Unlock the integrated TOTP authenticator separately from the password manager (improve 2FA security)

I understand the point of Bitwarden is to only have 1 password for everything but the point of a TOTP in theory is to require a second piece of information.

I think Bitwarden should have the option to allow users to protect TOTP codes with a second, separate, master password so it can effectively function as an independent TOTP manager

1 Like

Not really. The idea is to have to remember 1 password only so that “everything” can have a unique password you do not have to remember.

1 Like

Furthermore: The TOTP is the second factor, which is protected by the password you use for your Bitwarden account. And in case this makes you feel better: Bitwarden is about to introduce the “Master password reprompt”. For details on this see here:

3 Likes

Separate Password for 2FA

  • I really like the idea of keeping my passwords and my 2FA-Codes in one place (Bitwarden)
  • Sadly that kinda compromises the purpose of 2FA
  • Therefore I’d like to be able to set a separate Password, which I have to fill out before I can access a 2FA-Verification-Code

Feature function

  • Allow users to set up a separate and unique password for 2FA-Verification-Codes/TOTP
  • Bitwarden will ask the user for this password whenever the user tries to copy a 2FA-Code
  • This way Bitwarden can be used to store both the login data as well as the TOTP data without compromising security too much

What do you guys think?

If this is that important, to me it looks like it’s better to use a separate solution for your 2FA codes?

3 Likes

Yep I do agree in a way - at least regarding the added security of 2FA.
I do just personally really like the idea of having everything in one place, which is my reason to suggest this kind of “midway solution” 🙂

I do get your point though!

1 Like

The “Master password reprompt” is different from a second, different master password that the OP was asking for.

If it’s just reprompting the same master password again, then the TOTP is no longer the second factor.

I would like to have this feature too, so that I don’t need to create two Bitwarden accounts (one for 1st factor passwords, one for 2nd factor TOTP tokens). I know I need to remember two master passwords anyway, but at least I don’t need to register another email address just to create the 2nd Bitwarden account and pay twice.

Sadly this is archived and I cannot vote for it.

Can this be un-archived in order to allow voting?

I wouldn’t place my 2fa into bitwarden without this feature. Use of 2fa inside of bitwarden should be protected by a separate password – and bitwarden should encourage its use from a different device. In other words, when on your PC and trying to log into a website, you should use your bitwarden browser extension to fill in the password, then use the bitwarden on your phone to get the TOTP code! That way, if there is a keylogger on your PC, the worst they can do is get into your bitwarden password vault, but not the 2fa. (yes this requires some discipline on the user’s part, but bitwarden could strongly suggest this method within its interface somehow. At least provide a warning of some kind, because users, including myself never think of these things!)

Sidenote: I changed the title of this Feature Request from “Separate Password for 2FA (Verification Codes/TOTP/Authenticator Keys)” to “Separate password for access to the integrated authenticator (2FA TOTP codes / Authenticator Keys)”.

I have merged two related threads (“Separate password for access to the integrated authenticator” and “TOTP - protect with second master password”).

Furthermore, the topic title has now been changed to “Unlock the integrated TOTP authenticator separately from the password manager” in recognition of the fact that some users may prefer other unlock methods than entering a second password, and the fact that users may have different preferences for how often the authenticator unlocking must be performed (hence, it is likely that this feature will need to include configurable timeout settings for the authenticator locking).

At the moment the master password alone decrypts every item in an unlocked vault. 2-step login (YubiKey, WebAuthn passkey, etc.) is enforced only when signing in to the server, not when accessing TOTP secrets or stored passkeys locally. If an attacker obtains the vault file and the master password—or if malware runs while the vault is open—every 2FA secret becomes single-factor.

Proposed solution

Add an optional “Secure 2FA items with an actual second factor” toggle:

  1. Bitwarden encrypts each TOTP seed or passkey blob with a key that is released only by a previously-registered second factor (e.g. the one used to log into the vault).
  2. When a code is generated or a passkey is used, the client must touch/insert that factor (or supply a one-time backup code) to unwrap the sub-key.

This keeps the current cloud-sync and autofill workflow; only the sensitive 2FA sub-vault needs the additional touch.

Why not just store TOTP/passkeys on a separate device?

  • No juggling authenticator apps or re-enrolling YubiKeys on every site change. One vault continues to autofill passwords while still enforcing true 2FA for codes.
  • Normal vault backups still work; to restore 2FA items you only need a backup hardware key or unlock code, not a full re-setup of all TOTPs.
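To make the "separate key for the 2FA sub-vault" idea from the proposal above (and the earlier "separate password for TOTP" posts) concrete, here is an added illustration that is not Bitwarden's code: a login password is wrapped under a key derived from the master password, while the TOTP seed is wrapped only under a key derived from a second, independent secret, so an unlocked vault cannot produce codes. The HMAC-counter "cipher", the fixed salt and the passwords are constructed for the demo; a real implementation would use an AEAD such as AES-GCM and a per-user random salt. The TOTP function itself follows RFC 6238 and is checked against that RFC's SHA-1 test vector.

```python
import base64, hashlib, hmac, os, struct

# Constructed demo secrets (not real credentials): one password unlocks logins,
# a second, independent password unlocks only the authenticator sub-vault.
MASTER_PASSWORD = "vault-master-password"
AUTHENTICATOR_PASSWORD = "separate-totp-password"
SALT = b"constructed-fixed-salt"                 # per-user random salt in a real vault
TOTP_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test seed "12345678901234567890"

def derive_key(password: str, purpose: bytes) -> bytes:
    # A purpose label keeps the vault key and the authenticator key distinct
    # even if a user happened to choose the same password for both.
    return hashlib.pbkdf2_hmac("sha256", password.encode() + purpose, SALT, 100_000, 32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def wrap(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC (HMAC-SHA256 counter keystream + HMAC tag) standing in
    # for a real AEAD; the two-key structure, not the cipher, is the point here.
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered item")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation.
    mac = hmac.new(base64.b32decode(seed_b32, casefold=True),
                   struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def store_item(login_password: str, seed_b32: str) -> dict:
    # The login is wrapped under the vault key; the seed only under the authenticator key.
    return {"password": wrap(derive_key(MASTER_PASSWORD, b"vault"), login_password.encode()),
            "totp_seed": wrap(derive_key(AUTHENTICATOR_PASSWORD, b"authenticator"), seed_b32.encode())}

def get_code(item: dict, authenticator_password: str, unix_time: int) -> str:
    # Copying a code needs the second secret; the master password alone cannot unwrap the seed.
    seed = unwrap(derive_key(authenticator_password, b"authenticator"), item["totp_seed"])
    return totp(seed.decode(), unix_time)
```

With a hardware key or passkey as the second factor, only `derive_key` for the authenticator purpose would change; the wrapping and code generation stay the same.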

@alexkoro Welcome to the forum!

Your request was substantially similar to this existing feature request topic, so I have merged it. I suggest reading the comment directly above yours for a clear picture of the scope of this feature request topic.

You have additionally mentioned protecting passkeys using the same approach. It might make sense for the scope of this feature request topic to be broadened to also include passkeys stored in the vault (and if passkeys become a recurring theme in the discussion here, then the topic title may be revised to mention passkeys). On the other hand, passkey standards require them to support user verification, which would provide the “second factor” that you are requesting. Bitwarden had briefly implemented passkey user verification in version 2024.6.0 last year, and will presumably re-implement this again in some form in the future — there is a relevant feature request here:

Thus, in the end, it may turn out that the function for protecting stored passkeys will be separate from any new feature to separately encrypt TOTP keys in the integrated authenticator.

1 Like