Security risks of using Bitwarden as authenticator and password manager

This gets tricky with semantics, I won’t deny it, but let me try to break it down. (Also, just for the record, I also use Authy for Desktop.)

  • On your PC, you have your Bitwarden app
  • On your PC, you have your Authy Desktop app

Does that make them the same factor? Remember: “Something you know” and “Something you have” are different factors.

  • Your Bitwarden app is unlocked by your Master Password (something you know)
  • Your Authy Desktop app is unlocked by your Authy Backup Password (also something you know).

“Aha, you see!” you say. But wait a second, your Authy Desktop is not unlocked solely by Backup Password. It also requires your device (PC in this case) to be previously authorized. In other words, it requires “something you have” (your PC).

  • What if someone got a hold of your Authy Backup Password? Would they be able to log in on their desktop? No. Authy will not work, because their device/PC is not authorized.
  • What if someone got a hold of your PC? Can they just open Authy and use it? No, they need your Backup Password (unless you specifically disabled that, thus downgrading your security on purpose).

So, your Authy Desktop is still protected by 2 factors: something you know (Backup Password) and something you have (your Authorized PC).

If somebody gets a hold of both passwords, your Bitwarden Master Password and Authy Backup Password (both being the same factor: something you know), they still cannot access either remotely, because they don’t have something you have (your Authorized PC). 2FA’s exact purpose is that: if someone found a way to break 1 factor (be it stealing passwords through phishing, or physically stealing a device), they still need the 2nd factor.

It’s different when somebody in your household gets a hold of your BW MP and Authy BP, and they have your PC. Now they can access your 3rd-party passwords in BW and their respective TOTP seeds in Authy Desktop. But think what just happened: someone just got a hold of 2 of your factors: your master passwords (something you know) and your authorized devices (your PC).

Similar reasoning applies to Authy and BW apps on the phone. Authy on the phone doesn’t require the Backup Password. It can be additionally protected by Fingerprint (something you are, yet another factor). It really should be the case, but let’s say even that is disabled. So, you have Authy on your phone, with no PIN and no fingerprint unlock on the Authy app, just like SMS.

You also have the BW app on the phone. You at least have Fingerprint protection on that, don’t you? Let’s say you don’t. Let’s say, for convenience, you configured the BW app to “never” lock (and we aren’t even going to touch the phone unlock method at all for this discussion). This is essentially done by storing your Master Password (something you know) onto your device (something you have). By configuring the BW app to “never” lock and without Fingerprint or PIN unlock, you are changing the equation. Your BW app is no longer unlocked by something you have (your password). No, it’s not. It is now unlocked by something you have (your phone).

If at this point someone steals your phone, they have just 1 factor (something you have, your phone). But you purposely configured Authy not to be protected by any other factor, and you purposely configured BW not to be protected by anything other than that same factor. If someone steals your phone, they still only broke 1 factor (something you have). I am sorry, but it’s you that downgraded the security of BW from 2 factors to 1 factor by telling it to “never lock” (essentially storing your Master Password on the device).

But, what if you had Fingerprint (something you are) or PIN (something you know) on BW app? Well, that’s a 2nd factor. So now, if someone steals your phone (something you have), which would give them access to unlocked Authy, or SMS TOTP codes, for that matter, they still don’t have your BW MP (something you know) or PIN (something you know) or Fingerprint (something you are). They can steal the phone, marvel at the TOTP codes changing on the screen all day long, and they still cannot access your vault without the 2nd factor.
