I have Bitwarden Premium, and I use it to store my TOTPs. Now, my wife also has a Bitwarden account, but hers is free. If I share a login that includes a TOTP in my account, with her account, will she not be able to see/use the TOTP? How does that work, exactly? Is her BW account not able to save 2FA secrets but can still view TOTPs from shared ones?
I asked this question while at the office. Since no one answered it, I tried it myself at home.
I added my Google account to the Organization I share with my wife. The result is, since she doesn’t have Premium, the TOTP shows up for me but not for her.
…My test completed, I tried to unshare it. But I realized that I couldn’t. I had to manually duplicate the same credentials in my own vault and delete the one in the organization to stop it being shared.
Thank you for running that test, finding out how it works, and then choosing to share what you learned with all of us!
I have no idea if that is how it is supposed to work, but it’s good to know that is how it currently does work.
And yes, you got foiled by Bitwarden’s lack of an “unshare” feature. I really hope they implement that functionality sometime soon! It’s probably the #1 thing I would like to see improved in Bitwarden.
After posting, I was just thinking… does what you discovered mean that all TOTP functionality is unavailable to free users even though the TOTP UI elements are present for free users?
In a word: Yes.
The 2FA secret is there, but BW doesn’t generate a TOTP with it. Being a Free User doesn’t prevent you from editing the “Authenticator Key” entries in your database, but if you’re not Premium it won’t do anything with them.
Interestingly, if an entry is shared (i.e., in an organization), the button there says “Upgrade.” If it is not shared, it says “Premium.” When I clicked the “Upgrade” button on a shared item from my wife’s account, it says this:
But the “Upgrade” button is not there at all (and TOTPs do generate) if that same entry in the organization is accessed from my account. It would appear that even though Bitwarden complains about the organization not being free, what it really means is that the current user in that organization is not Premium. Because if you look at Bitwarden’s Pricing page for organizations, it says a paid one “Includes Premium features for all users.” So that message about the organization being a free one is misleading.
Thank you for the update. I agree with your conclusions.