Bitwarden has its own authenticator app?

Hi there,

Just seeing this forum and Bitwarden has its own authenticator app?! Can someone answer the following questions regarding it.

  1. Does it work well on iOS 18 and with Bitwarden itself?
  2. Would it be possible to move the 2FA codes I have linked in Bitwarden over to the authenticator without turning it all off and on again?
  3. Why should I use a different app instead of one where my passwords are stored too?

@Vlumondoxa I’m a bit lazy this morning, writing answers… but maybe here are some answers already:

1 Like

Thanks @Nail1684! I like your ‘lazy answer’ :joy:! I’ll check out the links and wait for some more responses.

Thanks! :heart:

1 Like

Bitwarden help pages are a really awesome resource.

If you store your TOTP seeds into bitwarden, all eggs are in the same basket. A compromise of your bitwarden account means a compromise of all the accounts stored in it. Even if they have 2SV turned on.

It’s a balance between security and convenience; you have to decide where you feel more comfortable.

I have my TOTP seeds in bitwarden, and focus my effort in protecting my bitwarden account.

1 Like

This confuses me.

I try to translate (@kpiris please correct me if I’m wrong):

“I have my TOTP seeds in bitwarden, and focus my effort in protecting my bitwarden account.”

It means he decided a bit more for the convenience of using TOTP with the integrated authenticator in the Bitwarden password manager, instead of using the dedicated Bitwarden authenticator app (or any other 2FA/TOTP app for that matter).

And “protecting the Bitwarden account” would mean something like “the usual” (not a comprehensive list):

  • “strong” master password (most common recommendation: an at least 4-word random passphrase)
  • 2FA for the Bitwarden account itself (preferably FIDO2, as it’s the strongest form of 2FA here)
  • probably switching to Argon2 as KDF (instead of PBKDF2)
  • “reasonable” unlock interval (= time until it locks again)
  • use auto-fill and drag & drop with Bitwarden - avoid using the clipboard (and just in case: set a short “delete clipboard” time)
  • regular backups
  • having an emergency sheet (with at least the email, master password and 2FA recovery code)
  • and some “basic” security things like using only up-to-date devices (and keeping them up-to-date… security updates!), beware of phishing, keep all Bitwarden apps up-to-date, don’t use Bitwarden on a (likely) compromised device, no “circular dependencies” for your Bitwarden account etc.

… and this is always important, but all the more if you have “all eggs in one basket” (like the TOTP seeds also stored in your vault, as was the topic here)… :wink:

2 Likes

Hmm a good master password is what I have at Bitwarden and I need to access the 2FA via my Proton Mail which requires me to use my face ID.

Just one comment to that: hopefully you don’t have “circular dependencies” here, because if you need access to Bitwarden to access Proton Mail to access Bitwarden (your 2FA)… then you still get into trouble if you lose access to Bitwarden in the first place (for whatever reason… and put in other words: you need to be able to access Proton Mail - in your case - even if you didn’t have access to Bitwarden)

Well, I can access Bitwarden on multiple devices so I don’t think I’ll lose access to that.

Better assume you can lose access (“better safe than sorry”). One server update (e.g.) that automatically logs out all your devices would be enough (and those kinds of things can happen).

So in short: Bitwarden 2FA to login is useless?

No.

My “in short” would be: You have to have a “backup” of your 2FA method and/or must be able to access your Bitwarden-2FA even without access to Bitwarden. (simple analogy: don’t let your key for your car IN your car…)

PS: You don’t have your key (2FA) in your car (Bitwarden)… but if you need access to Bitwarden to get access to your car (2FA)… I hope you know what I mean…

1 Like

But how would I do that?

  1. I guess one first step might be to get an overview of all possible 2FA methods. See here and all associated help sites, especially the “Guides” for each method: Two-step Login Methods | Bitwarden Help Center
  2. One important thing as a “2FA-backup” is to safely store the 2FA-recovery code as a “last fallback” for your 2FA. Of course you also must be able to access that code, in the case you lose access to Bitwarden!
  3. Maybe later I can write more - have an appointment now…

1 Like

So the authenticator would be for example a good backup for 2FAs?

