Security risks of using Bitwarden as authenticator and password manager

Great discussion going on. Salute to everyone who shares their insights, especially the people who develop this platform.

In aviation they have the Swiss cheese model. The idea is simple. No single security layer would protect you 100% from the threats. There will be some weak areas that can be penetrated in each layer. By adding multiple layers on top of each other, you close those gaps. So more layers (i.e. 2FA) is always good practice.

There is a flip side to that coin, and that’s the convenience. You can set up more layers, but considering you enter passwords multiple times a day, each layer will increase the complexity for you and make the login process longer.

I really like the BW and would love to use the in-built TOTP to simplify the login process, but there is an inherent flaw to how BW is built, and it’s the master password. Since the platform can be accessed on the web with only the username/password pair, as soon as someone gets hold of my password, boom, game over. I’ve never used Authy but as far as I understand, you can limit the number of devices that can be used to access the platform.

I understand that you can deauthorize or log out all the other sessions, but this makes things even worse, because the person who has the master password can lock all the sessions and change the password, hence kicking you out forever.

Am I missing something here? Is using a hardware key the only way to secure BW over a single password?

I used to think the phones were flawed in terms of security, but at least biometrics add another layer of security. So if I were able to limit the access to BW to only known devices, and disable web access completely, I could rely on the biometrics as a layer in 2FA. Between a desktop with fingerprint sensor, a phone and a tablet, I would have enough, and more importantly practical, backup devices in case I lose one of my devices.

Any thoughts on this?

1 Like

I respectfully disagree. Statistically, one strong basket with a 2% risk is less secure than two baskets each having a 10% risk.

Even if you have the strongest password, once it’s compromised, it’s game over.

Not if you set up 2FA (eg. use Authy) on your Bitwarden account. You can even use a Yubikey. No one can then access the vault but the person at the location where the Yubikey is inserted.

As for myself, I have a Duo account with Push notifications. So when I login to Bitwarden, it sends my phone a notification to accept or decline access to my vault. Even if someone knows my master password, they need to get my phone before the Duo push times out. They also need to know the notification was sent—assuming they had my phone—but it doesn’t appear as a popup. It silently appears in the background.

Personally, I like the fact putting my TOTPs in Bitwarden lets me know which accounts can have TOTPs but don’t yet. I couldn’t do that when they were separately in Authy. Not as easily anyway.

2 Likes

Alright using the word “flaw” was a mistake from my end. It is what it is.

Your answer is also valid, but think about it. You are creating a workaround to this “design choice”.

If I was able to limit the number of devices, then my existing devices would act as “something that I own” and the password “something that I know” completing the 2FA setup.

The ability to login to BW on the web with just the username/password pair invalidates my devices (phone, desktop, tablet) as the “something that I own” category.

Using a separate application introduces another step and complexity to the whole setup. Given that all devices have biometrics nowadays, I should be able to meet the 2FA requirements with one device.

But that’s what I’m saying. You can’t login with just the un/pw on the web if you have 2FA enabled on access to your vault. There is not an ability to login to my vault on the web with just my un/pw. If I try, the web vault prompts for my second factor.

@chyron8472 , believe me, I understand your point. You say, if the 2FA is enabled, you have to use this method and can’t access the platform without it. OK, I get that. However, my comment/request is different from this.

Why do you need the 2FA? To have a layer other than “something you know”. In case someone gets your password, you want to protect your account.

Again, if I was able to limit the access to a list of devices that I own, this would limit the “intruder” to use my devices. And my devices are secured by biometrics, i.e. “something that I am”.

Since BW is accessible to anyone who has the username/password pair on the web, I can’t use my devices, and the biometrics as an additional level of security, because I can’t enforce biometrics as a mandatory security level.

Hope this time it’s more clear.

1 Like

I see. You can’t block access to your vault from any and all devices you don’t use, as a method of security, because the Web Vault is a thing.

I suppose so, sure. I would argue though that, while the security method you want is not available unless you self-host, that doesn’t mean the security methods otherwise readily available aren’t sufficient.

I can see where you’re coming from though.

How do I access the Bitwarden Authenticator?

You upgrade to Premium for just 10 USD/year.

Here are some more details:
https://bitwarden.com/help/article/authenticator-keys/

1 Like

I have to agree! Embarrassing as it is- working in Sales for an IT Co., when I left, the CIO who was wiping my laptop called me and told me about Bitwarden!

He discovered that I had my passwords stored on my corporate laptop (and they were on my home computer too) in an Excel file. At one time they were password protected, but I had to disable it for something and it was easier to reference without the password, so I just kept it off.

I have been so grateful for the security Bitwarden offers. I knew better than to take security for granted. I have worked in the law enforcement arena for more than 15 years helping prosecute federal crimes and forfeit the assets of criminals and proceeds of crimes to give back to victims and law enforcement. I have attended numerous trainings on how to physically protect oneself and take various “street-wise” precautions. However, as a child of the 80s - 90s, we didn’t have cybercrime- this is all still science fiction to some of us. So the miracles of Bitwarden are just that- miracles!

1 Like

I think the same way.

I use an external app as a 2FA for my bitwarden account so even if someone managed to steal my bitwarden credentials, they would still need a 2FA to gain access.

I don’t know if there’s a way to get past it though; I’m not a cybersecurity expert, unfortunately. But I do think it should make it harder, at least.

2 Likes

Same here, but you’d have to know my Vault PW and have my Yubikey to gain access - not going to happen!

So yes, I store all of my Codes and Passwords in BW.

I’ve heard good things about andOTP. I use Aegis, which I believe falls in the same category:

  1. FOSS
  2. Capability to export unencrypted backups (if you so desire, be careful)
  3. Capability to export encrypted backups
  4. Can set it up to save encrypted backup every time you make a change.
  5. …I set it up as described in 4 and also use Foldersync to automatically back up these encrypted backups to the cloud… so I always have a current encrypted backup with no ongoing effort required.
  6. Ability to use biometrics to unlock if you so choose.
  7. Folder categories, searching, sorting.

1 Like

Great points

Even though I mentioned andOTP. Currently, I am using Aegis as my default token generator. I really do enjoy using it and imo it is better than andOTP.

1 Like

Given the LastPass breach I think this topic has become very relevant. I see a lot of advice below stating that because Bitwarden is secured with multifactor authentication then it should be safe for you to store TOTP codes there AND use it as your password manager. The main takeaway from those points I think is that if your Bitwarden vault is compromised then it is game over anyway. However, security is generally a game of defense-in-depth and I do believe that separating the authenticator app from your password manager adds an additional layer of security. These are my reasons:

1.) I don’t think that you can count on your Bitwarden vaults to be protected by MFA. The LastPass breach highlighted that if someone hacks the password manager’s servers and steals the customer vaults then you are only protected by a single factor. The mitigating control in this case is the strength of the encryption and making sure that you are using a very strong master password and that the number of iterations in the derivation function is kept high and updated. Still, keep in mind that in this case your TOTP codes and Passwords are protected by a single (hopefully strong) factor.

2.) In the event your device is infected with malware, no password manager can make guarantees about the security of the vaults. The reason for this is that the attacker can easily get your master password or just export the decrypted data on the client side. However, if your TOTP codes are in Bitwarden the attacker has everything they need to access your most sensitive accounts. I would argue that makes it much LESS secure than even using text messages for MFA, as then the attacker would need to perform a SIM swapping, man-in-the-middle or social engineering attack to get the code. (Still stronger than e-mail though, because an attacker who compromised your machine would almost definitely have access to your e-mail account via established sessions.)

If you have a secondary authentication app that requires biometrics for access which is different than Bitwarden (and maybe even on a different device, for example an app on your phone rather than on your PC), you will have introduced yet another layer of security and difficulty for the attacker to access those particularly sensitive accounts. The main argument I would say in favor of storing TOTP codes in Bitwarden is convenience. If you are less likely to use MFA due to the inconvenience of using authenticator apps and Bitwarden would make you use it more, then you should probably use this feature (e.g. people with lower risk tolerance or family members with less technical proclivities). Otherwise, separating the authenticator app from the password manager would add an extra layer of security and is probably the right way to go.
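Point 1 above (a stolen vault is protected only by the master password and the KDF iteration count) is easier to reason about with a concrete model. The script below is an added illustration for this thread, not Bitwarden's code or its exact key schedule: it stretches the master password with PBKDF2-HMAC-SHA256, keeps the resulting vault key on the client, sends the server only a further one-way hash for login, and seals a constructed vault blob. The cipher is a toy HMAC keystream so it runs with the standard library alone (real products use AES); the e-mail, password, iteration counts and vault contents are constructed sample values.

```python
"""Model of vault-at-rest protection for the server-breach scenario (added illustration)."""
import hashlib
import hmac
import os
from typing import Optional, Tuple


def derive_keys(master_password: str, email: str, iterations: int) -> Tuple[bytes, bytes]:
    """Return (vault_key, auth_hash) from the master password.

    vault_key (enc || mac, 64 bytes) never leaves the client; auth_hash is the value the
    server stores. A thief holding the encrypted vault must run the full PBKDF2 loop
    for every password guess, which is why the iteration count matters.
    """
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"),
        email.lower().encode("utf-8"), iterations, dklen=32,
    )
    enc_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"vault-integrity", hashlib.sha256).digest()
    # One extra one-way step so the server-side value cannot be turned back into the keys.
    auth_hash = hashlib.pbkdf2_hmac(
        "sha256", master_key, master_password.encode("utf-8"), 1, dklen=32
    )
    return enc_key + mac_key, auth_hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256 (illustration only, not a real cipher)."""
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def seal_vault(vault_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = vault_key[:32], vault_key[32:]
    nonce = os.urandom(16) if nonce is None else nonce
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_vault(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong or the blob was tampered with."""
    enc_key, mac_key = vault_key[:32], vault_key[32:]
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong master password, wrong iteration count, or tampered blob
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def demo(iterations: int = 600_000, old_iterations: int = 100_000) -> dict:
    """Constructed scenario: the vault blob and auth hash leak from the server."""
    email, password = "user@example.com", "correct horse battery staple"   # constructed
    vault_key, auth_hash = derive_keys(password, email, iterations)
    # Constructed vault content; a TOTP seed stored beside the password shares its fate.
    blob = seal_vault(vault_key, b'{"site": "example.com", "pw": "hunter2", "totp": "JBSWY3DPEHPK3PXP"}')
    wrong_key, _ = derive_keys("password123", email, iterations)
    stale_key, _ = derive_keys(password, email, old_iterations)  # key before an iteration bump
    return {
        "opens_with_correct_password": open_vault(vault_key, blob) is not None,
        "opens_with_wrong_password": open_vault(wrong_key, blob) is not None,
        "opens_with_old_iteration_count": open_vault(stale_key, blob) is not None,
        "auth_hash_reveals_vault_key": auth_hash in vault_key,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `opens_with_old_iteration_count` result is why "kept high and updated" is not a free setting: raising the count changes the derived key, so the vault has to be re-encrypted under the new key, and the stolen copy stays protected only by the count in force when it was sealed.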

Great question. To reply:

  1. Risk assessment of using Bitwarden Authenticator
  • This seems another example of the classic risk assessment question of the trade-off between security and convenience
  • For me personally, bundling 2FA TOTP code provisioning into my password manager is 100% no go
  • Risk can be considered a product of 2 factors: probability x impact
  • Like others have listed, I reduce the probability of my Bitwarden account being hacked by using a strong primary password (I’m a bit uncomfortable with the term ‘master’ password) and using a 3rd party 2FA smartphone app
  • This though isn’t a 100% guarantee that the account won’t be hacked, especially as highly motivated, skilled and equipped hacking groups increasingly target 2FA bypass attacks (e.g. stealing session tokens from web browsers, which seems a good reason to use the Bitwarden downloaded app rather than the Bitwarden browser extension)
  • The impact of my password manager being hacked though (as others have stated) would be catastrophic
  • Hence why I personally use a separate 2FA tool from Bitwarden, to act as a firewall between the 2
  • I understand this next point is unrealistic for many others; I take this firewalling a step further by not using my Bitwarden and the 2FA app on the same device. I run 1 on a PC and 1 on a smartphone
  2. Choice of 3rd party 2FA smartphone app

a) If you are heavily invested in the Microsoft ecosystem, Microsoft Authenticator may be the best option. MS Authenticator offers Push Notifications for 2FA authentication of Microsoft accounts. These push notifications are being further strengthened as Microsoft roll out Push Notification Number Matching (in case of doubt, this is not the same as 2FA totp code generation). Look up MS Authenticator number matching elsewhere, it is really excellent and a step above using 2FA totp codes. MS Authenticator offers totp codes for 2FA of non-Microsoft accounts.

A key question to ask re 2FA smartphone apps, is how do you access your 2FA secrets if you lose access to your smartphone? Microsoft Authenticator offers a ‘Cloud backup’ option that can be enabled if you use MS Authenticator to protect a personal (i.e. non-work, non-school) Microsoft account. E.g. Hotmail, live.com, outlook.com. It is though important to enforce 2FA on the personal Microsoft accounts. Otherwise the MS Authenticator recovery process seems vulnerable if someone steals the password for the hotmail/live.com/outlook.com account. I make this point since MS Authenticator can be used for 1 factor passwordless login that doesn’t remove password as an authentication option. If you don’t use a personal Microsoft email product, MS Authenticator is a poor personal 2FA choice.

As was shown by the LastPass breach late last year, use strong passwords to protect your accounts in case a vendor suffers a data breach, allowing 2FA bypass of the stolen data.

b) Google Authenticator

This lacked a cloud backup feature until this year. Concerns have been raised re how secure Google Authenticator cloud backup is. Search online for yourself to see details (this forum is blocking me from including a weblink).

c) Authy

Authy forces the user to set a cloud backup password as part of the registration process. However, Authy is a spyware product:

i) The user is obliged to enter their phone number as part of registration
ii) Install the duckduckgo browser on your smartphone and enable the ‘application tracking protection’ feature. This feature will report Authy as a prolific and determined tracking product.

Another Authy shortcoming is that SMS text can be used to gain access to the totp secrets (making Authy vulnerable to SIM swap attacks).

Authy’s ‘multi device’ feature is enabled by default. It’s been suggested multi device being enabled increases the attack surface, and so it’s worth considering disabling multi device if using Authy.

d) 2FAS

This is an excellent, open source totp code 2FA product. 2FAS contains the option to:

i) Enable cloud backup to the user’s cloud storage (either google drive or icloud based on smartphone OS)
ii) Password protect that back up file

The cloud backup file gets saved as a hidden file in the cloud storage.

e) Aegis

Aegis imho has been overtaken by 2FAS. To cloud backup Aegis, the user has to enable Android backup on the smartphone. This is an entire Android backup in which sub-components to be backed up can’t be user selected. Aegis was an Android only product last I checked. Aegis allows manual backups for those who prefer manual backups.

f) &OTP

Last I checked, this required manual backups to be taken since there’s no cloud backup feature. Some people don’t like cloud backups and consider this a strength of &OTP.

g) Duo

I can’t comment as I’ve only ever used free 2FA smartphone apps. My understanding is there’s no free version of Duo. If procuring a 2FA product (which I am considering), I’d get the elevated security of a hardware based product such as Yubikey rather than Duo.

Please feedback re any errors or omissions in this update.

That is absolutely not true for TOTP.
It is based on symmetric encryption.
The authenticating party and the verifying party must both have the seed for it to work.
So if Facebook’s external auth db was fully compromised there, the TOTP seed is also accessible to the attacker.
Even if encrypted, it must be a reversible encryption to use it again.
Also they could just delete the flag that requires TOTP. Your data is not bound to that key, in any way.

TOTP only protects against password theft elsewhere.

@drosselbart Welcome to the forum!

If we’re going to clarify a comment that was made in January 2021, then I would like to point out that even though your objection is valid, the point that @slavdok was making in the excerpt that you quoted is still valid: for the scenario of an external breach, storing the TOTP seeds in Bitwarden does not weaken your security.

Lol.
Ok recommendations really kinda simulate recency.
Yeah to the latter.

Google Auth works great cuz they have sync now