Dedicated Two Factor Authentication (2FA) App

Password managers, TOTP managers, and cryptocurrency wallets are all domain-specific secrets managers with the same fundamental security model. However, the BitWarden password manager is commonly installed as a browser extension, which puts it at greater risk of compromise through an XSS attack, a browser exploit, or a side-channel leak. A dedicated 2FA app that enforces a stricter security model than the standard password manager would be a good complement to the existing BitWarden suite.

There is room in the market for a solution from BitWarden. Most online reviews suggest Authy or Duo [1, 2], neither of which allows transferring tokens from iOS to Android. There are a few FOSS 2FA apps, but they appear to have a lifespan of about five years, and none has received a code audit. A pro version of the app could offer synchronization and backup across ecosystems. If the free app became a top contender, it would drive sales of the password manager.

IMO, the only way to meaningfully defend against brute force attacks against a phone PIN and low-quality user passwords is via a hardware security module. Apple and Google use HSMs to protect user backups, so BitWarden could just reuse their infrastructure. Backups and sync not protected by an HSM should instead be protected by a randomly generated private key. The setup for a new user would be similar to that of a cryptocurrency wallet, where the user is expected to print out a QR code or manually transcribe the secret key using a mnemonic.

The app should also live in its own process, which rules out browser extensions and the like. The limited scope of the app could be used as an opportunity to refactor some of the codebase.
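The backup design sketched above (a PIN-derived key is brute-forceable offline unless an HSM rate-limits guesses; a randomly generated key that the user records offline is not) can be shown concretely. The following Go program is an added example written for this post; it is not BitWarden's code and does not describe how BitWarden's products work. It assumes a constructed sample vault of TOTP seeds, derives the PIN key with a single SHA-256 pass as a stand-in for a slow KDF (a KDF only multiplies the attacker's cost by a constant; the 10^6 PIN space is the problem), and renders the random key as hex plus a checksum byte as a stand-in for a word-list mnemonic. `sealVault`, `openVault`, `pinKey`, `bruteForcePIN`, `randomBackupKey`, `encodeForTranscription` and `decodeTranscription` are all names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed sample vault: TOTP seeds keyed by account name (not real secrets).
var sampleVault = []byte(`{"github":"JBSWY3DPEHPK3PXP","bank":"KRSXG5CTMVRXEZLU"}`)

// newGCM wraps a 32-byte key in AES-256-GCM.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealVault encrypts plaintext under key; output is nonce || ciphertext || tag.
func sealVault(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openVault reverses sealVault; a wrong key fails the GCM tag check.
func openVault(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("backup blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// pinKey derives a key from a numeric PIN (one SHA-256 pass here, a slow KDF
// in practice; either way the attacker only has 10^6 candidates to try).
func pinKey(pin string) []byte {
	sum := sha256.Sum256([]byte("vault-pin:" + pin))
	return sum[:]
}

// bruteForcePIN is the offline attack a stolen, PIN-sealed backup permits when
// no HSM rate-limits guesses: try every 6-digit PIN until the tag verifies.
func bruteForcePIN(blob []byte) (pin string, attempts int, found bool) {
	for i := 0; i < 1000000; i++ {
		pin = fmt.Sprintf("%06d", i)
		if _, err := openVault(pinKey(pin), blob); err == nil {
			return pin, i + 1, true
		}
	}
	return "", 1000000, false
}

// randomBackupKey is the alternative: 256 bits from the OS CSPRNG, recorded
// offline by the user, leaving no small space for an attacker to enumerate.
func randomBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// encodeForTranscription renders key || SHA-256(key)[0] as hex for the user to
// print as a QR code or write down; the checksum catches a mistyped digit.
func encodeForTranscription(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(append(append([]byte(nil), key...), sum[0]))
}

// decodeTranscription parses the transcript back into a key, verifying the checksum.
func decodeTranscription(s string) ([]byte, error) {
	raw, err := hex.DecodeString(s)
	if err != nil {
		return nil, err
	}
	if len(raw) != 33 || sha256.Sum256(raw[:32])[0] != raw[32] {
		return nil, errors.New("bad length or checksum: transcription error")
	}
	return raw[:32], nil
}

func main() {
	blob, _ := sealVault(pinKey("004217"), sampleVault)
	pin, n, _ := bruteForcePIN(blob)
	fmt.Printf("PIN-sealed backup cracked: pin=%s after %d guesses\n", pin, n)
	key, _ := randomBackupKey()
	fmt.Println("random backup key, record offline:", encodeForTranscription(key))
}
```

The brute-force loop recovers the sample PIN in a few thousand AES-GCM tag checks on a laptop; the random key cannot be recovered that way, so the only remaining risk is the user losing the transcript, which is exactly the trade-off cryptocurrency wallets make.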