Two factor authentication with bitwarden

Does it make sense, from a security perspective, to use Bitwarden as my One-time password generator as well?

I am not sure it makes sense to store BOTH my passwords and 2FA codes in the same place. Although my account is protected by a super secure master password as well as 2FA (using a 3rd party app), if someone got access to Bitwarden they would technically need no further authentication to gain access to any of my other accounts.

I am asking this about attacks against random people rather than someone I know who might already have access to some passwords in the vault

What are people’s thoughts on this?

Another user asked a similar question as well. Here is the link

1 Like

As vachan states, this question has been answered before. Many times before in fact.

You need to decide on what risks you wish to run. 100% security is impossible with anything, particularly things involving computers.

1 Like

If your life was on the line the answer is obvious. You would then select two separate devices to establish a division of trust. That said; I elect to use TOTP (when U2F isn’t available) via Authy on my Android while signing in on my laptop. Two devices is ALWAYS more secure, but its less convenient for some.


You can also use Authy on your Dekstop Computer.
It connects to your Authy Account and you can copy / paste the 2FA Codes there.

Add / Remove account is working too.

Best regards

Personally it makes no logical sense to have both stored in the same account but it’s up to you… I use separate app to keep my 2FA codes.

Not so easy for those of us on Linux. To use Authy I have to install SNAP and handle Authy that way ------ > no thanks. If Debian/Arch ever put Authy directly on their repo’s I would use computer based Authy!

1 Like

Authy ran happily last year for me on a computer which was running Linux Mint. Looked much like other instances and worked the same way. It synchronised with Authy on other computers running Windows and phones. That computer is sick at the moment, but when I get round to it I will restore Authy on it.

1 Like

Again, via SNAP according to your link and the one to which I was referring. Its not a genuine regular install. I always have my Android next to me anyway. Holding out for a “real” install, LOL>

Actually, I don’t agree that “it makes no logical sense” to use Bitwarden to store TOTPs. Because, in my case, I store my Authy password in my password vault (given that my Authy password is ridiculously long and jumbly). So either way, my password vault is my primary point of failure. In addition, I when I used LastPass, I had Authy for Desktop installed on my computer in the event that I didn’t have my phone on hand.

Yes, I understand the concept that “two-factor authentication” means “something you know” (ie. your password) and “something you have” (ie. your phone). But being required to have my phone with me at all times or else be unable to log in to a site is, in my opinion, annoyingly inconvenient at times.

To my mind, however, 2FA exists to prevent my account being hacked from a remote location or in a data breach. Because honestly, as I said, if someone locally accessed (or hacked) my password vault, they’d have access to my Authy password anyway. Well… assuming they had the 2FA code for Bitwarden which I still store in Authy.

Those are good points. I would point out that you can disable “multi device” access on Authy. Once you have setup YOUR authorized devices to use Authy, turning OFF “multi device” means that NO other device can install and use Authy on your account. I love the trusted device strategy that Authy employs for overall security. Therefore IF someone gained access to your Authy password they still could not use your account. My .02

1 Like

Indeed, something Authy recommend people do.

As long as someone has access to one of their devices they can turn it on to add a new and then turn it off again. This is what I do on the rare occasions I add a new device.