I see a number of comments asking why the QR code is needed when the code is usually available; there are a few reasons.
- Anything which simplifies the process of enabling 2FA for people who are not technically savvy is a big win for security. For someone who is not technically savvy, finding the code and figuring out what to do with it may be confusing.
- The text code does not have all of the information that the TOTP QR code does. If someone is using Bitwarden for 2FA in some places and Authy or Duo in others, they will want the QR code, as it provides information about the provider and account name.
- Security best practice is to use 2FA from a dedicated source rather than your password vault. However, someone currently using Bitwarden for 2FA will find migrating difficult. If Bitwarden captures the QR code, it becomes far easier to create a migration workflow if someone wishes to improve their security in the future.
I know the Bitwarden team likes user stories, so here are a few.
Bill has heard about 2-factor authentication, but in the past, when he has tried to enable it for his bank account, he has run into dead ends. He starts the process, but then is shown a strange blocky picture and told to “enter it into his authenticator”. He doesn’t know what that is; he hasn’t had an RSA token since retiring, so maybe he can’t do it any more. But it’s a new year, and Bitwarden’s security checkup has notified Bill that he can enable 2-factor on MySecureBank. When he clicks for more information, Bitwarden shows how to click the Bitwarden icon, then his bank login, then the “2FA” icon. He follows the instructions on MySecureBank’s account page, and as soon as he clicks the 2FA icon in Bitwarden he sees a new “2-factor Code” under his bank account. Surprised at how easy it was, Bill goes on to enable 2-factor on his Etsy and Instagram accounts.
Greg has implemented Bitwarden Enterprise for his SOC, and has been pleased with it so far. They have also begun enabling 2-factor authentication across all of their vendor accounts. Recent red teams have reported a substantial increase in security, due in large part to these two measures. However, one vendor in particular only generates a single 2-factor seed per organization, which has created headaches. Whenever one of Greg’s analysts gets a new phone, they lose the seed, and generating a new one invalidates everyone else’s 2-factor codes. At the moment, their solution is to simply generate the new QR code and sync everyone’s authenticator at their weekly standup, but this runs into issues when people are out of office. Greg has considered storing the QR code in his home folder, but loathes the security ramifications.
Greg has heard that Bitwarden can now capture the QR codes, and sees a solution. He can store this (and other problematic QR codes) under a separate account within the organization which only he has access to. Whenever someone gets a new phone, he can log into that privileged account and display the QR code, allowing them to continue using the vendor. It maintains security, because multiple factors are necessary to access the QR code, none of the seed data is stored insecurely, and everyone can use 2-factor.
Tom is a lawyer, and knows enough about computer security to know that it’s a problem. He has been following all of the latest advice about complex passwords, vaults, and 2-factor authentication. But he has been reading about concerns about storing 2-factor codes in the vault, and this makes sense; if someone breaks into his vault, shouldn’t the 2-factor accounts still remain safe?
He’s decided to move his 2-factor authentication to a separate app; he has heard that Google Authenticator is good, so he has installed it and opened it on his phone. He has also opened up his Bitwarden web vault and pulled up his most important account. He sees a QR icon next to his 2-factor code, so he clicks it, and Bitwarden informs him that he is about to display the secret 2-factor key for this account and to ensure he is in a private location. He clicks OK, and scans the QR code in Google Authenticator, where a new entry appears with the correct icon, account name, and website name. He goes through all of his 2-factor accounts, scanning the QR codes, printing them off (to go in his physical safe), and removing the seed from each one. While Tom still does not sleep well at night, kept up by visions of North Korean agents sneaking in, cracking his safe, and stealing his Steam 2-factor secret, he sleeps at least a little easier.
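The post's second point, that the QR code carries more than the bare text secret, comes down to the `otpauth://totp` URI that a TOTP QR code encodes. The following is an added example (not code from the post or from Bitwarden) that builds such a URI from its fields, parses it back, and computes the code an authenticator would show, so the difference between migrating with a QR code and migrating with only the copied secret is visible. The issuer `MySecureBank` and account `alice@example.com` are taken from the user stories; the seed is the published RFC 4226/6238 test secret, not a real key.

```python
"""Added example (not part of the forum post or Bitwarden's code): what a TOTP
QR code carries beyond the bare secret, and why that matters for migrating
between authenticators.

A TOTP QR code is just an otpauth:// URI.  The base32 secret is only one of
its fields; issuer, account label, algorithm, digit count and period are the
rest, and an authenticator that receives only the secret falls back to defaults.
"""
import base64
import hashlib
import hmac
import struct
import urllib.parse

# RFC 4226 / RFC 6238 reference test seed "12345678901234567890", base32-encoded.
# A published test vector, not a real account's key.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def build_otpauth(secret_b32, account, issuer, digits=6, period=30, algorithm="SHA1"):
    """Assemble the otpauth://totp URI that an authenticator reads out of a QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}", safe=":@")
    params = urllib.parse.urlencode({
        "secret": secret_b32, "issuer": issuer, "algorithm": algorithm,
        "digits": digits, "period": period,
    })
    return f"otpauth://totp/{label}?{params}"


def parse_otpauth(uri):
    """Split an otpauth://totp URI into its fields, applying the usual defaults."""
    parts = urllib.parse.urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    label = urllib.parse.unquote(parts.path.lstrip("/"))
    query = dict(urllib.parse.parse_qsl(parts.query))
    # The label is "Issuer:account"; an explicit issuer parameter takes precedence.
    label_issuer, sep, account = label.partition(":")
    if not sep:
        label_issuer, account = "", label
    return {
        "secret": query["secret"],
        "issuer": query.get("issuer", label_issuer.strip()),
        "account": account.strip(),
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper().replace(" ", "")
    padded += "=" * (-len(padded) % 8)          # tolerate unpadded base32
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_from_uri(uri, unix_time):
    """The code an authenticator shows after scanning this QR code at unix_time."""
    f = parse_otpauth(uri)
    return hotp(f["secret"], unix_time // f["period"], f["digits"], f["algorithm"])


def totp_from_bare_secret(secret_b32, unix_time):
    """What you get when only the text secret was copied: every parameter is a default."""
    return hotp(secret_b32, unix_time // 30)


if __name__ == "__main__":
    uri = build_otpauth(RFC_TEST_SECRET, "alice@example.com", "MySecureBank")
    print(uri)
    print(parse_otpauth(uri))
    # With default parameters both paths agree; with digits=8 the bare secret is wrong.
    print(totp_from_uri(uri, 59), totp_from_bare_secret(RFC_TEST_SECRET, 59))
    uri8 = build_otpauth(RFC_TEST_SECRET, "alice@example.com", "MySecureBank", digits=8)
    print(totp_from_uri(uri8, 59), totp_from_bare_secret(RFC_TEST_SECRET, 59))
```

For a site that uses the defaults (SHA1, 6 digits, 30 seconds) the copied secret and the QR code produce the same code, so the only loss is the issuer and account label the post mentions. For a site that deviates from the defaults, the bare secret produces codes the site will reject, which is the failure mode a QR-based migration avoids.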