Disable Auth App After Adding Yubikeys?

Your 2FA is only as strong as your weakest link. Thus, to get the security benefits of FIDO2/WebAuthn, you should disable all other forms of 2FA. If you’re new to YubiKeys, you could temporarily keep TOTP enabled while you get used to the FIDO2 authentication process and build some confidence in this 2FA method; however, you should disable TOTP as soon as you feel comfortable letting go of the training wheels.

The only exception would be if you need to log in to Bitwarden on a client app or browser that does not support FIDO2 (e.g., the Desktop app for macOS or Linux). Even for those cases, if you have a second client app available that does support FIDO2, you could use Bitwarden Authenticator (on your logged-in client) to create TOTP codes for logging in to Bitwarden through your macOS Desktop app, etc. — that would be somewhat more secure than Authy, because only someone with access to your YubiKeys could get your TOTP key.

Finally, as pointed out by @DoctorB, it is highly recommended that you print out your 2FA recovery code and store it in a secure location as an emergency backup (for example, in case you lose all of your keys, or some weird bug prevents WebAuthn from working, etc.).
