Search all logins with 2FA/MFA

Hi everyone,

I have a large number of logins and I would love to search/filter and find only those which have 2FAs (i.e. Authenticator Key (TOTP) filled in). I was searching the documentation and I couldn’t find any advanced search for this, but I might be missing it.

Is there a way to filter those logins? If yes, how? If not, should I move this to Feature Request?

The use case here is do a small audit, and perhaps consider a “backup” using another authenticator tool (e.g. Google’s) for a few of the most important ones.


I don’t believe there is a way to directly filter. There is a post about using the Notes field to manually add a “TOTP” note so that you can search

Also, you can see a list of all Verification Codes in the Bitwarden phone apps.

Finally, there is a Custom Item Labels Feature coming soon according to the Roadmap. You could use this feature to manually add a “TOTP” label that I assume would be searchable.

Are any of the above sufficient for your needs? If not, then I guess you should add a Feature Request.

Looking at the source code , it doesn’t seem that there are any undocumented advanced search fields (other the fields_joined and attachments_joined, which seem to be of limited value).

You may be able to use some CLI based method to accomplish what you want, by adapting some the examples given in the thread below:

Thanks, @RogerDodger. The app “Verification Codes” section was quite handy indeed. This solved my use case, although I still see the room to do something similar on web maybe. Perhaps we just need that view too.

The label and notes method I don’t think it’s reliable as it’d only be as good as you keep it up to date, so it might be not be accurate. It also would take significant time to set up (going one by one to all logins and adding it after checking if there is TOTP).

Thanks, @grb. Thanks for sharing.

Looking at the code and the documentation, I can see that there’s a fields section:

  • fields: Name or value. Only Text type field values are included.
builder.field("fields", { extractor: (c: CipherView) => this.fieldExtractor(c, false) });

I wonder if that’d allow to get the TOTP field. A priori, lines 309-312 makes me think not, but that’s partly why I was asking.

The cli command might be possible too, but I am still not even sure what’s the name of the TOTP field to do either of these two methods. Do you know?

Looking at the UI code, I wonder if it’s [Login.Totp] or [loginTotp] but I am unsure. I’ve tried a few searches variants of login.totp:* with no results.

fields is a reference to so-called custom fields. This is not how the TOTP authentication key is stored.


The CLI approach converts a JSON structure into a PowerShell object, which can then be filtered, sorted, etc. In the JSON structure, the TOTP seed is stored in a field named totp, which is part of a substructure with the field name login. Thus, I would try to use something like on the following expression:

(.\bw list items | ConvertFrom-Json) | Where-Object { $_.type -eq 1 } | Select-Object -ExpandProperty login -Property name | Where-Object { $null -ne $_.totp } |  | Select-Object -Property name,totp

Came here to post almost exactly this only I’m doing it from Linux/bash (which, incidentally, is an option for folks running into PowerShell issues - if one is willing to install Microsoft WSL2):

bw list items | jq '.[] | select(.login.totp != null)'

Not so accessible for non-CLI users, but the CLI does tend to lend itself to lots of advanced sorting and reporting functionality.

@jtr Thanks for posting this variation. These types of filtering/sorting tasks do become much easier to do if one has the jq utility available, as demonstrated by the conciseness of the expression you posted.

Incidentally, jq is available as an executable for Windows, so it wouldn’t be necessary to install a full Linux environment such as WSL2.