Security risks of using Bitwarden as authenticator and password manager

I’d appreciate the opinions and inputs of others with more expertise in security. My concern of using Bitwarden as both authenticator and password manager is that it seems to defeat the whole purpose of two-factor authentication.

If someone were to hack into my Bitwarden account, they’d basically have access to everything, including the one-time passwords. Having the password manager separated from the authenticator by device and account seems to be a much more secure approach. For this reason, I’m currently not using Bitwarden as authenticator, only password manager. However, in principle I think this should be disabled completely for every users’ security. Again, I’m totally open to others’ thoughts.

3 Likes

Well, the idea of 2FA is ‘something you have and something you know’. The password is the thing you know, and most often your device is the thing you have. In this case, your ‘bitwarden account’ is the thing you have.

If you’re going to put all your eggs in one basket, you must protect that basket. I would rate the hacking of my Bitwarden account to be catastrophic, 2FA included or not.

The benefits of having your 2FA key in Bitwarden are the copying to clipboard, ability to share it with others in your family group, etc.

I would rate keeping 2FA tokens in Bitwarden as more secure than the SMS or email-style 2FA, less secure than the local-storage-only OTP apps.

4 Likes

This might be a helpful reference article

In particular this section specifically addresses the discussion around bundling two-factor authentication within your password manager

As with many discussions in security, it comes down to a balancing what is right for you and there is no single right answer for all use cases. :wink:

3 Likes

Good points! It is definitely very convenient to copy the one-time codes right from my browser instead of having to open my phone and the authenticator each time

The blog post raises some great points, thanks for that! I especially liked this one:

Your Bitwarden Vault hopefully already has two-step login using some other method. (ie. do not use the Bitwarden Authenticator to protect your Bitwarden account.) Therefore it is currently protected with a high level of security and, in fact, two-step login.

Hello @hwsamuel,
I’ve thought about that long time ago and I came to conclusion that if you have 2FA on bitwarden you are just moving the 2FA from directly authenticating to authenticating on 2FA with bitwarden.

There is a higher probability of hacking any of your other accounts than bitwarden itself. Although you are theoretically increasing attack surface, as a hacker I would rather attack your direct account rather than bitwarden.

Hope this helps :slight_smile: ,

3 Likes

I would store the less sensitive OTP in Bitwarden (e.g., Amazon, random webshops) and use hardware security keys for the more sensitive stuff (e.g., email, banking).

2 Likes

I use Bitwarden for all my TOTP codes. I understand the pros and cons but the way I see it, my Bitwarden account is protected with a VERY strong password. I don’t believe anyone will gain access to it - if they did, they would be able to login to credit card accounts and other services that don’t use 2FA. This would obviously be disastrous!

A far greater risk is someone gaining access to a particular account of mine, maybe because a site is hacked and isn’t storing passwords securely. If I have 2FA turned on wherever possible, it greatly reduces that risk no matter where I sort my TOTP codes.

For me, the convenience of having my 2FA info in BW is worth it.

2 Likes

Hi all.
I was reading through this discussion and have to ask: would you recommend in not using Google or Microsoft Authenticator for 2FA?
Thanks,
F.

Google’s version was improved about 6 months ago which improved it, no idea about the Microsoft version. However, I’m not sure either has any advantages over Authy.

Whether you want to use one is a matter of balancing advantages and disadvantages according to your preferences.

1 Like

Both Google and Microsoft authenticator apps are fine but I agree with @Davidz - I would recommend Authy.

andOTP is also a good choice. Its an offline open source authenticator app. You can backup the tokens if you want.

2 Likes

+1 for andOTP, because it also supports local Backups, which Google and MS only support in the Cloud (as far as i know) and it hides your Codes, so that no malicious App can retrieve them by recording the Screen of your device.

Nice addition for andOTP - I just migrated my 2 Google Auth tokens over to Authy yesterday evening :slight_smile:
My company (and other customers of mine) use MS Authenticator, so I need to have that on my phone as well :-/
I’ll look into andOTP for sure!
Thanks,
F.

1 Like

Adding to the alternative authenticators discussion, I’ve used Aegis in the past, it’s also open source, supports both TOTP and HOTP, and allows importing from other authenticators.

3 Likes

Bear in mind, anything that works in MS Authenticator will also work in Google Authenticator, Authy, etc. They all use the same standard for generating TOTP codes.

2 Likes

So I could be transferring all my TOTP accounts from MS Authenticator over to Authy or andOTP? I mean, not with a simple export-import task, but instead just deactivating the 2FA for one service and reactivating it in Authy/andOTP?

As long as you have the secrets, yes. Put the same secret into different authenticators (even on different computers) and they will generate the same sequence of codes, changing at the same time (within a second or two). For this to happen all the computers need to be on the same time, so it is a good idea to have them checking with a time server from time to time.

If you don’t have the secrets then you will have to start again.

2 Likes

Absolutely :grinning:

HAHAHA! I’m feeling so noob! :smiley:

1 Like