There are 2 concepts:
- Two-Factor Authentication (2FA)
- Two-Step Authentication (2SA)
A lot of times these are used interchangeably. They both offer increased security, but they are not the same. Having your 3rd-party account TOTP seeds stored in Bitwarden, unlocked by the same method as your 3rd-party account password (i.e. unlocked by single master password) downgrades them from 2FA to 2SA. A different factor would be something different than your master password. That’s why it’s called 2-factor.
A factor is not “another password”. A factor is one of:
- Something you know (a password, a TOTP seed)
- Something you have (a security key, a phone/device with TOTP seeds)
- Something you are (biometrics)
You see above how storing 3rd-party passwords and 3rd-party TOTP seeds together (in password manager) makes it “same factor”, unlocked by the same method: something you know, i.e. the 1st-party master password. [But what about 1st-party 2FA? I will get to that later]
But is it a bad thing? Not always. That depends on your threat profile.
When is 2SA just as good as 2FA?
In both cases below, 2SA provides just as much security as 2FA
Accidental password exposure.
Imagine you have Facebook password and Facebook TOTP seeds.
A bad actor spies your Facebook password over your shoulder.
But when they try to login, they are prompted for TOTP code. They cannot use previous TOTP code, and they do not have the TOTP seed to generate new one.
Imagine Facebook stored passwords in plain text (tsk tsk). Someone hacked their DB and posted the logins/passwords openly on the internet.
A bad actor now tries to login to your account (before Facebook learns about the breach and forces everyone to change passwords).
But when they try to login, they are prompted for TOTP, which they don’t have.
When is 2FA superior to 2SA
Password manager compromised.
Imagine you are on home PC. Your vault is unlocked for convenience, or a close bad actor actually knows your master password after months of spying over the shoulder. And since this is a trusted computer, your 1st-party 2FA is not in the picture.
You step away to the washroom or take care of kid or anything.
A close bad actor (cheating spouse, crackhead brother, stealing teenager, anyone) sneaks onto your computer and tries to login to your bank account. They have the 3rd party password right there in the vault. If you also saved the TOTP seed in the vault, they have that too now.
However, if you kept your TOTP codes on a separate factor, like your phone (which is hopefully fingerprint locked, or at least you took it with you when you stepped away), then they still cannot login to your bank.
A compromised vault is not the end game
This is the distinguishing detail. A lot of people approach threat mitigation as ending at compromised vault. They think once a vault is compromised, that’s it, game over. In that case saving TOTP seeds along with passwords makes no difference.
For me, a compromised vault is not the end game. For me, a compromised back account is the end game. This is why my bank TOTP seeds will never be in a vault. And before you say that most 2FA/2SA can be bypassed by contacting support and email access: I don’t keep my email password in the vault either.
However, for trivial accounts, like Facebook in fact, I would keep the TOTP seed in the vault for convinience.