Security risks of using Bitwarden as authenticator and password manager

There are 2 concepts:

  • Two-Factor Authentication (2FA)
  • Two-Step Authentication (2SA)

A lot of times these are used interchangeably. They both offer increased security, but they are not the same. Having your 3rd-party account TOTP seeds stored in Bitwarden, unlocked by the same method as your 3rd-party account password (i.e. unlocked by single master password) downgrades them from 2FA to 2SA. A different factor would be something different than your master password. That’s why it’s called 2-factor.

A factor is not “another password”. A factor is one of:

  • Something you know (a password, a TOTP seed)
  • Something you have (a security key, a phone/device with TOTP seeds)
  • Something you are (biometrics)

You see above how storing 3rd-party passwords and 3rd-party TOTP seeds together (in password manager) makes it “same factor”, unlocked by the same method: something you know, i.e. the 1st-party master password. [But what about 1st-party 2FA? I will get to that later]

But is it a bad thing? Not always. That depends on your threat profile.

When is 2SA just as good as 2FA?
In both cases below, 2SA provides just as much security as 2FA.

  1. Accidental password exposure.
    Imagine you have a Facebook password and Facebook TOTP seeds.
    A bad actor spies your Facebook password over your shoulder.
    But when they try to login, they are prompted for a TOTP code. They cannot use a previous TOTP code, and they do not have the TOTP seed to generate a new one.

  2. External breaches.
    Imagine Facebook stored passwords in plain text (tsk tsk). Someone hacked their DB and posted the logins/passwords openly on the internet.
    A bad actor now tries to login to your account (before Facebook learns about the breach and forces everyone to change passwords).
    But when they try to login, they are prompted for TOTP, which they don’t have.

When is 2FA superior to 2SA

  1. Password manager compromised.
    Imagine you are on your home PC. Your vault is unlocked for convenience, or a close bad actor actually knows your master password after months of spying over your shoulder. And since this is a trusted computer, your 1st-party 2FA is not in the picture.
    You step away to the washroom or take care of kid or anything.
    A close bad actor (cheating spouse, crackhead brother, stealing teenager, anyone) sneaks onto your computer and tries to login to your bank account. They have the 3rd party password right there in the vault. If you also saved the TOTP seed in the vault, they have that too now.

However, if you kept your TOTP codes on a separate factor, like your phone (which is hopefully fingerprint locked, or at least you took it with you when you stepped away), then they still cannot login to your bank.

A compromised vault is not the end game
This is the distinguishing detail. A lot of people approach threat mitigation as ending at compromised vault. They think once a vault is compromised, that’s it, game over. In that case saving TOTP seeds along with passwords makes no difference.

For me, a compromised vault is not the end game. For me, a compromised bank account is the end game. This is why my bank TOTP seeds will never be in a vault. And before you say that most 2FA/2SA can be bypassed by contacting support and email access: I don’t keep my email password in the vault either.

However, for trivial accounts, like Facebook in fact, I would keep the TOTP seed in the vault for convenience.


Great detailed explanation.
As I’m used to it, I’ll keep my TOTPs on my Android device (andOTP) and unlock it and the TOTP app itself with fingerprint.

Hello @slavdok,

I was thinking the same thing about the mobile phone.

  • Isn’t SMS on the phone?
  • Isn’t 2FA app on the phone?
  • Also most of the apps you are using?

The phone becomes very important (single point of failure). If I lose it, I’m screwed.

It is good, but only has a limited amount of storage for the secrets. 32 rings a bell, BICBW and I can’t be bothered to look it up. So good for a subset of someone’s accounts, but not all of them.

“The phone becomes very important (single point of failure)”

Yes and no, depends on the circumstances.

For example Authy will synchronise across all your devices, so if you lose a phone you de-authorise Authy on your phone from your computer, get another phone, install Authy on it, authorise the new phone to use your Authy from your computer.


This. This is why I like storing TOTPs on Bitwarden.

When I used Lastpass, I had Authy for Desktop installed, which is still the same “factor” as a password, as per @slavdok’s post about 2FA vs. 2SA, since it was accessible on the same machine and also removed the necessity for having my phone to access TOTPs.

Unless you don’t know your Authy pw (because it was generated by Bitwarden), and accessing Authy on a new device prompts for a password you don’t know because it’s in a Bitwarden vault that you can’t access because its TOTP is in Authy.

That would be foolish. The wise have copies of it, no matter where it was generated, just in case. I have no idea what mine is, but I can easily call it up (from heavily encrypted storage) when I need to find out what it is.

This gets tricky with semantics, I won’t deny it, but let me try to break it down. (Also, just for the record, I also use Authy for Desktop)

  • On your PC, you have your Bitwarden app
  • On your PC, you have your Authy Desktop app

Does that make them same factor? Remember: “Something you know”, “Something you have” are different factors.

  • Your Bitwarden app is unlocked by your Master Password (something you know)
  • Your Authy Desktop app is unlocked by your Authy Backup Password (also something you know).

