2FA for each password?

Hey everyone,

Is it possible to secure each password with a 2FA key like a YubiKey?

I am looking for an alternative to Trezor Password Manager, which is being discontinued.
There, each password request had to be confirmed additionally on the hardware device.
I am looking for exactly such a system.
I hope you can help me.

Best regards
Pho

Welcome.

You can do the same thing with Bitwarden except that you use (optionally) your key as the 2FA for the vault itself.

That way you get the same protection, but you don’t need to keep using the key for every site you visit.

That said, you should also enable hardware 2FA on the target websites so that you have to use the key to access them in addition to the site’s password.

If you want to keep all your passwords on the hardware device, there is a portable version of Bitwarden you can put on a USB key.

If you are fine having the encrypted vault on your computer but want an additional layer of 2FA, you can add a Yubikey via WebAuthn (preferred) or OTP as your second factor.

Each approach solves different use cases.

Is it really the same security?
As I understand it, with the master password + 2FA key all passwords are decrypted and are therefore copyable by a possible attacker. However, if each password is decrypted individually, it would only be possible for the attacker to copy each password that I decrypt.
Or where am I wrong?

I don’t think it’s technically possible to encrypt/decrypt on an individual password level. You’d have to have the vault left unencrypted all the time, and just decrypt individual fields or records.

@Pho - First, 2FA is used for authentication, not encryption.

Second, what is your threat model? The only way for an attacker to copy passwords out of your vault is if you allow them to have full access to your computer (either physical access, or by allowing the installation of malware) while the computer is running, unlocked, with your vault unlocked. Perhaps an easier solution is to try to avoid such a situation.

It actually would be technically possible (in fact, each individual field in your vault items is stored as its own encrypted cipher-string). However, this would make working with the vault more cumbersome, and it would be difficult (perhaps impossible) to implement features such as searching and auto-filling.

What are you trying to achieve? Are you trying to create an identical solution to Trezor password manager? If so, it’s not possible as it’s a different security model. For example, Trezor PM is also dependent on a user’s individual Dropbox account for vault security. On its face, while the Trezor approach of approving on the device each password use (identical to crypto cold wallet transactions) is neat, I’m not sure if it’s practical for a cloud-based, centralized password manager. I’m not even sure if it’s necessary.

What’s your threat model? State actor? (you’re already owned) NFT/crypto thieves? (you stand a chance, but don’t keep seeds in password managers, ever) Malware/keyloggers? (you’re already owned) Your ex-wife? (you’re already owned). This will help us understand if a password manager like Bitwarden is appropriate. If you use a long passphrase with a little salt that you never keep electronically, a hardware security key (you must keep a printed copy of the Bitwarden 2FA recovery key), a KDF of 600k+, and you export an encrypted version of your vault that you keep offline on a USB key, you have a very secure vault and redundancy. If your threat model proves this isn’t sufficient, I suspect you shouldn’t be using cloud-based storage, which also means the Trezor>Dropbox approach wasn’t appropriate. You also have the option of a password manager like KeePassXC if you want to keep everything local and/or only on your personal cloud service. A notebook and pen may be your most secure approach (notwithstanding ex-wife).

1 Like
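The two replies above make a design point that is easy to state and worth seeing in code: a vault can encrypt every field as its own cipher-string (as the reply notes Bitwarden does) and decrypt one field at a time, yet once the vault key is derived from the master password and held in memory, nothing in the data format stops the software from decrypting every field. A per-use approval step only adds security when the key that unwraps each secret never leaves the device doing the approving. The following is an added illustration written for this thread, not Bitwarden's or Trezor's own code. It assumes a toy encrypt-then-MAC construction built from HMAC-SHA256 in counter mode (standing in for a real cipher such as AES so that it runs with only the Python standard library), PBKDF2-HMAC-SHA256 at the 600k iterations the last reply recommends, and a hypothetical `approve` callback that models the hardware confirmation prompt; all field values are constructed sample data.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 600_000  # "600k+" PBKDF2 guidance from the thread


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256; a stand-in for a real cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(vault_key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the vault key.
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_field(vault_key: bytes, plaintext: str) -> dict:
    """Encrypt one field into its own cipher-string: fresh nonce, ciphertext, MAC tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt_field(vault_key: bytes, blob: dict) -> str:
    """Verify the tag (constant-time) before decrypting; reject any tampering."""
    enc_key, mac_key = _subkeys(vault_key)
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("field cipher-string failed authentication")
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks)).decode()


def encrypt_item(vault_key: bytes, fields: dict) -> dict:
    """Each field of a vault item becomes an independent cipher-string."""
    return {name: encrypt_field(vault_key, value) for name, value in fields.items()}


def unlock_all(vault_key: bytes, item: dict) -> dict:
    """What any software holding the vault key can do: read every field at once."""
    return {name: decrypt_field(vault_key, blob) for name, blob in item.items()}


def decrypt_with_approval(vault_key: bytes, item: dict, field: str, approve) -> str:
    """Per-use gate modelled on a hardware confirmation prompt.

    `approve(field)` is a hypothetical callback. Because the vault key is still
    in this process, the gate is a software policy, not a cryptographic one;
    that is the difference in security model the thread points out.
    """
    if not approve(field):
        raise PermissionError(f"use of field {field!r} was not approved on the device")
    return decrypt_field(vault_key, item[field])


if __name__ == "__main__":
    salt = b"constructed-sample-salt"
    key = derive_vault_key("correct horse battery staple", salt)
    item = encrypt_item(key, {"username": "pho@example.test", "password": "s3cr3t-sample"})
    print(decrypt_with_approval(key, item, "password", lambda f: f == "password"))
    print(unlock_all(key, item))
```

Running the block decrypts a single approved field, then shows that the same in-memory key reads every field of the item, which is the reply's point that per-field cipher-strings alone do not limit what an attacker with an unlocked vault can copy; the mitigation is keeping the machine and vault locked rather than relying on the data format.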