Great question. To reply:
- Risk assessment of using Bitwarden Authenticator
- This seems another example of the classic risk assessment question of the trade-off between security and convenience
- For me personally, bundling 2FA totp code provisioning into my password manager is 100% no go
- Risk can be considered a product of two factors: probability x impact
- Like others have listed, I reduce the probability of my Bitwarden account being hacked by using a strong primary password (I’m a bit uncomfortable with the term ‘master’ password) and using a 3rd party 2FA smartphone app
- This though isn’t a 100% guarantee that the account won’t be hacked, especially as highly motivated, skilled and equipped hacking groups increasingly target 2FA bypass attacks (e.g. stealing session tokens from web browsers, which seems a good reason to use the Bitwarden downloaded app rather than the Bitwarden browser extension)
- The impact of my password manager being hacked though (as others have stated) would be catastrophic
- Hence I personally use a separate 2FA tool from Bitwarden, to act as a firewall between the two
- I understand this next point is unrealistic for many others; I take this firewalling a step further by not using my Bitwarden and the 2FA app on the same device. I run 1 on a PC and 1 on a smartphone
- Choice of 3rd party 2FA smartphone app
a) If you are heavily invested in the Microsoft ecosystem, Microsoft Authenticator may be the best option. MS Authenticator offers Push Notifications for 2FA authentication of Microsoft accounts. These push notifications are being further strengthened as Microsoft roll out Push Notification Number Matching (in case of doubt, this is not the same as 2FA totp code generation). Look up MS Authenticator number matching elsewhere, it is really excellent and a step above using 2FA totp codes. MS Authenticator offers totp codes for 2FA of non-Microsoft accounts.
A key question to ask re 2FA smartphone apps is how do you access your 2FA secrets if you lose access to your smartphone? Microsoft Authenticator offers a ‘Cloud backup’ option that can be enabled if you use MS Authenticator to protect a personal (i.e. non-work, non-school) Microsoft account, e.g. Hotmail, live.com, outlook.com. It is though important to enforce 2FA on the personal Microsoft accounts. Otherwise the MS Authenticator recovery process seems vulnerable if someone steals the password for the hotmail/live.com/outlook.com account. I make this point since MS Authenticator can be used for 1 factor passwordless login that doesn’t remove password as an authentication option. If you don’t use a personal Microsoft email product, MS Authenticator is a poor personal 2FA choice.
As was shown by the LastPass breach late last year, use strong passwords to protect your accounts in case a vendor suffers a data breach, allowing 2FA bypass of the stolen data.
b) Google Authenticator
This lacked a cloud backup feature until this year. Concerns have been raised re how secure Google Authenticator cloud backup is. Search online for yourself to see details (this forum is blocking me including a weblink).
c) Authy
Authy forces the user to set a cloud backup password as part of the registration process. However, Authy is a spyware product:
i) The user is obliged to enter their phone number as part of registration
ii) Install the duckduckgo browser on your smartphone and enable the ‘application tracking protection’ feature. This feature will report Authy as a prolific and determined tracking product.
Another Authy shortcoming is that SMS text can be used to gain access to the totp secrets (making Authy vulnerable to SIM swap attacks).
Authy’s ‘multi device’ feature is enabled by default. It’s been suggested multi device being enabled increases the attack surface, and so it’s worth considering disabling multi device if using Authy.
d) 2FAS
This is an excellent, open source totp code 2FA product. 2FAS contains the option to:
i) Enable cloud backup to the user’s cloud storage (either google drive or icloud based on smartphone OS)
ii) Password protect that backup file
The cloud backup file gets saved as a hidden file in the cloud storage.
e) Aegis
Aegis imho has been overtaken by 2FAS. To cloud backup Aegis, the user has to enable Android backup on the smartphone. This is an entire Android backup in which sub-components to be backed up can’t be user selected. Aegis was an Android only product last I checked. Aegis allows manual backups for those who prefer manual backups.
f) &OTP
Last I checked, this required manual backups to be taken since there’s no cloud backup feature. Some people don’t like cloud backups and consider this a strength of &OTP.
g) Duo
I can’t comment as I’ve only ever used free 2FA smartphone apps. My understanding is there’s no free version of Duo. If procuring a 2FA product (which I am considering), I’d get the elevated security of a hardware based product such as Yubikey rather than Duo.
Please give feedback re any errors or omissions in this update.