“Aha, you see!” you say. But wait a second, your Authy Desktop is not unlocked solely by Backup Password. It also requires your device (PC in this case) to be previously authorized. In other words, it requires “something you have” (your PC).

  • What if someone got a hold of your Authy Backup Password. Would they be able to login on their desktop? No. Authy will not work, because their device/PC is not authorized.
  • What if someone got a hold of your PC. Can they just open Authy and use it? No, they need your Backup Password (unless you specifically disabled that, thus you downgraded your security on purpose).

So, your Authy Desktop is still protected by 2 factors: something you know (Backup Password) and something you have (your Authorized PC).

If somebody gets a hold of both passwords, your Bitwarden Master Password and Authy Backup Password (both being the same factor: something you know), they still cannot access either remotely, because they don’t have something you have (your Authorized PC). 2FA’s exact purpose is that: if someone found a way to break 1 factor (be it stealing passwords through phishing, or physically stealing a device), they still need the 2nd factor.

It’s different when somebody in your house hold gets a hold of your BW MP and Authy BP, and they have your PC. Now they can access your 3rd party passwords in BW and their respective TOTP seeds in Authy Desktop. But think what just happened: someone just got a hold of 2 of your factors: your master passwords (something you know) and your authorized devices (your PC).

Similar reasoning applies to Authy and BW apps on the phone. Authy on phone doesn’t require Backup Password. It can be additionally protected by Fingerprint (something you are, yet another factor). It really should be the case, but let’s say even that is disabled. So, you have Authy on your phone, with no pin and no fingerprint unlock on the Authy app, just like SMS.

You also have BW app on the phone. You at least have Fingerprint protection on that, do you? Let’s say you don’t. Let’s say, for convenience, you configured BW app to “never” lock (and we aren’t even going to touch the phone unlock method at all for this discussion). This is essentially done by storing your Master Password (something you know) onto your device (something you have). By configuring BW app to “never” lock and without Fingerprint or PIN unlock, you are changing the equation. Your BW app is no longer unlocked by something you know (your password). No, it’s not. It is now unlocked by something you have (your phone).

If at this point, someone steals your phone, they have just 1 factor (something you have, your phone). But you purposely configured Authy not to be protected by any other factor, and you purposely configured BW not to be protected by any other than the same factor. If someone steals your phone, they still only broke 1 factor (something you have). I am sorry, but it’s you that downgraded the security of BW from 2 factors to 1-factor by telling it to “never lock” (essentially storing your Master Password on device).

But, what if you had Fingerprint (something you are) or PIN (something you know) on BW app? Well, that’s a 2nd factor. So now, if someone steals your phone (something you have), which would give them access to unlocked Authy, or SMS TOTP codes, for that matter, they still don’t have your BW MP (something you know) or PIN (something you know) or Fingerprint (something you are). They can steal the phone, marvel at the TOTP codes changing on the screen all day long, and they still cannot access your vault without the 2nd factor.


I’ve been starting to consider getting a Yubikey for accessing my BW vault…

EDIT: Actually, I just installed Duo on my phone, so I can get push notifications to login to BW rather than inputting a TOTP.

Hi @Pulsar

The phone is definitely very important. Read my post here:

It explains how even though it’s easy to think of the phone as a single “factor”, in fact the apps on it are usually protected by 2 or 3 factors (the device itself - something you have, the unlock pin/pattern - something you know, and the fingerprint - something you are). If someone steals your phone and even knows your phone unlock pin/pattern, it’s usually not enough because they still need your biometrics even in the app. However, it’s up to you to make sure you do not downgrade the security of your phone too much.

Very important: do not set BW app to “never lock”. When you do that, you are changing BW unlock from “something you know, the password”, to “something you have, the phone”

But the problem with the phone is not even BW or Authy. The problem with lost phone is your logged in email account (and many others). Not only the attacker can immediately impersonate you in apps and emails, but they can also use that email access to reset 2FA or outright change passwords of many 3rd party sites, without even requiring to unlock your BW and/or Authy.

And yet, if prepared, you can mitigate most of those situations:

  • You can remotely deauthorize BW sessions (including the phone)
  • You can remotely deauthorize Authy devices
  • You can remotely logout your email accounts
  • You can even remotely wipe the phone in most extreme cases

Pretty much the only thing you cannot remotely lock is your SMS (another reason SMS 2FA is so weak)

So while losing your phone is definitely dangerous from exposure point of view, you can rectify the situation promptly if you have access to a computer (or maybe another phone).

Now the real problem is your own backup, so that you are not locked out. Have a backup 2FA (whether it’s printed recovery codes, or secondary Authy Device/Desktop or Duo account)

There are so many useful insights in this discussion! One thing that was brought up was the weakness of SMS for 2FA. Bitwarden doesn’t even have that option, probably for this reason? (Except via Duo SMS). Now I’m wondering why a number of banks I know have 2FA with SMS or voice call only? They do not have any app-based or key-based options. If SMS is that weak, why haven’t these banks wised up?

Banksters do the least they can get away with. They reason that “everybody has a phone”, which they pay for, so the banksters can use that at no cost to themselves.

