Using the TOTP within Bitwarden risky?


I appreciate the convenience of having a two-factor authenticator integrated into Bitwarden. However, I have concerns about the potential risks associated with keeping it in the same place as passwords.

My concern is that if someone was able to steal or crack my master password, they would also have access to my 2FA, rendering it useless.

Do you think I’m overthinking this, or is this a valid concern?

I think it is a valid concern. Some people do choose not to keep TOTP secrets in their password managers. I personally choose this strategy.

OTH, keeping it apart from BW will complicate your backup/disaster recovery strategies. So, separation is probably not for “typical” users where using a password manager is already complicating their lives albeit making it safer. In this case,

  1. Use a non-phishable 2FA, like a Yubikey, hopefully exclusively (with written down 2FA recovery code) with BW. WebAuthn 2FA is now free in BW. Use such 2FA everywhere possible.
  2. Use a strong randomly-generated master password/passphrase
  3. Have backup / disaster recovery strategies
  4. Have good computer/internet hygiene to reduce getting phished / installing malware, etc.

@Nacho6380 Welcome to the forum!

To provide a counterpoint to your and @Neuron5569’s concerns (which are shared by many):

  • Non-local attacks (i.e., attacks against the cloud-hosted vault) can be completely thwarted by using a unique, uncrackable master password (i.e., a randomly generated four-word passphrase).

  • The risks of a master password leak (e.g., by “shoulder surfing” or social engineering) can be mitigated by securing your Bitwarden account with 2FA; using FIDO2/WebAuthn for your Bitwarden 2FA also protects against phishing.

Thus, the main risk to your vault is an attack against the local device on which you are using Bitwarden, for example, by malware. In this context, we can conclude that unless your authentication app is sufficiently separated from your Bitwarden app (i.e., they are installed on completely different devices), then it is likely that the attacker who gained access to your Bitwarden vault would also have been able to access your TOTP authentication app.

My own approach is to use FIDO2/WebAuthn with a hardware security key for my Bitwarden 2FA, and for any other service that supports this protocol; everything else has TOTP as the 2FA, using Bitwarden Authenticator.
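Both replies come down to the same point: a TOTP code is derived entirely from the stored seed, so a vault record holding the password and the seed is one secret, not two. The following Python is an added illustration for this thread, not code from Bitwarden or from either poster; it implements RFC 4226/6238 with the standard library, checks itself against the RFC 6238 test seed, and then shows that a single (constructed) vault item yields both login factors. The vault item fields, the placeholder password and the `factors_from_vault_item` helper are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    # RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation.
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: the HOTP counter is the number of 30-second steps since the epoch.
    return hotp(secret, unix_time // step, digits)


def totp_from_base32(b32_seed: str, unix_time: int) -> str:
    # Authenticator apps (Bitwarden Authenticator included) store the seed as base32 text,
    # often without padding and sometimes with spaces; normalise before decoding.
    seed = b32_seed.strip().replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)
    return totp(base64.b32decode(seed), unix_time)


# Constructed vault item, modelled on the fields a password manager keeps together.
# The seed is the RFC 6238 test seed ("12345678901234567890"), so the output is checkable.
VAULT_ITEM = {
    "login": "user@example.com",
    "password": "correct horse battery staple",  # placeholder, not a real credential
    "totp_seed": base64.b32encode(b"12345678901234567890").decode(),
}


def factors_from_vault_item(item: dict, unix_time: int) -> tuple[str, str]:
    # Everything a "two-factor" login needs is computable from one record:
    # whoever reads this item holds both factors, which is the concern raised above.
    return item["password"], totp_from_base32(item["totp_seed"], unix_time)


if __name__ == "__main__":
    # RFC 6238 test vector: seed "12345678901234567890", T=59, SHA-1 -> 94287082 (8 digits)
    print(totp(b"12345678901234567890", 59, digits=8))
    print(factors_from_vault_item(VAULT_ITEM, int(time.time())))
```

The defensive reading is the one the second reply reaches: the seed does not need to be cracked, only read, so the protection of a TOTP seed stored in the vault is exactly the protection of the vault on the device where it is unlocked. Moving the seed to a separate device, or replacing TOTP with FIDO2/WebAuthn where a service supports it, is what actually restores a second, independent factor.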