Enhanced support for "Security Questions" and Answers (e.g., capturing, generating, autofilling)

Sorry I misunderstood

Late addition, but IMHO still relevant: how to use a password manager like BitWarden to manage security questions.

Start with basics: Security questions should be treated like passwords.

On many sites security questions are really a single factor of authentication that can get you into an account. Yes, many accounts just have a single security question (including some US government accounts). Sometimes they have multiple security questions, but only ask you one, and answering only one is sufficient to reset your password. And even if they ask you more than one, if all of your security questions are kept together they can be stolen together.

If a site emails or texts you a link or a code when you have answered one or more security questions to reset your password, I suppose that is MFA. But some sites don’t bother to do that. And even if they do, in the presence of SIM-hijacking, and the somewhat less common but nevertheless real email hijacking, it’s not that great an MFA.

The risk with security questions is not just that somebody can find you on the Internet. Nor that you might’ve posted about your favorite pet. But if you use the same security questions on multiple sites…

Therefore, security questions should be different per site.

Now, how should a password manager handle security questions? Well, password managers are a reasonably good way of handling per-site, different, ideally random things.

Observation: while you could put security questions in the per-site notes for your password manager, many password managers like BitWarden and LastPass display your password obfuscated or blacked out, but display the per-site notes without blacking them out. So if the user has gone into the password manager to look at a site entry (e.g. because of synchronization problems), then the user is at risk if somebody is looking over their shoulder. Where “somebody” might be a security camera. Do you want to trust the minimum-wage person monitoring the security cameras?

=> if you have a password manager like BitWarden that does not black out the secure notes, then (a) you should put the security questions (and reset codes) in a separate note that you will need to look at less often. Or possibly (b) kluge: perhaps start the per-site entry note with some innocuous text, but then provide enough blank lines that you would need to scroll down explicitly.

Both of these schemes for dealing with password managers like BitWarden that do not black out the per-site notes are suboptimal. (a) It can be a pain to coordinate the per-site password entry and the extra per-site secure notes – especially when companies and websites change names or have aliases, or SSO, or… It is better if a password manager lets you have a single entry for a site, but allows you to black out not just the password but also secure notes or reset codes. (b) Scrolling… if multiple secure notes or reset codes are visible at the same time, then more than one thing can be stolen by that hypothetical person looking over your shoulder.

=> DESIGN PRINCIPLE: in an ideal world, or at least in a world where there are slightly better password managers than BitWarden, a per-site entry would allow not just the actual password to be blacked out in normal presentation, but it would have at least one and ideally multiple, dynamically varying in number, additional blackout-able notes fields. You could probably get away with a single multiline note field, and a variable number of single-line blackout-able fields.

OK, some minor things: IMHO it is best when you can just use conventional randomly produced passwords like hFDo#$9xbim7c*i5E#1E as your security question answers. However, I have encountered websites that constrain security question answers to be only alphabetical, at least N words with blanks, etc. So at the very least the password manager should allow for, say, 60 or 80 characters of any type in a security question answer. And ideally a password manager should provide the ability to generate such random multiword passwords. This loss is lower priority, I can roll dice.

Having a password manager like BitWarden provide multiple blackout fields in the per site entries in addition to password entries is a good start. But it sure would be nice if we could take advantage of matching on website URLs the same way password filling can be triggered.

Minor [supposedly]: IMHO a password manager should never automatically fill in login name and password when you first visit a webpage or sign-in box. Not only is that a pain when you have multiple accounts at the same website (e.g. child accounts managed by parents as well as children), but also it’s a security hole — one that BitWarden has apparently been vulnerable to in the past, and may still be vulnerable to.

But it’s convenient and less of a security hole if the user has the option of explicitly saying “select one of the several possible passwords for accounts that match the site and fill it in”. And it would be nice to have that same ability for security questions.

Of course, if security questions are not asked all that often it’s not bad to have to go and manually (a) find the security note that contains the security questions, (b) remove blacking out so you can (c) copy the security question answers, and (d) paste them in to the answer field.

However, at least one of my retirement accounts asks for at least one of my security question answers every time I log in.

Enough for now.

Note: although the above discussion is about security questions, it also applies to reset codes, which are similarly often single factors, or single factors in conjunction with email or text notifications that are vulnerable to hijacking.

One can add custom fields to each password entry. I use a custom field with type ‘password’ to hide the content from prying eyes 🙂

1 Like

I just want to add one datapoint from a not-super-dark corner of the internet. The UK government has a service that provides tax relief on payments to childcare providers. The site itself seems to use a cross-government authentication system (password + SMS code), but then every time you want to transfer money to a childcare provider, it asks three security questions. If you have twins (guess who has twins), you answer the same three questions, twice, for every payment.

So for some users autofill for security questions would be great!

So similar to adding custom fields like Hidden, Text, Boolean, Linked.

Make another one for security questions.

So, Hidden, Text, Boolean, Linked, then Security Question.

The field would allow passphrase generation from the field like how the user can with passwords.

So, like a passphrase like “earpiece whacking unreal knoll sauna” with no special characters or numbers.

I think there are already similar feature requests:

1 Like

They seem similar.

I can’t tell if they are specifically talking about the same thing I am though.

The first one is about auto fill and the second one is about extensions and being able to add recovery questions like a password. Similar to how you can save passwords on the website itself through the extension and then being able to auto fill it later. But with backup codes and recovery codes.

I am asking specifically for a custom field, but not for recovery codes or backup codes. But for security questions: like “what is your mother’s maiden name” but to be able to input a random pass phrase that is generated from the field itself. Like a user can with the password field.

If my comment does seem to fit into any of the requests there, I wouldn’t mind if the comment was moved to one of those posted requests.

As I understand it, security questions like your example are (always?) kind of recovery / backup “codes”, because security questions are only relevant if you lose access to the account.

Two remarks to that:

  1. For that reason, I personally wouldn’t save security questions in the same location (here: Bitwarden) as username/email and password (and 2FA or passkeys), because if I lost access to Bitwarden, then I would also lose access to the security questions and that wouldn’t be the idea, I guess…

  2. I think the last NIST guidelines discourage security questions… and probably with passkeys too… hopefully there will not be so many services left, that operate with “security questions”.

1 Like

I get that. But some companies require them to be used.

I have a service that makes me use SMS 2FA and also still asks a security question after successful code input. So they do use them as a multi-factor authentication as well. Sometimes it depends on the site; some have really bad security protocols. I’ve also had some work provider websites have this type of security.

Also writing them all down on a piece of paper would be nice. To have as a backup. But I use random passphrases, usually about 16 words. Some are also random words with special characters that are 100 characters etc, and trying to have them written down for all sites would be too much of a hassle. As I would have too much of a list to make and much to write.

So it’s not ideal to write it down all the time for my use case. I always make a backup of my vault though and store it on a physical USB and an end to end encrypted cloud provider.

I do agree though, security questions need to be obsolete by now. As, they’re incredibly insecure. But it seems some sites still insist on using them.

I didn’t say they have to be written down. I personally store such things (security questions, recovery codes/backup codes, TOTP seed codes/secret keys, …) in a KeePassXC database.

1 Like

Sorry, I just re-read what you said and I do see that you never mentioned writing anything down. Sorry about me getting that wrong.

That is what I get for reading things too fast and not rereading.

But I personally don’t see the need in having to run a separate password manager just so that I can store security questions. That seems a little counter-intuitive to me personally, as I like keeping things organized in one piece of software. Also, just making physical backups will be all that is needed to restore the information, rather than needing to use separate software.

For TOTP, on the other hand, I do use Ente Auth and the new Bitwarden Authenticator.

But I can see why some people may prefer to go your route. But that is just not personally for me.

(Maybe if Bitwarden Authenticator were to get a notes feature to store recovery and other things to TOTP codes. That is as far as I would go in using separate software).

Arguably one shouldn’t store username, password, and 2FA code in the same location but BW allows it. I think it’s up to the user to understand their risk tolerance and threat vectors and make a decision.

So many sites, and corporate companies, still require regular password changes – which NIST stopped recommending eons ago. Companies are slow to follow NIST.

1 Like

I meant security questions, recovery codes/backup codes etc. And that is slightly different than “password + TOTP not in the same location” I think:

  1. password + TOTP not in the same location → goal: security (multiple factors…)
  2. (A) passwords etc. and (B) security questions/recovery codes etc. not in the same location → goal: account recovery → so if I lost A, I would need B… but if I store B besides A, then account recovery becomes impossible… therefore, this is not mainly a security question to store A and B in different locations, but for account recovery…

Here I didn’t say anything about 1., but I meant 2.

Maybe not eons (wasn’t it around 2017?!)… but I see your point.

1 Like

KeePassXC’s new-found ability to import Bitwarden password-protected JSONs might result in a change to your methodology. Now, it is easy to keep a complete (well, periodically updated) copy of your vault accessible and visible in two different applications, meaning if BW blows up, you know you will have access to more than just your recovery codes.

Do know that there are currently a few known limitations. Bitwarden does not export attachments. KeePassXC does not yet import Bitwarden passkeys (it is in development), and if you have organizational vaults, complexity quickly grows.

That said, I really like the idea that one can now verify the contents of a password-protected backup. Pretty much eliminates the one benefit I saw to unencrypted backups.

2 Likes

This problem is solved by vault backups.

Security questions for purposes of recovering a “forgotten” password are not relevant to Bitwarden users (if they have an emergency sheet and redundant vault backups). However, it is possible that an account password stops working as a result of some problem on the account server, or as a result of password expiration (necessitating account recovery using security questions instead). Also common are online services that require answers to security questions in addition to input of the password (e.g., when you log in from a new device). For these use-cases, there is no benefit of keeping the security questions outside the Bitwarden vault.

1 Like

In my opinion this is a huge security gap. For me personally my process when I’m forced by certain websites to create a security questions is to do as follows:

1- I choose a security question if given a choice
2- I use Bitwarden to generate a word-based password
3- I remove all the hyphenations
4- I paste it into the notes in Bitwarden

I do this repeatedly for each security question required by the website, usually between 3 and 5 times. This is very time-consuming. However, choosing a bypass such as my last street name and putting in the real name seems like a huge security concern.

I feel a password manager should have some features to help with those. I would much rather my answer to “what street did you grow up on” be autogenerated as “goat toothpaste apple cheese” than the actual truth, which could easily be figured out with public data.

Feature Description

Enhance the Bitwarden browser extension and client applications to automatically detect and autofill Time-based One-Time Passwords (TOTP) and answers to security questions on websites and applications.

Use Cases / Benefits

  • TOTP Auto-Fill: Streamlines the two-factor authentication process by automatically inputting TOTP codes, especially on websites that restrict copy-pasting into TOTP fields.

  • Security Questions Auto-Fill: Simplifies the login process on platforms that use security questions as an additional authentication layer, particularly on sites that prevent copying and pasting into these fields.

Implementation Details

  1. TOTP Auto-Fill

    • Detection Mechanism: Implement a method to identify TOTP input fields on web pages following a successful username and password submission.

    • Auto-Fill Process: Once a TOTP field is detected, Bitwarden should automatically input the appropriate TOTP code without requiring manual user intervention.

    • User Control: Introduce a toggle option in the settings menu, allowing users to enable or disable the TOTP auto-fill feature according to their preference.

  2. Security Questions Auto-Fill

    • Custom Fields Utilization: Leverage Bitwarden’s existing custom fields feature to store security question answers. Users can define custom fields corresponding to specific security questions for each login item.

    • Auto-Fill Capability: When a security question is presented, Bitwarden should match the question to the stored custom field and autofill the answer.

    • User Interaction: Display a prompt or popup when a security question is detected, allowing users to confirm the autofill action and select the appropriate answer if multiple are available.

    • User Control: Provide a setting option to enable or disable the security questions auto-fill feature, giving users control over this functionality.

By implementing these enhancements, Bitwarden can provide a more seamless and user-friendly experience, particularly in scenarios where traditional copy-paste methods are restricted.
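To make the "Detection Mechanism", "Auto-Fill Capability" and "User Interaction" items above concrete, here is an added example written for this thread (not Bitwarden's extension code) of how a client could recognise security-question inputs in a form and match them to a login item's custom fields. The form fields, the vault item, the keyword list, the stop-word list and the Jaccard threshold are all assumptions constructed for the example; no DOM is involved, each input is represented as a plain object, and the result is a fill plan that a UI would still have to confirm with the user before anything is written into the page.

```javascript
// Added example (not Bitwarden's code): detect security-question fields in a
// form and match them to the "hidden" custom fields of a login item.

// Assumed keywords that mark an input as a security question/answer field.
const SQ_KEYWORDS = ["security question", "secret question", "challenge", "security answer", "securityq"];
// Assumed filler words ignored when comparing question text to field names.
const STOP_WORDS = new Set(["what", "is", "was", "the", "your", "of", "a", "an",
  "you", "did", "in", "on", "which", "name", "were", "first"]);

function normalize(text) {
  return text.toLowerCase().replace(/'/g, "").replace(/[^a-z0-9]+/g, " ")
    .trim().split(" ").filter((t) => t && !STOP_WORDS.has(t));
}

// A field is a candidate if it is a text/password input and either its
// attributes mention a known keyword or its visible label is a question.
function isSecurityQuestionField(field) {
  if (!["text", "password"].includes(field.type || "text")) return false;
  const haystack = [field.label, field.name, field.id, field.placeholder]
    .filter(Boolean).join(" ").toLowerCase();
  if (SQ_KEYWORDS.some((k) => haystack.includes(k))) return true;
  return /\?\s*$/.test((field.label || "").trim());
}

// Jaccard similarity of the normalized token sets of two strings.
function similarity(a, b) {
  const A = new Set(normalize(a)), B = new Set(normalize(b));
  if (A.size === 0 || B.size === 0) return 0;
  let inter = 0;
  for (const t of A) if (B.has(t)) inter++;
  return inter / (A.size + B.size - inter);
}

// Match one detected field against the item's hidden custom fields. A tie
// between the best candidates is reported as ambiguous so the UI can ask.
function matchQuestion(field, customFields, threshold = 0.5) {
  const questionText = field.label || field.placeholder || field.name || "";
  const scored = customFields
    .filter((cf) => cf.type === "hidden")
    .map((cf) => ({ field: cf, score: similarity(questionText, cf.name) }))
    .filter((s) => s.score >= threshold)
    .sort((x, y) => y.score - x.score);
  if (scored.length === 0) return { status: "no-match", candidates: [] };
  if (scored.length > 1 && scored[0].score === scored[1].score) {
    return { status: "ambiguous", candidates: scored.map((s) => s.field) };
  }
  return { status: "match", field: scored[0].field, score: scored[0].score };
}

// Build a fill plan; returns nothing when the user has the feature disabled.
function planAutofill(formFields, loginItem, settings) {
  if (!settings.securityQuestionAutofill) return [];
  return formFields.filter(isSecurityQuestionField).map((f) => ({
    target: f.id || f.name,
    ...matchQuestion(f, loginItem.customFields),
  }));
}

// Constructed sample form (as a content script might scrape it) and vault item.
const SAMPLE_FORM = [
  { id: "username", name: "username", type: "text", label: "Username" },
  { id: "q1", name: "secQ1", type: "password", label: "What street did you grow up on?" },
  { id: "q2", name: "challenge_2", type: "text", label: "Name of your first pet?" },
  { id: "q3", type: "text", label: "In what city were you born?" },
];
const SAMPLE_ITEM = {
  customFields: [
    { name: "What street did you grow up on?", type: "hidden", value: "goat toothpaste apple cheese" },
    { name: "Name of first pet", type: "hidden", value: "velvet lantern orbit" },
    { name: "Mother's maiden name", type: "hidden", value: "granite harbor maple" },
    { name: "Account number", type: "text", value: "0000-EXAMPLE" },
  ],
};

// Usage: print the plan; a real client would show this as a confirm prompt.
for (const entry of planAutofill(SAMPLE_FORM, SAMPLE_ITEM, { securityQuestionAutofill: true })) {
  console.log(entry.target, entry.status, entry.field ? entry.field.name : "");
}
```

Two design points worth keeping from this sketch: the matcher only considers custom fields of the hidden type, so plain-text notes are never offered as answers, and it never auto-commits a fill; a no-match or tie is surfaced to the user, which is the behaviour the "User Interaction" bullet asks for and avoids the silent-autofill hole discussed earlier in the thread.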

@nsbbw Welcome to the forum!

Please note that feature request threads should focus on a single proposal, to avoid confusion in the voting and discussion. I merged your post into an existing feature request thread on the topic of Security Questions.

FYI, TOTP autofilling already exists in Bitwarden, although it only works on some websites (because Bitwarden only has a list of 18 keywords used for recognizing TOTP input fields); there is a separate feature request that proposes making available linked custom fields to improve TOTP autofill functionality.

1 Like