With the new 2FA requirement coming out, I believe users with no access to their phone and the inability to plug in any USB devices (including Yubikey) have to resort to janky solutions. I’ve settled on creating a separate email account with no 2FA attached to it simply to receive the 2FA codes, but this does not feel correct.
If possible, can Bitwarden sell/recommend/support a hardware token that operates similar to an RSA SecurID token or the old Battle.Net authenticators (the ones that printed out a 6-8 digit number)? This would allow users like me to enable 2FA on our accounts in a more secure, natural way.
There are a few out there. Search for “totp physical key”.
The complication you will run into is the necessity for accurate timekeeping. Freestanding clocks that run off battery tend to drift over time, which causes TOTP to start misbehaving.
This is not a big issue with phones or PCs as they routinely sync their time.
It was also not a big issue with RSA SecurID because the server was programmed to track the drift in your token by noting if you continually were using the previous or next tokencode and then adjusting the window for your token (not everyone’s) to recenter on your individual drift. TOTP does not have this adaptive capability.
I’ve heard of the time drift, but I’m OK getting replacements after a while. That said, looking at the Two-Step Login page on bitwarden.com, where would you add a TOTP physical key? I only see the following:
You would use Authenticator App. … It is still TOTP; your “app” is just embedded in a dedicated piece of hardware.
The “drift” issue is not likely to be a “replace device” event; it is much more likely that it will have some mechanism to set the time. The bigger concern is loss-of-access until you do so. The defense against loss-of-access is an emergency kit and/or regular backups.
One other thing to know. You can install the TOTP secret into multiple apps simultaneously, so if you forget your phone, log in with the one on your PC until you get your phone back (or rebuild it). Some TOTP apps (ente, 2fas) even sync for you.
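To make the drift discussion above concrete, here is an added example (not code from Bitwarden or from anyone in this thread) that implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library, verifies a code with the usual fixed ±1-step window, and then layers on a small drift-tracking verifier modelled on the SecurID behaviour described earlier (remember the offset at which a token's last code was accepted and recenter the window there). The `simulate` function feeds codes from a hypothetical hardware token whose clock gains a fixed number of seconds per daily login; the secret is the RFC test key and the timestamps are constructed values. It also illustrates the later point that the same secret installed in several places yields the same codes: the "token" here is just a second copy of the secret with its own clock.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_fixed_window(secret: bytes, code: str, server_time: int,
                        window: int = 1, step: int = 30) -> bool:
    """Plain TOTP verification: accept the current step and `window` steps on either side.
    A token whose clock has drifted further than that is rejected."""
    counter = server_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


class DriftTrackingVerifier:
    """Hypothetical SecurID-style adaptive verifier layered on TOTP (constructed for this example,
    not part of the RFC 6238 baseline): it remembers, per token, the step offset at which the
    last code was accepted and recenters the window on it, so slow drift never falls outside
    the window as long as it grows by less than one step between logins."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30):
        self.secret = secret
        self.window = window
        self.step = step
        self.offset = 0  # learned drift of this particular token, in steps

    def verify(self, code: str, server_time: int) -> bool:
        base = server_time // self.step + self.offset
        for delta in range(-self.window, self.window + 1):
            if hmac.compare_digest(hotp(self.secret, base + delta), code):
                self.offset += delta  # recenter on where this token's code was found
                return True
        return False


def simulate(drift_per_login_s: int, logins: int, window: int = 1, step: int = 30):
    """Log in once a day from a token whose clock gains `drift_per_login_s` seconds per login.
    Returns (accepted by fixed window, accepted by drift-tracking verifier)."""
    secret = b"12345678901234567890"  # RFC 4226/6238 test key, used as a constructed demo secret
    adaptive = DriftTrackingVerifier(secret, window, step)
    fixed_ok = adaptive_ok = 0
    for i in range(1, logins + 1):
        server_time = 1_000_000 + i * 86_400          # constructed: one login per day
        token_time = server_time + i * drift_per_login_s  # the token's drifted clock
        code = totp(secret, token_time, step)
        fixed_ok += int(verify_fixed_window(secret, code, server_time, window, step))
        adaptive_ok += int(adaptive.verify(code, server_time))
    return fixed_ok, adaptive_ok


if __name__ == "__main__":
    fixed, adaptive = simulate(drift_per_login_s=10, logins=20)
    print(f"fixed window accepted {fixed}/20 logins; drift-tracking accepted {adaptive}/20")
```

With 10 seconds of drift per login, the fixed ±1-step window stops accepting the token on the fifth day (drift has reached two 30-second steps), while the drift-tracking verifier follows it indefinitely. That is exactly the loss-of-access scenario discussed above: a real TOTP server behaves like `verify_fixed_window`, so a hardware token needs a way to reset its clock, and an emergency kit or second copy of the secret covers the gap until it does.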