, DUO push.

Now that I’m recalling, it’s not 2FA where the shortfall is but the password. Wishing for the passkey option with Bitwarden and to use the iPhone as a way of authenticating.