Presumably the value of 2FA is if a bad guy hacks/compels you to give your Bitwarden master password. But if someone has stolen/found your mobile and has also obtained your master password, any 2FA codes would simply be sent to the same mobile the bad guy is holding in his hand - no? So in that case, what good is 2FA on a mobile?
Am I missing something here?
I wouldn’t recommend using SMS for 2FA unless that’s the only option available. It’s better than not having 2FA but it’s the least good option.
You are definitely missing something, maybe understanding the more powerful 2FA available on BitWarden. I use U2F on my mobile phones. I could hand you my phone and then tell you my master password, BUT if you didn’t also possess my U2F stick to tap on the Android’s NFC you would NOT be able to access my file. SMS is not allowed on my BW access.
Thanks. I’m using the BW suggested “Authy” 2FA, but presumably that’s no better than SMS or email 2FA, since the Authy app also resides on the phone. As a minor improvement, I guess I could make the Authy icon hidden.
Authy is perfectly fine for 2FA - it will protect web and desktop access to your vault. If you have a recent smartphone then you probably have an additional authentication method of fingerprint to unlock your phone. (Authy can also be set to require a fingerprint or PIN.)
I use Authy for several accounts, which don’t offer U2F. Danmullen is correct in that you can utilize a PIN and after several errors (hacking attempts to open) Authy will force major time before any further attempts to access Authy is granted. I do however only use Authy on a separate device from the one I am logging in with. e.g. My laptop while I get the Authy needed codes on my Android. You can use an “unconnected” phone for Authy. It doesn’t have to be one that even receives calls anymore. As long as the phone has the correct time you can use Authy fully safely by using two devices to log in. The regular way is pretty safe but the two device way is better security wise. U2F is better than all.