Allowing “complicated” things like security keys makes things more difficult/expensive for the banksters. Unless losses rise dramatically, or they are forced to do something by regulators/the law they will do nothing.


It really depends on your threat model.

General rules of thumb

  1. If you don’t have physical security, you don’t have any security.
  2. If your device is compromised, you’ve already lost. An attacker using your Google session to remotely install malware onto your phone is but one of infinite examples.
  3. TOTP on your cellphone is just 2SA with more steps. 2FA “something you have” also means something you can’t duplicate.

Ideals are a starting point for discussion. While my points may be technically correct, real world security is about layers, because no layer is perfect, but collectively they dramatically reduce the blast radius.

I think we can all agree that using a separate TOTP app on a separate device is more secure.

But if you look at the kind of actual attacks that happen in the real world, it’s against the low-hanging fruit of people who re-use the same weak password across sites, or phishing. I haven’t ever heard of someone attacking password managers short of a nation state attacking specific high profile corporate targets. Then OS providers fix the hole.

The purpose of TOTP isn’t to protect against these Hollywood fantasy attacks, it’s to compensate for weak passwords or buy time for password leaks, not your computer getting hacked. Storing TOTP in BW still delivers on this.

TOTP is only 75% effective against spearphishing, but over 90% effective against general hacking attempts.

If you want real 2FA, you need a real 2FA(something you have) like a security key that cannot be duplicated short of physical compromise with immense effort and skill.

I know people who get their accounts hacked periodically and they change their passwords regularly, every time they’re hacked. They reinstall Windows, buy new computers, get new credit cards, everything. It doesn’t stop them from being hacked because they keep doing things that lead them to be hacked. Then there’s me. Been using the same weak-ish password for all of my hundreds of accounts using the same email for 20 years without an issue.

Not getting hacked is more about good internet hygiene than some mystical attacker “Hacking” you.

My personal recommendation is to use strong unique passwords per service and stop worrying about where you store your TOTP codes. The most important thing is to use TOTP and not lose your codes. How many people lose their TOTP secrets when they get a new cell phone because someone told them not to use Authy or store TOTP in their password manager? Too many, that’s how many.


Preach :). For people who are paranoid use a Yubikey or U2F. I store my seeds in BW for everything because I feel that is right for my threat profile.


Yes, I completely agree with what @go12 (Gary) said. You can argue a lot of things, but at the end of the day it still comes down to what the end user wants to do. Like Gary said, “As with many discussions in security, it comes down to balancing what is right for you and there is no single right answer for all use cases”. And @hwsamuel, I think going out of your way just to disable a feature built in to Bitwarden (just because it may be a bit more convenient, and/or maybe a bit less secure than doing it another way) is kind of unnecessary, I would say myself.


I honestly don’t see what the issue is with using Bitwarden for both. The purpose is to make it harder for your accounts to get hacked/compromised. Storing both credentials in your vault won’t make it less secure to that end, assuming you secure your vault (which you should do already anyway).

Users bring up the case of “more sensitive logins”… but that suggests less sensitive logins don’t need much bothering about.

In my opinion, the primary factor is keeping access to the credentials’ locations secure. This “what if the vault is compromised?” scenario shouldn’t be a thing. Because if your vault isn’t secure you should either secure it or use a different vault that is secure. Securing only some of your accounts seems to miss the point of having a vault in the first place.

If you want to use a different authenticator than Bitwarden, that’s one thing. But doing so because you imagine your vault getting hacked should be entirely the wrong reason. Protecting your vault to begin with should be priority number one.

I wonder what your thoughts are about Bitwarden OTP being more secure than SMS or e-mail?
My line of thinking is:

  1. All in same software is conceptually bad, because its also on one device then.
  2. Different pieces of software is better, because they could reside on different devices.
  3. Total/enforced separation is best (BW combined with OTP on e.g. a yubikey)

I understand you weren’t asking me, but…

That assumes separate software is on separate devices, which is rarely the case. If you access an account on mobile, you use the vault on mobile; and likely the TOTPs are also stored on that same mobile. This renders the argument moot.

See above. They very likely don’t, depending on the use case. Also, if someone is in close proximity to you and attempting to access your vault on a device where you yourself use it, what is stopping them generating an excuse and asking to borrow your phone?

Yes. So protect the vault with a Yubikey and put everything together in the vault. In this way you combine the convenience of having everything in one place with the security of no one accessing it without the hardware key.

One could apply the same argument to accessing your vault. If your TOTPs are in your vault, and they need your phone to access it, just don’t give your phone to them.

I’m just saying, I think the concern about what would happen if the vault is compromised shouldn’t be a thing with respect to the argument regarding whether to store TOTPs in it. Because if the vault was vulnerable, you’d be better off not to use it at all.

Taking steps to secure your vault, such that you trust that you can rely on it— in my opinion, that is a better approach than being anxious that it might be compromised.


Not to a stranger. To someone you know. A friend or family member, for example. Someone who can gain access to your vault on a device you use to login to it.

I’m just saying… Secure your vault. Putting your eggs in different baskets because you don’t trust the one basket is the wrong idea. Have a basket you trust.