Does it make sense, from a security perspective, to use Bitwarden as my One-time password generator as well?
I am not sure it makes sense to store BOTH my passwords and 2FA codes in the same place. Although my account is protected by a super secure master password as well as 2FA (using a 3rd party app), if someone got access to Bitwarden they would technically need no further authentication to gain access to any of my other accounts.
I am asking this about attacks against random people rather than someone I know who might already have access to some passwords in the vault.
If your life was on the line the answer is obvious. You would then select two separate devices to establish a division of trust. That said, I elect to use TOTP (when U2F isn’t available) via Authy on my Android while signing in on my laptop. Two devices is ALWAYS more secure, but it's less convenient for some.
Not so easy for those of us on Linux. To use Authy I have to install SNAP and handle Authy that way ------> no thanks. If Debian/Arch ever put Authy directly on their repos I would use computer based Authy!
Authy ran happily last year for me on a computer which was running Linux Mint. Looked much like other instances and worked the same way. It synchronised with Authy on other computers running Windows and phones. That computer is sick at the moment, but when I get round to it I will restore Authy on it.
Again, via SNAP according to your link and the one to which I was referring. It's not a genuine regular install. I always have my Android next to me anyway. Holding out for a “real” install, LOL.
Actually, I don’t agree that “it makes no logical sense” to use Bitwarden to store TOTPs. Because, in my case, I store my Authy password in my password vault (given that my Authy password is ridiculously long and jumbly). So either way, my password vault is my primary point of failure. In addition, when I used LastPass, I had Authy for Desktop installed on my computer in the event that I didn’t have my phone on hand.
Yes, I understand the concept that “two-factor authentication” means “something you know” (i.e. your password) and “something you have” (i.e. your phone). But being required to have my phone with me at all times or else be unable to log in to a site is, in my opinion, annoyingly inconvenient at times.
To my mind, however, 2FA exists to prevent my account being hacked from a remote location or in a data breach. Because honestly, as I said, if someone locally accessed (or hacked) my password vault, they’d have access to my Authy password anyway. Well… assuming they had the 2FA code for Bitwarden which I still store in Authy.
Those are good points. I would point out that you can disable “multi device” access on Authy. Once you have set up YOUR authorized devices to use Authy, turning OFF “multi device” means that NO other device can install and use Authy on your account. I love the trusted device strategy that Authy employs for overall security. Therefore IF someone gained access to your Authy password they still could not use your account. My .02
As long as someone has access to one of their devices they can turn it on to add a new one and then turn it off again. This is what I do on the rare occasions I add a new device.