You and I are on the same page. Absolutely critical passwords (email, git, work, bank) are not stored in BW, and in the case of work and bank, I know I (or my next-of-kin) can show up in-person and resolve login issues if I lose everything. Everything else goes into Bitwarden, and I absolutely do not want to depend on something I have—whether that's a device or piece of paper or fingerprint! All of these can be lost!
Plus, I'm not sure how my account becomes more secure by putting recovery passwords over there, a hardware key over here (and its backup key and own recovery codes in the junk drawer), a TOTP entry on my phone, etc. Might as well tape a post-it note to those infrequently used items with "Bitwarden, online password vault, <my master password>" so I don't forget their purpose in two years and toss them in the bin!
What would be best for me would be the regular master password and no 2FA, but send me an email when a login has occurred. It takes less than a second to swipe that away after the fact, but if I see a login email when I haven't just logged in, that would instantly get me suspicious.
If I'm without any devices—which happens a lot more often than my passwords getting stolen—then I could still access my vault quickly—as my email provider sometimes does the "hey, you're on a new device or at a weird location, can you 2FA real quick??" ordeal.
If someone gets my password and logs in without my knowledge, the email would reveal this. I'd give very improbable odds of someone stealing my master password plus getting access to my email and being able to delete the login message before I see its notification on my phone or computer. It's almost the contrapositive of 2FA; a malicious actor would need "what I know" and rely on me not having "what I usually have".
Beyond that, 2FA is plain inconvenient. I'm not looking to extend my vault timeout so anyone walking by my unattended computer can explore. I'm not looking to lock my vault every time I take a pee. I'm not looking to fingerprint my smartphone every time I want to log in at bbforum.myweirdhobby.com (especially if that site has its own 2FA, as many now do).
Five seconds (ten max) to log in at any site. Longer than that and I might as well go back to a single, shared, insecure password.