At the moment the master password alone decrypts every item in an unlocked vault. 2-step login (YubiKey, WebAuthn passkey, etc.) is enforced only when signing in to the server, not when accessing TOTP secrets or stored passkeys locally. If an attacker obtains the vault file and the master password—or if malware runs while the vault is open—every 2FA secret becomes single-factor.
Proposed solution
Add an optional “Secure 2FA items with an actual second factor” toggle:
- Bitwarden encrypts each TOTP seed or passkey blob with a key that is released only by a previously-registered second factor (e.g. the one used to log into the vault).
- When a code is generated or a passkey is used, the client must touch/insert that factor (or supply a one-time backup code) to unwrap the sub-key.
This keeps the current cloud-sync and autofill workflow; only the sensitive 2FA sub-vault needs the additional touch.
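The wrapping structure described above, as an added illustration that is not Bitwarden's code: the TOTP seed is encrypted under a separate sub-key, and that sub-key is stored twice, once wrapped by a key derived from the master key plus a hardware challenge-response, and once wrapped by the master key plus a one-time backup code. The `HardwareFactor` class, the `hkdf`/`wrap` helpers and the vault layout are constructed stand-ins; a real client would use PBKDF2/Argon2 for the master key and an AEAD such as AES-GCM for wrapping.

```python
import base64, hashlib, hmac, os, struct, time

def hkdf(ikm, info):
    """Minimal single-block HKDF-SHA256 (RFC 5869) with a fixed, labelled salt."""
    prk = hmac.new(b"2fa-subvault-salt", ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def wrap(kek, secret):
    """Wrap up to 32 bytes under kek: one-use keystream XOR plus HMAC tag (an AEAD in a real client)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, hkdf(kek, b"stream" + nonce)))
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong factor/backup code or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, hkdf(kek, b"stream" + nonce)))

class HardwareFactor:
    """Constructed stand-in for a YubiKey HMAC-SHA1 challenge-response slot; its secret never leaves it."""
    def __init__(self): self._secret = os.urandom(20)
    def respond(self, challenge): return hmac.new(self._secret, challenge, hashlib.sha1).digest()

def enroll(master_password, factor, totp_seed):
    """Build a vault: TOTP seed under a sub-key, sub-key wrapped by the factor response and by a backup code."""
    master_key = hkdf(master_password.encode(), b"master")  # stand-in for PBKDF2/Argon2
    sub_key, challenge = os.urandom(32), os.urandom(32)
    backup_code = base64.b32encode(os.urandom(10)).decode()
    vault = {
        "challenge": challenge,  # stored in clear; only the factor can answer it
        "sub_key_by_factor": wrap(hkdf(master_key + factor.respond(challenge), b"factor-kek"), sub_key),
        "sub_key_by_backup": wrap(hkdf(master_key + backup_code.encode(), b"backup-kek"), sub_key),
        "totp_seed": wrap(sub_key, totp_seed),
    }
    return vault, backup_code

def totp_code(vault, master_password, factor=None, backup_code=None, now=None):
    """Generate the RFC 6238 code; fails unless the factor is present or a backup code is supplied."""
    master_key = hkdf(master_password.encode(), b"master")
    if factor is not None:
        kek = hkdf(master_key + factor.respond(vault["challenge"]), b"factor-kek")
        sub_key = unwrap(kek, vault["sub_key_by_factor"])
    elif backup_code is not None:
        sub_key = unwrap(hkdf(master_key + backup_code.encode(), b"backup-kek"), vault["sub_key_by_backup"])
    else:
        raise PermissionError("master password alone cannot release the 2FA sub-key")
    seed = unwrap(sub_key, vault["totp_seed"])
    counter = int(time.time() if now is None else now) // 30
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 1_000_000)
```

A vault copy plus the master password yields only the wrapped blobs; a wrong factor or backup code fails the tag check rather than producing a wrong code.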
Why not just store TOTP/passkeys on a separate device?
- No juggling authenticator apps or re-enrolling YubiKeys on every site change. One vault continues to autofill passwords while still enforcing true 2FA for codes.
- Normal vault backups still work; to restore 2FA items you only need a backup hardware key or unlock code, not a full re-setup of all TOTPs.