- Allow TOTP generation for free for a Login entry with the URL bitwarden.com
- In the interest of security, allow free accounts to use TOTP generation for bitwarden.com.
In the interest of security there are numerous free alternatives. You pay Bitwarden for the CONVENIENCE of having it in one place with your passwords.
Btw, others even believe it is in the interest of security to NOT store TOTP tokens with passwords.
I happen to be one of those that prefer separate storage locations for my TOTP as well. When I am logging into a TOTP site I bring up Authy on my Android and use that along with my BW vault. No person could honestly believe two separate devices is not a more secure way to handle such an issue. Convenience has to have a stopping point, so I’ll stick with BW on my laptop and TOTP on my Authy devices.
It is easier to cheat as well. Create many entries with bitwarden.com as URL. So we have to support the developers right for providing a free and open source password manager. So pay $10 and use for all entries.
I use Authy for 2FA but I store my backup codes in Bitwarden which defeats the purpose of using Authy. I don’t know where else to store my backup codes.
The most obvious way to safely and securely store backup codes would be in a second, separate password manager. Be it a second Bitwarden account, a LastPass account or a KeePass database.
Since you would only rarely need the backup codes, the (offline) KeePass database would do.
That assumes that both devices are equally secure, so it is debatable. There are circumstances where it is arguable that it is more secure to have such things on a device which is thoroughly secured. A computer where a security key is needed to boot it would be an example, assuming that it was also suitably protected against online attacks.
I have my doubts about the security of phone contraptions, whether they use an operating system from Apple or Google.
That is the case and it is for each person to decide the balance of risks for themselves.