Restrict Access to TOTP Authenticator Key

Citation please.

The reference I tend to use (NIST-800-63B-3) states that complexity and forced changes weaken security because they result in poor choices (e.g. Password1!). The recommended mitigation is to eliminate complexity and maintain strength by increasing length. Nowhere does it postulate that MFA is a license to accept decreased password strength.

800-63B also states “Memorized Secret Verifiers … SHALL force a change if there is evidence of compromise of the authenticator” (§5.1.1.2). In this case, the evidence is that someone formerly authorized still knows the password.


Having the TOTP master key in the vault is a violation of MFA. No matter what you do, the master key may leak from the client application.

I already described a solution here[1]; the solution requires a change in mindset of all password management products about what the meaning of keys is. Interestingly, this is exactly the service they try to provide while lacking the understanding of the implications.

[1] Restrict Access to TOTP Authenticator Key - #10 by alonbl

Having the TOTP in Bitwarden at all, let alone with the secret key visible, reduces out-of-band 2-Factor Authentication to a shared-factor 2-Step Authentication.

Bitwarden have a lot of very smart people who understand this and its implications, and I suppose their thinking is that users exercise their own choice, on the basis that 2-Step is better than 1-Factor. I am not sure all regular users understand the implications.

Personally, I lean on the side of caution and keep my 2nd factor out-of-band. I have been a target of a nasty multi-vector cyberattack in the past. Cybercriminals only have to be successful once in a person's lifetime, and they can wipe people out.

I really don’t get this - why on earth would the key be visible to all users? For a company this makes no sense and completely invalidates the key. It’s for this reason alone that we can’t use Bitwarden, but I’m also just a bit concerned as to who on earth thought it was a good idea. Visibility alone isn’t enough - it shouldn’t be POSSIBLE for end users to get this data. If anyone, only admins.


That is not this discussion. This is about hiding the key behind an “eyeball” when the vault item is in edit mode. Who can enter edit mode is a separate discussion that would only apply to enterprise vaults.

A visibility toggle may protect against shoulder surfers, but it would not protect against determined bad actors, because to use TOTP your vault needs to have access to the secret key so it can calculate the current value. Even if you hide the secret from the user, it still needs to be there and would be accessible via debugging tools, etc.

Bottom line, TOTP is not a substitute for changing a password when someone ceases to be authorized to use it.

That’s fair - but having the key so blatantly accessible to end users doesn’t make sense from a security perspective. If you have a business and you provide passwords to your team with a TOTP, then showing them all the TOTP key only reduces security without providing any value. I think my point is, I don’t see what value is obtained by having the TOTP key visible at all. During an export by an admin etc. I can see the value (though I would argue against even that), but displaying it to end users just allows them to set up their own MFA tokens easily and removes the admin level of control.

In the vast majority of vaults, the “end user” and the “admin” are one and the same. Even an enterprise user will have a company vault and then a personal vault for their own banking information, etc. On this second vault, they are their own admin.

For these personal vaults, it prevents vendor lock-in (e.g. by Authy, Google Auth, Microsoft auth) by allowing (as you note) one to set up a competing authenticator product as a failsafe.

I personally will not use any product/feature that takes data that I own and puts it at risk of loss with no way for me to get it back. This is why I avoid attachments in Bitwarden… they are not included in backup/exports.

And again, it is the other conversation that is about restricting TOTP key access in an enterprise scenario. This conversation is about hiding it, which is more a personal vault discussion.

@mwadmin Welcome to the forum!

As explained by @DenBesten, your comments were not relevant to the feature request where you had posted them, so I have moved them into the appropriate thread.

To support this feature request, scroll to the top and click the Vote button.