In the past I had my TOTP tokens in a different app from the passwords I managed in my password manager. So in case someone obtains my password database, without the TOTP to my most important accounts, no access is possible.
Now with Bitwarden you can (but don’t have to) store both together in one app - super convenient, but at the same time, if someone gets access to my Bitwarden, they have it all.
I’m wondering if there is a way to improve Bitwarden to make storing TOTP more safe but keep the convenience. Like an additional verification process to enable access to TOTP on certain devices.
You’re absolutely right to be thinking critically about this. Combining passwords and TOTP (Time-based One-Time Password) tokens in one vault like Bitwarden does increase convenience, but it also introduces a single point of failure—if someone compromises your Bitwarden vault (e.g. via your master password or device session), they potentially get everything.
There are more factors that make this more complicated than the general trade-off, “better security” vs “more convenient”.
Convenience makes it easier to entice the user to enable TOTP on all sites that support it, instead of just those they deem “important”.
Two vaults introduce a second point of failure, either of which, if corrupted, will cause loss of access to your credentials (back up both).
Two vaults do not help protect password-only accounts (although a pepper will).
It likely will never be possible to bifurcate a passkey between two vaults.
The OP’s suggestion, “Make TOTP more secure”, can substantially be accomplished with Master Password Reprompt, although I somewhat consider that security theater.
My take is that one needs to strengthen their vault until they are no longer concerned about this vulnerability. That may mean a longer master password, enabling MFA on the vault, strengthening encryption settings and generally keeping the vault locked (with biometrics to reduce unlock friction).
It could also be accomplished without prompting for master password again (which most likely is compromised anyway, if someone had obtained access to the vault already).
I’d rather suggest making TOTP only accessible from “Trusted Devices” and adding additional verification steps to mark a device as trusted. This step could be an email verification link or another already trusted device.
This way TOTP stays secure as long as the email account or a trusted device has not been compromised too, which is a significant additional hurdle.
You are absolutely right, storing them both inside the same vault without extra protection is a serious security issue and should be avoided at all cost. I also made a thread, Additional encryption for items protected by Master Password Reprompt, about adding additional encryption for items protected by Master Password Reprompt. This could mitigate, although not remove, the problem of unprotected TOTP seeds stored in Bitwarden… IF and only IF both an additional password AND additional encryption based on that password are used to protect the TOTP. Otherwise it won’t work… as the current “Master Password Reprompt” is absolutely useless to really protect anything from anything, since it’s a software-only solution right now.
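An added illustration of the point made in this thread, not code from Bitwarden or from any of the posters: a stdlib-only Python sketch that shows (a) a TOTP seed alone is enough to produce valid codes for any moment in time, (b) a reprompt that only sets a flag leaves the seed readable in the stored record, and (c) what it looks like when the seed is instead wrapped under a key derived from a separate reprompt password. The HMAC-based keystream and tag are a demonstration construction chosen so the example runs without third-party packages; a production implementation would use a standard AEAD such as AES-GCM. The record layout, the PBKDF2 iteration count and the function names are my own assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

# --- (a) RFC 6238 TOTP: whoever holds the seed can compute every code ---------

def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Compute the TOTP code for `seed` at `unix_time` (HMAC-SHA1, RFC 6238)."""
    counter = int(unix_time) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# --- (b) reprompt as a software-only flag: the seed is still in the clear -----

def reprompt_only_record(seed: bytes) -> dict:
    """Assumed shape of a record that is merely marked 'reprompt'. The seed is
    stored as-is, so anyone who can read the vault data can read the seed."""
    return {"reprompt": True, "seed": seed}

# --- (c) wrapping the seed under a key derived from a separate password ------

KDF_ITERATIONS = 600_000  # assumption; pick per current guidance for PBKDF2-SHA256

def _derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=32)

def _subkeys(key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the KDF output.
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Demonstration PRF-based stream: HMAC(enc_key, nonce || counter) blocks.
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), "sha256").digest()
        block += 1
    return out[:length]

def wrap_seed(seed: bytes, reprompt_password: str) -> bytes:
    """Return salt || nonce || ciphertext || tag. Without the password the
    stored bytes reveal nothing about the seed (unlike reprompt_only_record)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(_derive_key(reprompt_password, salt))
    ct = bytes(a ^ b for a, b in zip(seed, _keystream(enc_key, nonce, len(seed))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag

def unwrap_seed(blob: bytes, reprompt_password: str) -> bytes:
    """Verify the tag first (constant-time), then recover the seed."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _subkeys(_derive_key(reprompt_password, salt))
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong reprompt password or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 6238 test seed (constructed input)
    print("code now:", totp(seed, int(time.time())))
    print("flag-only record exposes seed:", reprompt_only_record(seed)["seed"])
    blob = wrap_seed(seed, "second-password")
    print("wrapped record starts with:", blob[:8].hex(), "...")
    print("unwrapped:", unwrap_seed(blob, "second-password"))
```

The contrast is the thread's point: in (b) the "protection" is a flag the client chooses to honour, so it does nothing against anyone who reads the stored data directly; in (c) the seed is unreadable without the second password, at the cost of a KDF run on every reveal.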
Going to my in-laws’ house. I trust that computer, but only for the hour that I’m there when I’m just using it; it’s not a computer I’d want to permanently trust.