I’m using the current version of Bitwarden on Chrome in Windows. I want to get started using Bitwarden’s autofill for sites that require 2FA. I’m kind of stuck at the start, as I already use MS Authenticator on a few sites that I want to add to Bitwarden. Starting with PayPal, I can’t find how to get PayPal to generate a QR that I can add to Bitwarden. Must I disable 2FA in PayPal and start over?
Likely you need to disable/re-enable. MS Authenticator does not allow export of the TOTP secret key.
One thing to know is that the QR primarily contains the secret key. Once in Bitwarden, you can copy/paste the secret key into the likes of MS Auth at a later date (click “enter code manually” instead of shooting the QR).
Just beware that if you do put your TOTP codes in Bitwarden (or any password manager) you then have all of your cows in one basket.
Someone gets access and the advantages of 2FA vanish into thin air. IMHO it’s best to stick with a separate 2FA mechanism but that’s just me.
Some believe it is better to have one well-protected vault minimizing the attack surface and administrative overhead while maximizing convenience; others prioritize bifurcating credentials into two vaults because a partial disclosure is less impactful than a full disclosure. Neither side is wrong and there will likely never be consensus. The important thing is to understand the benefits of each and decide which one better fits your risk appetite.
Incidentally, there is a third option, peppering one’s passwords, which accomplishes bifurcation even for passwords without TOTP.
Not totally. The primary advantage of TOTP is preventing replay attacks. If somebody shoulder surfs or eavesdrops on your Internet connection, the credentials you used will not work for them when they attempt to use what they just learned.
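The two points above (the QR code is essentially a carrier for the shared secret, and a captured TOTP code is useless outside its time window) can be made concrete with a few lines of code. The following is an added example and not code from any post in this thread or from Bitwarden: it parses a constructed otpauth://totp URI of the kind a QR encodes, derives codes per RFC 6238 (HMAC-SHA1 over the 30-second step counter), and checks a submitted code the way a relying party would. The PayPal URI, the account name and its secret are made up for illustration; the second URI carries the public RFC 6238 test-vector secret so the output can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample URIs (not real accounts). The first mimics what a site's
# QR code encodes; the second uses the RFC 6238 Appendix B test secret
# ("12345678901234567890" in Base32) with 8 digits so results are checkable.
SAMPLE_URI = ("otpauth://totp/PayPal:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=PayPal&algorithm=SHA1&digits=6&period=30")
RFC_URI = ("otpauth://totp/Example:rfc6238"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")


def parse_otpauth(uri):
    """Extract the fields an authenticator needs from an otpauth://totp URI.

    The 'secret' parameter is the whole enrollment: anyone holding it can
    mint valid codes, which is why moving it between apps is just copy/paste.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [None])[0],
        "secret": q["secret"][0],
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digestmod = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256,
                 "SHA512": hashlib.sha512}[algorithm]
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(params, at_time):
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / period)."""
    return hotp(params["secret"], int(at_time) // params["period"],
                params["digits"], params["algorithm"])


def verify(params, submitted, now, drift_steps=1):
    """Server-side check: accept the current step plus +/- drift_steps for
    clock skew. A code replayed outside that window is rejected, which is
    the replay protection described above."""
    step = int(now) // params["period"]
    return any(
        hmac.compare_digest(
            hotp(params["secret"], step + d, params["digits"], params["algorithm"]),
            submitted)
        for d in range(-drift_steps, drift_steps + 1)
    )


if __name__ == "__main__":
    p = parse_otpauth(RFC_URI)
    print("secret recovered from QR URI:", p["secret"])
    print("code at T=59:", totp(p, 59))          # RFC 6238 vector: 94287082
    captured = totp(p, 59)
    print("replay 30s later accepted (skew window):", verify(p, captured, 89))
    print("replay 150s later accepted:", verify(p, captured, 209))
    print("live code for constructed PayPal entry:", totp(parse_otpauth(SAMPLE_URI), time.time()))
```

The `verify` window is the trade-off a site makes between tolerating clock drift and shrinking the replay window; most services accept one step either side, so an eavesdropped code is dead within roughly a minute. Note what the example does not protect against: someone who obtains the secret itself (from the QR, the URI, or a vault) can run `totp` as easily as the legitimate user, which is the point made in the posts above about keeping the TOTP seed separate from the password.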
Thanks. Would Google Authenticator be a better/easier option?
The same would also be true then for passkeys, stored in the Bitwarden vault…
No. I think the most recommended TOTP authenticator apps at the moment are: Ente Auth, 2FAS, Aegis (I think Android-only)… and there is also the Bitwarden authenticator app, which is still relatively new.
Thanks. Looks like Bitwarden is the way to go. If I have Bitwarden fill in the code, would I even need access to my phone if I’m on a PC?
Suppose that’s true.
Oh, I might have created a misunderstanding now. There are two “(TOTP) authenticators” with Bitwarden:
- the integrated authenticator (= using TOTP codes inside the BW password manager vault and apps) → Integrated Authenticator | Bitwarden
- the dedicated Bitwarden authenticator app (= dedicated TOTP app for Android and iOS) → Bitwarden Authenticator | Bitwarden
(your request was about the integrated authenticator first, if I understand it correctly, and in my previous post, I meant the dedicated authenticator app then, as I listed Ente Auth etc.)
BTW, to make it even more complicated: the dedicated BW authenticator app will get a sync function with the BW password manager, so that the distinction between the integrated authenticator and the dedicated authenticator app might begin to blur.
Thanks for pointing this out. I ended up enabling the integrated authenticator. When I enabled 2FA, I got a QR, which seemed to be for Bitwarden as opposed to a given outside logon. At that point, I got a bit more confused. What I expected was a Bitwarden stand-alone app that I could integrate with the Bitwarden app/Chrome extension.
Thanks to your comment, I now see the stand-alone app, which I may try, if it integrates with Bitwarden. Doing it that way may be easier for me.
I’m not quite sure how you mean that, but if you mean a TOTP-code for the Bitwarden account itself: you can store that in Bitwarden… but please store that also outside of Bitwarden (besides the 2FA recovery code), because it’s a bit problematic, if you want to login to Bitwarden, needing the TOTP code, which is only in Bitwarden, where you’re trying to login to now…
Thanks again for your indulgence, and I see your point. Now, I don’t use 2FA for Bitwarden itself. I use Bitwarden often to fill my creds on my phone, and I prefer convenience over the added security in that environment. Overall, it seems that Google Auth is best suited to my needs.
@JimmyW I’d suggest that you do utilize 2FA to access the web vault. As you’re probably aware there are many methods (hardware key, authenticator app, etc.) but definitely enable something.
I agree with @bwuser10000 - 2FA for the Bitwarden account is more or less a must these days. Also be aware of the new device verification, when 2FA is not activated.
… and the better alternatives to Google authenticator were listed above.
PS: I adapted the title a bit… from “Basic use of 2FA with Bitwarden - generating QRs” to “Basic use of 2FA (TOTP codes) within Bitwarden - generating QRs?”…