Security risks of using Bitwarden as authenticator and password manager

Generally speaking, it is a VERY, VERY, VERY bad idea to store TOTP seeds at the same location you are storing your passwords for sites. Then it kinda nullifies the whole purpose of 2-factor-authentication! If an attacker gets their hands on your Bitwarden vault to get your password, they would now ALSO get your 2FA:s (TOTP) and gain access to your accounts!!!

The whole purpose of 2FA is to be, well, 2FA. Another factor in case someone breaks your 1 line of defence. If they can get that as well as they get your passwords, it makes absolutely no sense to use 2FA at all, since it gives zero additional protection in case of compromise.

Personally I keep and use my TOTP:s on my iPhone's TOTP app, this way even if my Bitwarden/computer would be hacked, the attacker still cannot gain access to any of my accounts, since he can't get the TOTP:s from my iPhone. I keep backups of my TOTP:s and TOTP seeds in a KeePassXC database inside an encrypted container, that I open very, very rarely and only after making sure my computer is not hacked. This is the way TOTP:s should be stored and used. NOT inside the very same password manager you use daily and is prone to hackers.

  1. In general, you’re not wrong, I would say… but endless discussion, and there are two “sides”, both have pros & cons (and legitimate arguments) to it, and there is no definitive “that’s the only right thing to do it”…

  2. If it shouldn’t be done at all (ever), all password managers would disable that function. Obviously, that isn’t the case.

  3. If you see it that strongly, you shouldn’t ever store one passkey in your Bitwarden vault, as passkeys in most cases provide “full login functionality”, which would be equal to “storing the first and the second factor together in one place”. - Do you store passkeys in Bitwarden?

  1. The fact of the matter is, that it's not 2FA if there is only one secret to break to get in.

  2. Online password manager should disable that function or at least put it behind additional protection (another password, like I proposed here: https://community.bitwarden.com/t/additional-encryption-for-items-protected-by-master-password-reprompt/58065 )

  3. You and many other people are mistaken about what Passkeys are for. Passkeys are EITHER a) replacement for passwords (meaning that 2FA is still needed) OR b) a good 2FA (meaning that password is still needed). Passkeys are NOT something that eliminates 2FA / combines password+2FA into 1 thing!!! Then, well, it is NOT 2FA if it's just 1FA (Passkey)!!!

So storing Passkeys in Bitwarden is OK if they are ONLY used to replace passwords…and additional 2FA is still used (like TOTP). If they are used to replace 2FA then it's a bad idea, because the password is still needed and stored in Bitwarden anyway. If they are used to get rid of 2FA and just use 1FA then it is a terrible terrible terrible idea!

I only use Passkeys in forms of physical Yubikeys…This way they can never be hacked/downloaded from me no matter what is the case…THIS IS THE WAY THEY SHOULD BE USED. Unfortunately many sites do not allow them to be used as U2F but push to use them as Fido2 which is terrible from a security perspective (because then usually you don't have 2FA but 1FA, the passkey). Only very, very few sites allow to use Fido2 as login and TOTP as 2FA…or password for login and Fido2 as 2FA.

Again, if the only thing needed to sign into service is Fido2 (passkey), then you do not have 2FA, you have 1FA. And that is against even basics of security.

The reason OTP (one-time-passwords), including TOTP, were developed in the first place is to prevent replay attacks. The basic idea being that since they can only be used once, somebody watching over your shoulder (physically or electronically) is not able to later type the same thing on their computer.

The idea of bifurcating one’s credential came much later and using a separate vault for the TOTP code is but one way to do it. Pepper for your password is another approach that has the advantage of not doubling the administrative overhead (installing, managing, backing up two vaults) and having a smaller increase in the login friction for users.

There is a careful line we all need to walk here. Even if one uses the absolute worst MFA mechanism (looking at you, SMS) and stores it in the worst possible way, their security posture is substantially better than not using MFA in the first place. “Very Very Very bad” implies that MFA done poorly is worse than no MFA, which is not true.
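The replay protection described above, and its limit once the seed itself has been copied, as an added example that is not part of the original thread: a minimal RFC 6238 verifier that refuses to accept a time step twice. `ReplaySafeVerifier` and `demo` are names made up for this sketch, and the seed is the published RFC 6238 test seed.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class ReplaySafeVerifier:
    """Server side: accepts each time step at most once (RFC 6238, section 5.2)."""

    def __init__(self, seed: bytes, step: int = 30, window: int = 1):
        self.seed, self.step, self.window = seed, step, window
        self.last_counter = -1                   # newest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:     # step already used (or older): replay
                continue
            expected = totp(self.seed, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    seed = b"12345678901234567890"               # RFC 6238 test seed, not a real secret
    server = ReplaySafeVerifier(seed)
    observed = totp(seed, 59)                    # the code the user types at t=59
    return {
        "code_at_t59": observed,
        "first_use": server.verify(observed, 59),
        # The same code, captured by an observer and submitted again:
        "replay_same_step": server.verify(observed, 59),
        "replay_next_step": server.verify(observed, 61),
        "replay_much_later": server.verify(observed, 200),
        # A party holding the seed derives a fresh, never-used code instead.
        "seed_holder_at_t200": server.verify(totp(seed, 200), 200),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

An observed code is rejected on every later attempt, while a code derived from the seed is accepted, which is why the place the seed is stored matters separately from replay resistance.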

Hm, as this gets a bit off-topic now for this feature request here, I would like to respond only shortly now - and if this discussion should be continued, I suggest opening a separate topic for that.

It seems, you are in conflict with the FIDO Alliance here:

(source: https://www.passkeycentral.org/resources-and-tools/customer-support#web-based-faq-examples – and similar text also here: https://www.passkeycentral.org/introduction-to-passkeys/passkey-security#multi-factor-authentication → “passkeycentral” is a website of the FIDO Alliance)

Unfortunately, Bitwarden indeed has no User Verification mechanism for now. There are some signs, it will be implemented via the OS in the future… if that could be considered as “making Bitwarden-passkeys MFA (again)”, is a good question…

Speaking of factors again… there are also some people now - also part of the FIDO Alliance etc. - considering stop counting factors / stop thinking in factors may be the beginning of a new paradigm here… (as one idea of different factors was a reaction to some downsides to passwords, that are now mitigated with passkeys…)

PS: That said, I also value my YubiKeys - and store some passkeys only there…

The reason OTP (one-time-passwords), including TOTP, were developed in the first place is to prevent replay attacks.

Perhaps once. Better protection comes from the fact that you can split your login details into two parts, store them separately. Therefore anyone capturing one part of your login details will be unable to log in with your credentials. Again in terms of, let's say your computer gets compromised or Bitwarden hacked: If TOTP is in your phone, you have nothing to worry about.

“Very Very Very bad” implies that MFA done poorly is worse than no MFA, which is not true.

That is your interpretation. In reality, there is nothing gained with that MFA if your Bitwarden or computer gets hacked: The hacker can and will as easily get the TOTP as they get your passwords…and if they don't get access to your Bitwarden or computer, they can't get your password anyway and therefore your accounts are safe even without the TOTP. So the TOTP really does not give you any additional security in THAT CASE (that TOTP is stored in Bitwarden).

It seems, you are in conflict with the FIDO Alliance here:

Well, then Fido Alliance is wrong and I'm right. The passkey is ONE thing. ONE thing. One cryptographic key. ONE. If that key is compromised one way or another then that is it: Accounts are all compromised. So, compromising just ONE THING (the passkey) attacker can get into your accounts. That is then not protected by TWO factors, but ONE (the passkey). I don't care who says what: One is not Two. One factor is not Two factors. Passkey is just One thing, one factor.

Oh yes you can say it's “protected” by many factors (physical key and pin or biometrics in Yubikey). It's like saying you have encrypted your Gmail password with other password and now you have “2 factors” protection to your Gmail account. You don't. If I get your Gmail password, I can get in, because in reality there is no “2 factor” protection in your Gmail account: Your Gmail password is still the only thing I need to get into your Gmail account. Does not matter if you have 20 different passwords encrypting it in your computer, I don't need any of those, just the Gmail password is what I need. Same way with Passkeys: If I steal your passkey, I can get in, I don't need anything else. So that's just 1 factor I need to steal.

It becomes even more important if you do NOT use physical keys (yubikey) and biometrics (hey YubikeyBio), but Passkeys in Bitwarden!!! Then those Passkeys are NOT physical keys, but just code in program that can be hacked/extracted, there is really no difference between them and password really. I hack your Bitwarden, I get your Passkeys, I get to your accounts. 1 factor.

If however, you have U2F, TOTP, SMS or even email verification in place, I can't get in. Because that is 2 factors that I need and I only have 1 factor.

Bitwarden indeed has no User Verification mechanism for now

In Windows, you can sign in (after you have once opened it with password etc.) with Windows Hello to Bitwarden. That means PIN, fingerprint or face recognition. Isn't this a “user verification mechanism”?

The missing detail is that 2-factor means that you are using two distinct factors, where the factors are “something you know” (a password, even if written down), “something you have” (TOTP, yubikey, etc), and “something you are” (face-id, fingerprint). Distinct means different and is an extremely important part of this. Truly understanding authentication factors and the level of assurance they provide is best done by studying chapter 4 of NIST 800-63B, keeping in mind that NIST more-or-less refers to MFA authentication as AAL2 and Yubikeys/Hello as AAL3.

@Nail1684 was referring to user verification as it is defined in the Passkey (aka WebAuthn) specification. Although any of the vault unlocking mechanisms would qualify as “user verification”, the difficulty is that the specification requires UV during the authentication ceremony, not before. As currently written, the ceremony begins when you click “login with passkey”, not when you login to your vault.

Wow, that’s some arrogance. Fido Alliance quite literally wrote the book on passkeys.

One thing that may help wrap your head around passkeys is to stop thinking of them as an authentication mechanism (“thing”, “secret”, etc.), and to instead think of them as the website outsourcing (or in techie terms, federating) the authentication to the password vault. Basically, the vault is telling the website “yep, this is that same user that set up the passkey in the first place”. Put another way, the vault is the door attendant at a bar that checks your ID (i.e. belongs to you, not a forgery, etc.) and then puts the “old enough to drink” wristband on you. With the website being the bartender who simply looks at your wrist instead of going through the whole ID proofing.

The assurance level of a passkey is more about how the private key is stored/accessed locally by the vault, and not about the communications between the vault and website.

@mmja, @Nail1684, As today’s conversation really did not belong in Show TOTP Copy Button only when TOTP is stored/enabled - #33 , I moved it into this existing conversation.

Your PC being hacked is not the only risk you face. What I am saying is that TOTP was designed to protect against a different type of risk – replay attacks.

The missing detail is that 2-factor means that you are using two distinct factors

In case of Passkey stored in Bitwarden or anywhere it can be extracted, there is NO TWO FACTORS. There is only 1 factor: Passkey, the ECC key involved. If I grab that from you, I do NOT need any “other factors”. I do not need your fingerprint, I do not need your PIN, I do not need “something you have”, I do not need “something you are”. I don't need them. I have the ECC key = Passkey and I can use it to sign into any service you are using it to, without ANYTHING ELSE.

If you have a hard time understanding this, then please try to explain to me, what else would I need than the ECC key to sign in to services protected by that passkey?

So you see, that is 1 factor. The Passkey = ECC private key.

Now the situation is completely different in case of Yubikeys, where the Passkey never leaves the Yubikey. Therefore it can't be hacked off there, no hacker can gain it without physically stealing the Yubikey and having the PIN-code for it. That is 2 factors they need.

But when I steal your Passkey from Bitwarden, all I need is that Passkey = ECC private key, that is 1 factor.

Well, Yubikeys can also be hacked to extract the secrets without knowing the PIN-code.

I’ve only cursorily been following this discussion, but it seems that you are applying much stricter standards to the Bitwarden vault than to the hardware key. No ECC can be extracted from your Bitwarden vault unless you have a weak, re-used, or non-confidential master password, and no attacker can obtain a copy of your vault unless they gain access to one of your devices, or to your master password and your two-step login factor.

With a Yubikey, all the attacker would need would be to get access to your key (which should be of similar difficulty to accessing one of your devices for purposes of exfiltrating the vault data). If the passkey is stored in your vault, they would either have to access your device during a time that you have unlocked the vault, or they would need to acquire your master password in addition to getting access to your device.

Well, Yubikeys can also be hacked to extract the secrets without knowing the PIN-code

Because of security vulnerability, not because of design and they require attacker to physically have the Yubikey, it is not possible to do this attack remotely. Other, similar security keys remain invulnerable and so are newer Yubikeys.

I’ve only cursorily been following this discussion, but it seems that you are applying much stricter standards to the Bitwarden vault than to the hardware key

No, the same standards. But Bitwarden vault, as any other software solution to store Passkeys, simply does not meet the requirements of secure Passkey, since gaining access to that software protection gains access to Passkey…which, if used as single method for signin to service, does not meet the criteria for 2FA since it's simply 1FA then. Pure logic.

The point remains:
If Bitwarden vault stores users' TOTP:s, Passkeys, or U2F tokens, then using TOTP, passkeys or U2F for various services provides users with ZERO additional security compared to simply secure password in those services. Because hacking Bitwarden vault provides attacker not only the passwords, but all the TOTP:s, Passkey and U2F tokens they need to sign in as that user to various services…and if attacker can't hack Bitwarden vault, then attacker can't get the passwords of that user either and can't sign in as that user to various services in any way.

Yes, they could, using a replay attack.

Are you implying that Bitwarden is designed to be hacked? I would respectfully beg to differ…

Yes, they could, using a replay attack.

No, not without the user's passwords for those services.

Are you implying that Bitwarden is designed to be hacked? I would respectfully beg to differ…

I said no such thing. I said that the vulnerability in Yubikey is a vulnerability, not normal operation and in normal operation Yubikeys Passkeys remain secured, even if attacker gets physical access to them - and remotely it is not possible to hack them in any scenario. However, Bitwarden vault can be hacked remotely and locally, compromising every single Passkey, TOTP, U2F that it has.

Again, as said:
Bitwarden vault is not a place to store Passkeys, TOTP, U2F or similar authentication tokens used for 2FA, since if you do that, then compromise of Bitwarden vault will compromise all your accounts, whether or not they are protected by any kind of 2FA or not. The point of 2FA is especially to prevent single point of failure by providing secondary authentication.

Huh? That’s what a replay attack is:

Replay Attack
An attack in which the attacker is able to replay previously captured messages (between a legitimate claimant and a verifier) to masquerade as that claimant to the verifier or vice versa.
[Source: NIST SP 800-63-3]

And as already noted by @DenBesten above, replay attacks are successfully thwarted using either passkeys or TOTP codes stored in your Bitwarden vault.

 


 

Yes, but by contrasting Yubikeys against Bitwarden, you are implying that vulnerabilities in Bitwarden are “normal operation”.

 

I can turn your words around and say that these risks are just due to a “security vulnerability, not because of design”…

Huh? That’s what a replay attack is:

I see, you think that attacker could somehow break https connections security and timestampings to actually perform such attack? LOL Gimme a break.

you are implying that vulnerabilities in Bitwarden are “normal operation”

What I'm saying is, that if Bitwarden vault is broken into and contains 2FA:s (TOTP, Passkeys, U2F, whatever) and passwords, then attacker can gain access to everything the user has…so it does not matter if user even has TOTP, Passkeys, U2F tokens at all, since he is in no worse situation now than he would be if he had just used passwords and saved them to this Bitwarden vault.

So, there is literally no reason to use any kind of TOTP, Passkeys, U2F if you intend to store them inside Bitwarden vault, because by doing so, you gain zero additional security compared to just having passwords stored there (and using just passwords everywhere).

I can turn your words around and say that these risks are just due to a “security vulnerability, not because of design”

You are not making any sense, just trying to red herring.

I guess you’re not familiar with AitM attacks. But replay attacks don’t even require sniffing of network traffic — a simple phishing scheme will allow an adversary to get access to passwords for replaying, not to mention info-stealing malware that can grab passwords and/or session tokens.

That is an overstatement. You are hyperfocused on a single attack vector (the complete compromise of a user’s Bitwarden vault), which is very unlikely to occur if one takes common-sense precautions. Other Bitwarden users may have more diversified threat models, which would include more common attack vectors for which passkeys and TOTP stored in Bitwarden do provide adequate hardening.

So while it’s perfectly fine for you to set up your security precautions to align with your own idiosyncratic threat model, your recommendations and opinions do not necessarily apply to users who have a completely different threat model.

A few common-sense precautions:

  1. Use a long, strong, random password for your vault. Current recommendation is 4 diceware words. Of course, you are welcome to use more if you wish.
  2. Enable at least one form of MFA for your vault.
  3. Maintain an emergency sheet (mitigates vault loss, not vault compromise).
  4. Keep your vault locked when not actively being used:
  5. Enable biometric unlock so it is easy to regain access, increasing the willingness to have a super-short lock interval.
  6. Never unlock your vault on a compromised device. This entails such things as promptly applying patches, embracing anti-malware software and avoiding software without an established positive reputation.

I guess you’re not familiar with AitM attacks.

You are again ignoring the fact that connections are https protected. I don't have to care who and how is sitting capturing my network traffic or trying to whatever, since TLS 1.3 will take care of security.

a simple phishing scheme will allow an adversary to get access to passwords for replaying, not to mention info-stealing malware that can grab passwords and/or session tokens.

If user is stupid enough to put their authentication details into wrong site, nothing will protect them. Then they will fill their TOTP:s too to the wrong site and allow attacker compromise their account. Even U2F and Passkeys offer very limited protection if your claim of capturing and reading network traffic happens (since attacker can just copy the cookies etc. and use them to sign in), for simple phishing attacks they at least offer some level of protection if site has implemented stuff properly.

AGAIN YOU FAIL TO TALK ABOUT THE MAIN ISSUE:
If Bitwarden vault is compromised and that vault contains not only passwords but also TOTP, U2F, Passkeys, then all is lost and game is over. Period. Putting all your eggs in one basket is a terrible idea and then it's really not 2FA since everything is in one place and the only “factor” attacker needs to gain access to everything you have is the content of Bitwarden vault. It makes no difference whatsoever to even bother using TOTP, U2F, Passkeys if you store them all in your Bitwarden vault, since you have no better protection than simply having just a password (and not being an idiot).

You fail to understand this fact and just red herring about everything else.

You continue to fail to understand, that if TOTP, U2F and Passkeys are NOT stored in Bitwarden vault (or similar online-capable vault that contains user's passwords), then there is NO SINGLE POINT OF FAILURE, since even the whole compromise of Bitwarden vault will not allow attacker to gain access to user's internet accounts, because attacker does not have TOTP, U2F and Passkeys.

I don't understand how many times this all has to be told to you so that you can again ignore it.