Level of protection from a 2FA device in BW?

I think if a user has the correct email and master password, then they have enough information to be able to decrypt their vault.
I know that if a user loses their 2FA device and does not have a 2FA recovery code then the BW team will not recover that account.

Is there any technical reason why an account (user has correct email/master password but lost 2FA device) can not be recovered?

1 Like

It’s for your own protection. The whole idea of 2FA is to prevent people who somehow manage to steal your email + master password from logging in. If Bitwarden allowed to bypass that, it would render the entire second factor useless. So just be glad it can’t be recovered that way.

If you are thinking of the LastPass breach, then in that case yes, 2FA has become useless because the thieves lifted the entire database from the server and they have unlimited access to it now. So they can take their time trying to find out what the master password is at their leisure, and once found, then the vault will indeed be decrypted.

Thanks for the reply.

I don’t mean to be critical but in order to properly protect myself I need to understand the facts. I can see what 2FA does do but equally I want to understand what it doesn’t do.

I think you’re confirming that it is entirely possible to recover an account without the 2FA device.
The sole mechanism to prevent such a recovery is the bitwarden policy of not doing so.

1 Like

Bitwarden stores all the vaults on their servers. Those vaults are encrypted through your master password, and can’t be unlocked except with that particular password. Even Bitwarden is not able to access your data, because they don’t have access to your password (and thus, they can’t decrypt anything). If your master password is strong enough, even the most powerful computer would take centuries to break the password, so you would be safe anyway. Think of it as a lock to the safe inside your house. Only the ones that have the combination can get into the safe.

The 2FA is just an added security (and I would 100% recommend enabling it). It means that EVEN if your master password gets into the wrong hands for whatever reason, anyone trying to access your vault from OUTSIDE Bitwarden’s server park, they STILL can’t access your data because it would require an additional code to get in. Think of it as the front door of your house. Only the ones that ring the doorbell and are verified by you to access can get into your house and proceed to the safe.

So your valuables are protected twice: once by you to verify if the visitor is welcome so that they are allowed to enter the house, and even then they can only access the safe if they have the correct combination. Think of Bitwarden as the security guard who you have trusted to be inside your house so they can guard your belongings, but who doesn’t have the combination to the safe because that is something only YOU know.

Again in the case of LastPass, criminals managed to lift the safe from the house, thus bypassing the first line of defense. So in their case, now the criminals have access to the safe itself and only the strength of the combination on the safe will keep them out.

Does that clarify things?

1 Like

This is a good analogy to describe the difference between 2FA and a master password and then Bitwarden’s role.

1 Like

I can get the point that it’s a line of defence should somebody compromise your master password but I struggle to really work out (assuming you use a unique and strong password) what the circumstances are of somebody being able to do that?

Very often the ‘for any reason’ is touted but what, practically, are the reasons/methods by which it could happen?

That wasn’t a facetious comment; just seems to me that most plausible method for a master password to be compromised is through a phishing attack, which would render TOTP useless because they could be subject to the same phishing attack and compromised at the same time as the master password.

Therefore the only 2F that seems to be valuable in that context is a hardware key using U2F, not Yubikey’s TOTP, which would itself hopefully prevent the phishing attack being successful in the first place.

Having TOTP 2F on other logins to sites within your vault makes sense, as that would defend against your vault being compromised LostPass style, giving time to go changing all passwords in the event of an incident, but not if you’ve stored the codes for those in the same vault as the passwords.

This is just some non tech savvy observations anyway, along the theme of the question of what is or isn’t achieved by 2F, not sure if meritorious or not.

Just found this discussion while searching the forum on the subject.

1 Like

Other than phishing (which you mentioned) and credential stuffing (which you ruled out):

  • Shoulder surfing
  • Key logging
  • Social engineering
  • Improperly secured record of the master password (e.g., written on Post-It note; stored in vault left unlocked, etc.)
  • Inadvertent disclosure (e.g., typing into wrong window when another app steals focus)
  • Attacks on device memory (e.g., Heartbleed) or on traces of memory contents left behind on SSD drives (via swap files, hibernation files, or dump files)
  • 5-dollar wrench attack
1 Like

Thanks so much for this, it’s helpful.

Guess the accompanying list is how does 2F mitigate these risks?

In some circumstances certain 2F solutions are going to be compromised the same way as the master password.

I mean the $5 wrench approach seems pretty robust against most defences!

I’ve been struggling with the 2F loop of fail recovery, is the main reason for thinking about this - you use 2F because passwords are unsafe on their own then backup your 2F with a… err… password which is unsafe. So do you need to 2F your 2F backup solution? What if you lose your 2F backup 2F?

In most cases I’ve used an Authenticator generating TOTP that is not backed up in any way, as a 2F solution.

If/when that gets lost, it is possible to recover those accounts it secures via customer service. It’s difficult and a right pain in the rear, but possible, and I figure if it’s difficult for me it’s difficult for a hacker to do it too. But the key thing is it’s possible.

With the BitWarden account however, there’s no recovery if you lose your 2F.

Yeah you can have the paper back up codes, but most would agree that is not totally convenient - you’ve got to store them somewhere and then might not need them for years (you could move house etc) then need them.

You can back up your vault locally; which is work, a risk itself (having copies of the vault data has to be a risk?) and you’d have to back up the back up because a usb thumb drive is hardly archival quality.

So in the end, I’m wrestling with the idea of is the bigger risk locking myself out of my account via 2F loss or somebody gaining access to my vault due to not implementing 2F?

Of the two factor solutions, U2F seems to have real benefits over TOTP, but are those benefits enough to make it worth the risk to me to get locked out or overcome the work required to back that up?

Appreciate this is a “only you can decide what works for you” situation, but it’s definitely helpful to ask wiser people than myself questions about it all to understand the risks both ways.

I mean I can’t be the only person puzzling with this one?

Check out Raivo OTP authenticator. Open source and it has some cool integrated features between an iPhone/iPad and a Mac (tap on phone > paste on computer). You can export an encrypted file of all your keys AND you can back those keys up to iCloud, as well.

I’d highly caution you to have this kind of mindset. Just go on the mobile App Store and look at all the negative reviews for Google Authenticator. Most of them are people complaining that they are permanently locked out of their accounts and some customer service reps/companies cannot do anything about it. Yes some may be able to reset the 2fa process and allow you in, but most don’t have that ability. And just think if your user credentials were stolen by a hacker they essentially could call the company themselves, pretend it’s you, say they’ve lost the 2fa, can you please reset it; thus letting the hacker in. This defeats 2fa in my opinion, which in theory is only supposed to be something you have. A password is something you know. Always have a recovery code kept safe. The reason the recovery codes are different than a password, thus way more secure than a password, is because you’re never entering it in until you absolutely have to. And when that is the case you’ll most likely be changing the password and resetting up 2fa in which in addition to you can regenerate the backup code(s). Lastly these backup codes are generally a one time use and that’s it. How would a hacker gain or access your recovery code, unless they have physical access to the site/space you store them in, it is much less likely than a password. A password you’ll use every day, sometimes more than once a day. You’ll be entering that in different places, phishing attack is one way they can get this password easily stolen but then they still need something you have (2fa) to enter. The otp codes will cycle change every 30 seconds; whereas your password doesn’t.

Do yourself a favor and prevent disaster, make sure you set up some sort of backup recovery code or some other method; DO NOT!! rely or think that you can call customer service to have them reset it. This is alarmist 99.4% chance that most won’t even have the capability of doing this.

1 Like

Thanks some fair points, and to a degree getting locked out of accounts seems the most likely scenario by going over secure in general but incidentally those negative reviews you mention are positives in my view.

What they show is that Authenticator has a lack of convenience to it, which in itself is an indicator of security.

Conversely, when you get reviews that say I got locked out but it was really easy to restore access, it’s kind of a red flag - easy for you could be easy for somebody else.

The accounts I was talking about securing in that manner (authenticator) were not financially sensitive or life and death stuff if they got lost.

When it comes to things like Google, Facebook (which I don’t use) I really do believe if somebody was determined enough they could convince customer services to let them in anyway as in the end you’re relying on people (yes they need enough data on you but that’s the point you raised as to assume they have).

In the end it’s just levels of hindrance you’re adding, not absolute security.

There do not seem to be many situations where losing 2F means you’re totally locked out, is what I’m saying, in most cases there is some workaround and as you point out, those are fallible.

Another thing I would point out is that TOTP or OTP are actually not secure against phishing attacks and likely to be compromised at the same time as a password; perhaps something to consider (this is one reason to go for U2F).

The OTP do not check what you’re logging into; the codes always work.

This in a way, was partly my question; when is and when isn’t an OTP 2F offering meaningful additional security.

The issue with the back up, I guess unless offline, is securing the back up (of 2F codes), as I mentioned, compromising your 2F security anyway; e.g. you can have some services like Authy allow recovery via pin sent by email or SMS?

Storing offline backups needs discipline to do regularly, and store safely (3 copies, two different types of media, one off site), all of which need regularly updating when things change.

I wonder how many people who mention offline backup actually do it in a proper manner.

Storing TOTP codes in their vault with credentials just doesn’t seem a good idea for example.

Anyway, the Authenticator option I have been using is something I will move from, in part because of points you raise.

Will have a look at Raivo OTP, thanks, but I am likely to go U2F in the end.

Thanks for the thoughts, I believe I’m at the point of over thinking the whole thing really.
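
The point raised in the thread, that a TOTP code is accepted no matter where it was typed while a U2F-style response is tied to the site the browser was actually on, sketched as an added example (not part of any post and not Bitwarden's code). The origins, secrets and challenge are constructed sample values, and an HMAC stands in for the hardware key's public-key signature.

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions for this example only).
REAL_ORIGIN = "https://vault.example"
LOOKALIKE_ORIGIN = "https://vault-login.example"
TOTP_SECRET = b"12345678901234567890"       # RFC 6238 test secret
CREDENTIAL_KEY = b"constructed-hardware-key-secret"
SERVER_CHALLENGE = b"constructed-login-challenge"
LOGIN_TIME = 59                             # RFC 6238 test timestamp


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the inputs are the secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                 # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The server only sees digits; nothing in them records where they were typed."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def authenticator_respond(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified U2F-style response.

    The origin is supplied by the browser from the address bar, not by the
    user, and is mixed into the signed data. HMAC is a stand-in for the
    asymmetric signature a real key produces.
    """
    client_data = hashlib.sha256(challenge + b"|" + origin.encode()).digest()
    return hmac.new(key, client_data, hashlib.sha256).digest()


def server_verify_response(key: bytes, challenge: bytes, response: bytes) -> bool:
    """The real server recomputes the response for its own origin only."""
    expected = authenticator_respond(key, challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, response)


def compare_factors(origin_user_was_on: str) -> dict:
    """What the real server concludes for a login performed at the given origin."""
    # TOTP: the user reads the code off the app and types it into the page.
    code = totp(TOTP_SECRET, LOGIN_TIME)
    # Hardware key: the browser reports the origin it is really showing.
    response = authenticator_respond(
        CREDENTIAL_KEY, SERVER_CHALLENGE, origin_user_was_on
    )
    return {
        "totp_accepted": server_verify_totp(TOTP_SECRET, code, LOGIN_TIME),
        "origin_bound_accepted": server_verify_response(
            CREDENTIAL_KEY, SERVER_CHALLENGE, response
        ),
    }


if __name__ == "__main__":
    for origin in (REAL_ORIGIN, LOOKALIKE_ORIGIN):
        print(origin, compare_factors(origin))
```

The only difference between the two runs is the origin the browser reported: the TOTP check cannot see it, the origin-bound check fails on it.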

Absolutely agree, this is really all about secured accounts here and functioned as intended.

Again depends if companies like Google, Facebook even have the capabilities of resetting the 2fa. I personally don’t know, but doubt they can nor would chance it. If they allowed it today, tomorrow they could tighten or discontinue that practice; always have a backup/recovery code yourself. In today’s digital world, some have their entire life worth of information stored within these companies’ systems.

Agree. Always know how to get to your services, whether it’s thru typing the actual url or having a bookmark. Don’t use a link in an email which could be a spoofed phishing attempt. This would just minimize the chances of that happening.

For me TOTP or OTP 2f offer me additional security, from not having 2f at all, in that it minimizes anyone trying to brute force my password. Sure if they can make it past my login credentials they would then need my 2fa code. I’m sure, they can brute force the 2fa but effectively what I’ve done was slow the process down as much as I could. Additionally most accounts will have alerts of suspicious login activity or in the event they got past the password and then was met with the 2fa code entry and didn’t enter it in after certain amount of time, a notification would be sent. Allowing me some time to go in and change the password even resetting the 2fa to rotate the process.

I agree with this, as nice as it looks and is convenient to have it all in one place, I don’t like the all eggs in one basket approach here. My main concern is also more of if I ever lose access to my vault I lose access to the 2fa. Yes I do have recovery, but at least if I lose access to my vault I can still remember my passwords even though they’re unique to each account. If the 2fa was tied to the vault I’d be effectively locked out until I could get to the recovery code location.

Just make sure when you’re starting off to go slow and learn and think of all the possible ways things will go sideways, and when/if that happens what can you do/what options do you have to get back into your accounts. Once I found my way I went all in with 2fa authenticators and every once in a while will audit my accounts to see who else has added 2fa capability to their services. For the past few years I too have had my eye on u2f such as yubikey. Totally love it, I think it is way more secure than 2fa, stories of all of Google’s employees switched over to this, however the one thing I can’t get past is having to carry the hardware around with you. Some may carry their keys everywhere they go and can put it on a keychain. But for me there are times where I wouldn’t have that on me. You’re home and are out down the block because your kid wants to go to the park I wouldn’t bring those with me. If there was something I had to login quickly for it would prevent me from doing so because I didn’t have it on me. In today’s day of smart home devices, I only have my keys with me when I need to drive the car. So there’s a bit of a gap I’m still trying to figure out how I can fill. I think this new passkey solution may help that, where the device can just use biometrics to authenticate but it’s going to take a while for widespread support. I did recently do some testing with passkeys for logging into the BW vault and it worked great on the iOS app since the passkey was linked with the phone, but horrible on a desktop computer in the browser extension; the same pop up would ask for a usb insert which I don’t have. This area a yubikey may work because the browser extension is usually used at work or home computer thus having access to the yubikey though. I just need more passkey support, and even then I need to make sure if my iOS device ever goes down how else can I get in and minimize my risk of a total lock out.

1 Like

Yeah a lot of the closing thoughts there are issues I’m trying to resolve too, partly by asking a lot of questions around it.

To summarise the fundamental; adding security measures creates both inconvenience and risk to you (of account lock out), in order to create any additional security (all of which you’re getting at).

What I’m trying to understand fully is when is that additional security real rather than perceived, such that the extra inconvenience/risk to me is equitable.

And there are asymmetries, such as if you set up 2F to access your BitWarden account, then you cannot access it without it, yet if somebody got hold of your vault data they could access it with only your master password and would have no need to use 2F (the LastPass situation).

You have to assume that at some point your vault data may be accessed by a third party and at that point the only safe thing to do is change every credential in it, regardless.

Can see there are scenarios in which 2F would offer additional security (if it’s the right solution used in the right way), but using the wrong solution in the wrong way gives only the illusion of additional security against a given risk, but 100% of the inconvenience and lock out risk.

Like the over the shoulder compromise for example, could be protected by 2F apps on your phone accessed via biometric.

If you used a cloud sync 2F application secured via password however, that password you enter could be compromised at the exact same time as the master password.

Regards 2F resets; most commercial enterprises that want to sell and continue to sell you anything will be able to restore access is my experience, even if it requires say, a lot of info to then physically mail you an access code.

Times this is not the case are a rarity rather than commonality, is what I’ve found.

BitWarden and similar can’t/won’t (at least for personal users?) but there’s not many others I can think of really.

But I may be wrong on that.

We all have different views on things depending on the services we trust and what we trust those services with really, I’m just trying to get to a point where I’m informed enough to make decisions.

Saying all this, I’ll end up with 2F on everything regardless, just in case, so probably just pointless waffle.

This is the reason I self host my instance. I don’t trust the cloud because big names will be bigger targets.

I’ve also spent the last hr looking at yubikey again lol. I filled out their partner form and someone will reach out; I’m going to explore it. I’m always in tune to try and tighten things a bit more, and I’ve been at my level for a while. If yubikey allows TOTP codes, and if I can get that thru their software app as well as the hardware keys I’d be much more inclined to dump services such as Authy. I wish I could just use my phone as “the” yubikey tho thru some sort of software integration with their app to login to sites. That will get me past the I don’t want to carry another device around with me.

I read this site and the comments for that article are in line with why I haven’t gone yubikey yet. But maybe things have evolved since then.

On self hosting, some thoughts I’ve had on that are that while BitWarden may be a bigger target there is the benefit that your vault is one of many that may be taken in any successful hacking attempt.

Despite the noise surrounding the last LastPass breach, there seems to be limited discussion outside of tech circles really; I’m not seeing loads of users complaining online that they have suffered loss, class action lawsuits flying for data loss etc and the talk seems to be about the potential not the realised (unless I’ve missed something, I’ll admit I’ve not researched that extensively but might start).

Have some accounts been compromised? Seems probable. Have more been compromised than would have ordinarily been compromised over the same period due to malpractice on behalf of the user (e.g. poor passwords reused etc)? Who knows.

Maybe they (the hackers) were content in the first phase to just sell off the unencrypted user data and URLs and didn’t want to waste time forcing passwords or perhaps other data from the wider GoTo group was more attractive to attempt to make use of than vault data, at least initially.

It seems like a useful test case for what happens when the excrement goes through the desk fan anyway.

Whatever the case may be, seems logical that one vault in thousands, hundreds of thousands or millions would be safer than one on its own (safety in numbers so to speak).

If I was self hosting I might think about making many spoofs in addition to the useful vault just for that reason (maybe that’s part of the set up anyway, I’ve no idea - that’s part of my reticence; not having the expertise).

Then there’s the fact that BitWarden employ specialists, third parties, bounty programmes etc to secure the data they store.

Is your self hosted vault doing similar? Probably not I would assume. It’s doubtful that you employ or could afford to employ similar levels of 24/7 expertise to secure your own hosting solution.

There’s a thought that whilst a bigger target, BitWarden’s cloud would be a harder nut to crack than somebody’s home server solution, so a strategy could be to go for the many small guys that are easier targets then go for the big one, as it might be statistically more successful overall (many small successes could be more valuable than many failed attempts at a bigger target).

There’s real world examples of that sort of strategy being successfully employed, so it doesn’t necessarily follow that because a target is bigger with a bigger potential payoff, it becomes the preferred target.

If you have some technical edge, like you work in the tech security sector, sure it is likely to be more secure or could be, but that’s not my situation.

Also if you do need remote access my guess would be that you’re still only making it incrementally more secure, not eliminating the risk of somebody getting your vault file. As such it would still seem prudent to assume the worst can and will happen at some point.

Just all seems far from a ‘slam dunk’ to better security to self host.

Ultimately though what could it achieve assuming it is all possible and leads to an undisputedly more secure vault storage solution?

I think what I would be doing, is self hosting a vault (because I do not trust the cloud service provider to do it for me), and in that vault would be the login credentials to online cloud services that I use and want to protect access to, even though they are the very same cloud services I’m saying I do not trust.

Does that sound like a rational thing to do?

Splitting hairs about the type of data you do and do not trust to be cloud stored seems slightly pedantic to me; you can acknowledge your own contradiction in using the Authy cloud sync solution (unless you’ve got that self hosted?)?

It’s about this point I decided against the idea of self hosting in a cost benefit/risk benefit consideration, but I’m happy to be convinced otherwise.

In that review and comments, have read that previously but re-read just, as you raised it.

Which element concerns you?

Compatibility seems to be OK on the face of it, guess there’s going to be snags in real world usage that are only going to be revealed when trying it, but seems that the whole thing is maturing.

A lot of time I take comments with things like Android device support with a pinch due to the varied nature of such devices.

Carrying an additional item doesn’t seem a big deal. Keys/wallet/phone is the de facto standard carry, so if you can have one in your wallet or on a key ring with your house keys etc, it’s not an additional thing to remember?

Seems like an awful lot of anecdotal evidence of people carrying these with keys and no specific care, without running in to problems - had it on my key chain but they broke every five minutes isn’t a complaint I’m coming across and in this world people are normally quick to condemn such things especially when that method of carry is touted by the device vendor (carry it on my keys they said…).

Probably I’m reading with a lot of confirmation bias at this point because I think secretly I just want to buy a hardware key, so would be interested in what caught your attention there?

Have you looked at GoTrustID Idem Keys?

No TOTP via app, as far as I can tell, but they are NFC.

The benefit of those is cost; you could get 5 for the cost of two Yubikey 5 NFC’s, so one with workstation, one with keys, one backup, one offsite backup, and a hot spare for when a child chews or otherwise destroys a key, or flushes one down the toilet (which is going to happen and will be an ‘accident’).

Five is currently the maximum supported by BitWarden too I believe.

Yubikey seems better overall, and potentially has higher company ethics, just can’t ignore the cost difference entirely.

IDEM key is made in Taiwan vs USA or Sweden for Yubikey, is my understanding, if that matters to you.

I’m most likely going to bite the bullet and test drive the IDEM key at this point ($20 to see if it’s a solution that might work doesn’t seem to be the end of the world).

Idk to me my vault in the cloud would still be in the hands of another, where they have unlimited amount of time to do or try whatever they want; this is effectively what happened with LastPass. When you have 300+ vault items, that’s pretty unsettling for me.

True but the weakest link is always the employee who manages those systems, who fall victim to phishing attacks; again we saw how that happened with LastPass. Most security breaches are of similar nature.

I’d be more conscious about what links I’m clicking on here and would be less likely to fall for a phishing attack since I deal with my vault a few times a day. If I saw an email about my vault I’d be a little suspect especially if I’m not working on it. Vs the employee who that’s all they do is work with this platform, and deals with emails all day around the clock; it’s just more prone to phishing attacks. Hopefully bitwarden, if not already, implements what companies like google and twitter did; every employee now utilizes a yubikey. This effectively brought their protection up to 99.9% for phishing attempts. This implementation would have more than likely prevented the lastpass breach as well (on face value of what we know).

Maybe not a true slam dunk but had I self hosted with lastpass (if that was available), I would have been unaffected because the vault data is with me. Now I have my Lp vault potentially somewhere in the wild. I had stopped using LP like 2 years ago and switched to BW, I just left the account dormant while trying bitwarden and navigating the waters. I’m now kicking myself in the *** for not deleting that account.

At least it’s not the keys to the kingdom, which essentially a pw vault is. Considering I also implement a unique password for each service, no matter what it is, if a cloud provider got hacked at least the credentials are compromised just for that service platform and minimizes how far that “disease” can spread. If you get the vault you have essentially the “world pandemic” in one shot.

I just don’t trust to store my data with cloud providers if I can help it. I have a synology nas, I keep my docs photos videos etc there, not iCloud. I have vault data I choose to self host that cause I can. I do use cloud service for contacts and calendar data, in which I could care less about being in the cloud; yet it brings ease, convenience that I know it’s always there…lose a phone, log back in to the account and it’s there.

By all means it’s not an all in one way mentality.

True, not self hosted, I know the implications but this is the balance I chose for convenience and assurance that if I lose my one device I don’t lose all of my 2fa accounts (upward of 50+). I also turn off multi device once I’ve added my devices to it. This prevents any new device from being added to the Authy sync. If I see in the news one day that Authy was hacked, it’s very easy for me to terminate the active 2fa accounts and reestablish a new 2fa chain, possibly then being on a different platform. Again if someone got all my 2fa codes you’d need to know each services’ unique password and if you guess one well then one account got away from me and not the whole shabam. The more difficult you make it you hope that they just move on to the next easiest victim.

In the end some sort of 2fa is better than none. Those new to the game who have no clue about the basics get caught up with a Google Authenticator where they lost access to all of their accounts, guess what they’re the ones writing the negative reviews. And I can guarantee about more than 3/4 of those people will be so traumatized they’ll never turn 2fa on again. So who’s more secure there?

Until you’re chilling on the couch or bed and now need to get up to go into another room to get that additional item just to log in. I don’t choose remember my device when logging in on my devices, therefore this would be a pain of convenience for me. I’m looking forward to passkeys where the phone plus biometrics and provide the authentication. For me a phone is something I always will have with me.

Me personally I’d go for yubikey, buying off the brand name. You also see all (most?!?) of the major corporations going with it for all their employees (google as one example). They’re probably part or involved with the FIDO alliance. More money/revenue with the company, you’d hope it leads to further initiatives and R&D to make things better. But again as long as it’s not some knock off no named brand and if the major corps stamp their name with it, it’s probably good to go with.

There’s a counter-argument that can be made, in that there’s safety in numbers. If Bitwarden’s database of (say) 10 million user vaults is stolen, what are the odds that an attacker will target your vault in particular for a brute-force attack? Conversely, if an attacker tries to crack all vaults simultaneously (by testing each password guess on every vault), then their effective guessing rate is slowed down by a factor of 10⁷ (which is similar to the effect of multiplying your KDF iteration number by 10⁷).

Furthermore, if an attacker does infiltrate your on-prem server, will you know?

There was one commenter who had some compatibility issues with OnePlus phones, but other than that I didn’t see anything in the comment section that should dissuade anybody from using Yubikeys.

Well the GoTrust IDEM is not a knock off product, it’s a legit option I believe, level 2 FIDO2 certified (is Yubikey?) used by some major corps etc. But yes would agree Yubikey is the main player.

Nobody has unlimited time to gain useful data from your vault, should they acquire it.

Assuming you change all the credentials in it, the data is time sensitive (i.e. only useful until you changed it making the data out of date).

Obviously the buffoonery of LastPass not encrypting everything does not help matters.

Your points in general are perfectly valid though and I can understand your reasoning for going self hosted based on those factors.

I’m on the synology NAS solution too, but if you want to offsite back up that data it’s more convenient to use an encrypted cloud service than anything else (other than a mirror to another NAS I guess).

Just on the general, are you using Pi-Hole for DNS?

Have used that for a long time (probably a decade) running with unbound. That is a good network wide protection measure, at least I think it has value anyway.

The stolen data is almost always sold on the black market. Sure maybe one attacker won’t get to it, but what if they sell portions of the 10 mill vaults off to hundreds or thousands of other hackers (or group of the afore).

Some of the comments that were in line to my thoughts were relating to having to carry around an additional device with you. I’m not completely opposed to yubikeys and I have always had my eyes on them. I just would rather use my iPhone as the main source of authentication workflow. And probably have a yubikey as a backup in case the phone is ever lost, damaged, or stolen.

Again the starting assumption is that it’s only one person. Most of the breaches are sold off to many others. When your data is in the hands of pools of hackers the possibility increases.