Copy TOTP automatically after autofilling Passkey

The Bitwarden browser extension has an option that’s on by default.

Screenshot

This works great when a login requires a password as a first step, and TOTP as the second step (2FA).

With the advent of passkeys, however, a new issue has arisen. Once you’ve replaced the password with a passkey, this no longer works. That is, using autofill for the passkey as the first login step no longer automatically copies the TOTP to the clipboard (to be used for the second step).

  • I propose to introduce the same TOTP functionality (currently used with passwords) when using passkeys

I am not quite sure if this should be classified as a feature or a bug, so a few extra details below.
Tested on:
Chrome Version 121.0.6167.185 (Official Build) (64-bit), Bitwarden Chrome Extension 2024.2.0
Websites (Passkey + TOTP): Amazon, eBay.

I hardly see a reason to implement this because passkeys already have 2FA built-in, meaning you don’t need a separate 2FA if you’re using passkeys. This makes even less sense if you would use Bitwarden to store both the passkey and the TOTP seed. Exactly what kind of security benefit do you think this setup would provide?

There is actually functionality for auto-filling TOTP codes, so you should just be able to press Ctrl+Shift+L to auto-fill the TOTP field, which is not much more difficult than pressing Ctrl+V.

Unfortunately, the TOTP auto-fill does not work on every site, and there is no support for defining linked custom fields to mitigate such issues.

My point is that I think it would make more sense to ask for improvements to make TOTP auto-filling more robust.

Hmm, I have never really considered passkeys as being 2FA in themselves. I just figured they help with things like brute-force attacks and plaintext sniffing. That’s on me.
I guess there would still be some reduced benefit to using TOTP together. For instance, a flaw is discovered in passkey design, or there is an issue with the passkey implementation on a specific website which allows an attacker to bypass it altogether somehow.

Oh yes, I’m aware. However, since I use “lock immediately” for my vault, I’m often not quick enough for that. I really wish you could set seconds not just minutes for the automatic lock. Maybe it would make more sense to request that feature instead.

Is that the same command in macOS / Chrome Mac?

I just tried it on paypal.com, and it did not fill the TOTP field.

On macOS, use Cmd instead of Ctrl. However, please note that the TOTP auto-fill does not (yet) work on all websites.

Is TOTP autofill after CTRL+SHIFT+L website-specific? It seemed to work on every website until some recent update to the Chrome plugin. I only noticed it not working this past week, when my CTRL+V afterwards started to paste things I had copied prior to CTRL+SHIFT+L.

Update: there’s an option (settings>options>“copy TOTP automatically”) to automatically copy TOTP, and it was deselected. Not sure how it got deselected, but hopefully that resolves my issue.

Hi,
Like micky a few days ago, not sure how many, the CTRL+SHIFT+L and CTRL+V were working but now the CTRL+V for the TOTP no longer works.
I’m on Ubuntu Mate 22.04.4, but I only recently upgraded a couple of weeks ago from Ubuntu Mate 20.04.6 and the problem had already started then. In all cases I’ve been using the latest version of Firefox. It seems that the problem started after an update to Bitwarden, as I have Bitwarden installed in Firefox and the desktop version. Although I might not be able to see updates to the Bitwarden add-on in the browser, I definitely see what programs are updated to the desktop. Hopefully this helps find the bug. Thanks

xian

It is not just you. I have had two updates now uncheck the “copy TOTP automatically”. The fix is as micky suggests, to re-check it (settings>options>“copy TOTP automatically”).

Here is the bug report.

Hi DenBesten,
The “Copy TOTP Automatically” option was no longer selected. After selecting it, it worked right away again. Thanks!

Now it did take a while to locate that option. It’s not in the main account online, or the desktop app, but only in the browser ‘Settings’ and not under ‘Autofill’ as one might expect, but way at the bottom, under ‘Other’ and then ‘Options’.

Appreciate the help, have a nice day.

xian