Multiple Two-factor authentication methods to secure vault?

Hi, I have a question about best practices for two-factor authentication to access my Bitwarden vault. Currently, I’m using an authenticator app (2FAS) which I enabled in the Bitwarden settings. Today I got a YubiKey (Security Key Series) which I also enabled. Now I can choose between those two, which works great.

What is the recommendation or best practices? Is it harmless and still safe to leave both active? I thought it might be a good idea to leave only the Yubikey active, as this seems to be the safest option. On the other hand, I would then always have to have the Yubikey with me in case I want to log in to new devices for the first time.

If I have misunderstood something, please correct me.

For maximal phishing protection, you should use only FIDO2 keys as your two-factor authentication (2FA) method, as they are unphishable. Windows Hello can serve as a FIDO2 backup key, and some Android devices also support this feature.

I’ve noticed that those who strongly advocate for this approach often have multiple YubiKeys for backup, making it unlikely that they would need to resort to using a 2FA recovery code, disabling 2FA.

However, I personally am in agreement with @anon10321843. I am more concerned about losing access than about being phished. I prefer not to turn off Bitwarden’s 2FA under most circumstances. I do not add new devices, I block most ads (especially on my PC), and Bitwarden only sends me emails with links for email verification or account deletion. I will remain cautious and suspicious if my FIDO2 key and backup FIDO2 devices do not work.

P.S. For maximum token protection against malware, consider avoiding the “Remember me/Trust this device” option for important accounts.


… and, I might add: as long as you just store the TOTP seed code (e.g. on your emergency sheet) after setting it up, and probably never use it, it practically can’t be phished (also depending on where you store it and whether that might get leaked / stolen / whatever…).
