Requesting for added security for those who are using TOTP for 2FA, make the user logon again if TOTP code is incorrect even on first attempt. AWS is doing it and I think this makes it more secure together with the KDF settings. This keeps the chance of getting the TOTP correct always at one to a million. A security boost to those whose master passwords are compromised or not as secure.
@loving_bw Welcome to the forum!
Could you elaborate on that? - Because if you use the wrong TOTP code for the login to Bitwarden, then you are not logged in - so I’m not sure what “login again” should even mean here?
Given that TOTP changes every 30 seconds, a simple rate limit (even as short as one attempt per second) may largely address your concern. I do not currently know if two-step-login has rate limits.
Sorry for the confusion. Make them enter the email address and password again, send them to login screen. The inconvenience I think is acceptable to the real account holder but frustrating to someone trying to hack the account (even if he already has the master password). Thanks @Nail1684
@loving_bw Thanks for clearing that up!
I’m not sure if it would be the other way round. 
1 Like
Short notice:
- I’m not sure if there’s a similar Feature Request (FR) already?! (had no time for a thorough search, yet…)
- but anyway, I changed the title for now and made it more into a general request, including the other 2FA-methods (before, the title was: “Bitwarden TOTP Implementation”)
- … but/and… I also didn’t test now the behaviour of every one of the five 2FA options for Bitwarden…