Good luck at your appointment!

Your emergency kit should include everything necessary to get back into your vault, presuming the only thing you have is a brand new PC/phone that you just picked up from the store.

Notably, if using MFA, it should include your Bitwarden recovery code. And, if you need access to your email to get back into Bitwarden, it should include your email username, password, and if applicable, its recovery code.

1 Like

Seems @Nail1684 has already pointed out the fallacy of this assumption, but it bears repeating: there absolutely are situations in which all of your Bitwarden apps and browser extensions can become logged out at the same time — and without warning. Too often, we see users who become permanently locked out of their Bitwarden vaults (losing access to all of their data) when their Bitwarden apps are unexpectedly logged out. Don’t let this be you (or your parents)!


On the topic of where to store TOTP keys for accounts that use TOTP as 2FA, for maximum security (which also implies maximum inconvenience), TOTP keys should be stored (and TOTP codes generated) in an app that is installed on a device where you are not also using Bitwarden. Therefore, if a device where you do use Bitwarden is compromised (by malware or physical theft, for example) and your vault is breached as a result, then the attacker will (presumably) be unable to access your accounts — because they do not have access to the TOTP codes which are on a completely different device.

For maximum convenience, get a Premium subscription (or Family plan), and store the TOTP keys in your Bitwarden password manager, which allows the password manager to generate your codes (and to autofill those codes into your login forms). The risk is that you are unable to properly secure your Bitwarden apps (e.g., failing to keep malware off your devices), then your vault could become compromised, allowing an attacker to access all accounts stored in your vault (since they have both the password and the 2FA).

A compromise would be to use the more convenient approach (generating TOTP codes in Bitwarden) only for less important accounts, and use the more secure approach (keeping 2FA away from Bitwarden) for the more important accounts (banks, etc.).


There is a good beginner’s guide to Bitwarden floating around the Bitwarden sub on Reddit, and you might benefit from reading it.

1 Like

I wonder who wrote that guide. :rofl:

Coming back to that point about “2FA backup for Bitwarden”…

Since there are five ways to set up 2FA for Bitwarden (FIDO2, TOTP, email, Yubico OTP and DUO), there are numerous combinations of what one can do. So, in general I would say:

  1. Having the 2FA recovery code is a must as an ultimate fallback for your Bitwarden 2FA. And that you must be able to access, if everything else fails. In your case: if you can’t login to Bitwarden and if you can’t login to Proton Mail. I myself have that printed out on paper, stored in a safe - and digitally stored as well (encrypted).

[BTW, the 3-2-1 backup rule could be also mentioned in that context… in a short version: 3 copies, on 2 different media, at least 1 off-line…]

  2. As @DenBesten already wrote, in your case, you should also write down your Proton Mail username/email address, password and 2FA backup code (or whatever exists within Proton Mail as a fallback/backup for its 2FA) on your “Bitwarden” emergency sheet. That would enable you to access Proton Mail - with the Bitwarden 2FA recovery code in it as of today, as you wrote before - even if you lost access to Bitwarden.
  3. Then maybe only for convenience: you could also set up a second form of 2FA for Bitwarden as a “fallback” (but this can also be problematic if it is “insecurely done”)… If I understand you correctly, you use email as 2FA for Bitwarden, right? You could also set up TOTP for Bitwarden - and here it is nice that you can store the TOTP seed code / secret key (or a screenshot of the QR code, which essentially is/contains the TOTP seed code, but it is more comfortable to scan a QR code than type the seed code manually) also on your emergency sheet, so that you can set up that “TOTP” again, even if you lost your phone/2FA-app. (BTW, you could also only use TOTP that way, and deactivate email 2FA, if you wanted)

So essentially, the main points again: 2FA recovery code as the ultimate fallback - and maybe more than one form of 2FA (e.g. email and TOTP) or a form of 2FA which allows “a backup” in itself, if you will call it that way (e.g. TOTP/TOTP-app - and storing the seed code/secret key on your emergency sheet).

… Hm, I think it was too long. I think it was too confused. It mainly focused on the “backup”/fallback problem. I hope someone can put meaning into my writings. :sweat_smile:

So, how do I setup emergency access exactly?