Bitwarden could be linked to my email account.

It’ll be great if Bitwarden could use Gmail API to know when the “confirm your email” comes in, and copy the verification token automatically.

I do not think it is a good idea to favor one email provider/client over another. Google should be even less favored in light of the “monopolistic” practices they have been exhibiting for the sake of extreme data collection for targeted advertising.

Website owners instead should be pressured to prefer TOTP authentication with a pre-shared secret, like authenticator apps. Bonus: Bitwarden directly supports TOTP with an integrated TOTP authenticator function as easily accessible as a password for a login.

Now website owners prefer OTP where they alone generate a code and send it to the user via a pre-shared method such as SMS or e-mail. Ironically, most software used to generate the codes they do send can also support TOTP; they just don’t use the feature. SMS/email OTP is “good enough” in their eyes.

SMS is the least secure, mostly security by obscurity. Modern email goes across encrypted connections and uses no third-party relays, so it is more secure than SMS, but there is still some legacy emailing out there without encrypted connections and/or using third-party relays. Legacy email as such is like sending it via postcard rather than in an envelope, which could be a security envelope.

Smirk.

Regarding 2FA/OTP, one needs to not let “perfect become the enemy of good”. Password+SMS is substantially better than a password alone.

I suspect the reason my bank prefers SMS over TOTP is that they maintain more control over where it is used. When I recently switched providers, my bank detected it and disabled SMS until I let them know the change was mine. From their perspective, I can see this advantage over TOTP or email.

TOTP is not perfect, so no danger of it becoming the enemy of the good. But SMS barely qualifies as good. I will acknowledge that Password+SMS is better, but certainly not substantially better than password alone.

My beef is with the websites which have already done most of the hard work to support OTP with tools that can support TOTP but do not go the little bit more to also support TOTP.

Do a little research on SMS hacking and you will be appalled at how easy it is to spoof and intercept. The technology goes back to the 80’s. The security is nearly non-existent and has not really changed since.

I have seen SMS OTP referred to as 1.5FA and I think that may be generous.

Where a financial institution provides only for SMS confirmation, one option (given a current phone and a willingness to pay) is to have a second, dedicated phone number known solely to the relevant institution’s computer, unused for any other purpose. The security by obscurity here is simply that the target for a spoof message is unknown to the criminal. Anything sent to one’s publicly known number is automatically untrustworthy. Anything to the ‘secret’ number can be considered further.

SMS barely qualifies as good

I think you misunderstand my position. It is not that SMS is a “great choice” (nor is “reset by email”). But rather that we need to be careful with our messaging. “SMS bad; TOTP good” may be a decent call to action for a technical audience. However, one needs to be aware that those with little appetite for complexity are also listening.

Since we don’t want anyone to stop listening after “SMS bad”, and sticking with a password alone, I prefer “No-MFA bad; SMS good; TOTP better; Passkeys best”. And, today, I would declare success at TOTP (Time-based One-Time Password – TOTP) for production-use because Passkeys still have some growing-up to do.

Even the worst OTP mitigates the risk of a replay attack and those associated with password-reuse, which is why I feel it substantially better than a static password alone. Sure, SMS will not stand up to a targeted attack, but opportunistic attacks are the ones we all face every day.

TOTP 2FA authentication in Bitwarden is far more convenient to use than SMS OTP. I chose TOTP here for 2FA because of that.

I can log in to this site faster and easier than at any of my banks’, paycheck’s, auto insurance’s, health insurance’s, healthcare provider’s, cellphone carrier’s, electric supplier’s, internet provider’s, etc.’s websites, which have all moved to 2FA as they should, because those are all important. I have to wait for the code to arrive via SMS or email, hoping it arrives before the timeout (5 minutes for one site). Then copy and paste, if I am lucky and they have not decided that pasting is bad and disabled it in the web form. Some have also chosen such short session timeouts that I have to log in (and wait for the code) one or more times to get done what I logged in for.

TOTP in Bitwarden (or another authenticator) has the code right there, no waiting. The few sites I use that offer it (mostly forums) are so much easier to log in to. It is shameful that these forum sites are more secure and easier to use than most of the more important sites I use.

I do use hardware and passkey 2FA/MFA when available on the four sites I use that offer it. It is a little less convenient than TOTP, but these sites “hold the keys to the castle”, so to speak, being the Bitwarden vault site and my email providers for account recovery for all the SMS/email OTP-only sites. It is the best I can achieve.

We need more users to demand better of these SMS/email OTP 2FA sites in both convenience and security. And realistically, these sites have already invested in the foundation and framework for TOTP.