This is not about my Bitwarden account but all my individual accounts that have 2FA enabled and have backup/recovery codes. Is it a bad idea to store those backup codes inside Bitwarden along with the account they go to? I don’t like giving too many details, but you could say that if someone got access to my vault, I am already screwed. But if one peppers their passwords, then even if someone did gain access to the vault, they don’t have the full details. I think I need clarification on something: if someone gets hold of the backup codes for an account, would that allow them to bypass both the password and the 2FA requirement?
So how would one go about storing backup codes completely offline? I guess the only true way is handwriting all those codes? That would take forever. I have thought about typing them in Notepad or something, not saving the file, then printing them, but that leaves some type of trail, right? I know handwriting them would be a one-time thing, or at least hopefully.
As I am typing this, part of me is thinking that if I am trusting Bitwarden with my account details, then why can’t they be trusted with backup codes as well?
If you are using the Bitwarden TOTP generator function (paid accounts), storing the recovery codes inside BW is reasonable. The recovery codes are usually used to bypass your 2FA, not to bypass your passwords.
If you are not using the TOTP generator in Bitwarden because of the 2FA-separation-from-password concern, you shouldn’t be storing 2FA recovery codes or passkeys in Bitwarden. For recovery codes, an offline password manager, with its password kept outside of BW, would work well. For passkeys, maybe use device-bound passkeys instead.
If you are concerned enough about your vault getting breached (you’ve got to ask yourself how) to use peppering, separating your TOTP 2FA and the recovery codes from your vault seems like an excellent idea. You don’t have to use peppering for such accounts. All your important accounts hopefully have 2FA, one method or another; otherwise, moving to an alternative service may be wise. Maybe the other accounts that don’t have 2FA aren’t important enough to worry about, or maybe peppering is an option.
You should export your BW vault for backups regularly. But if you put 2FA/2FA recovery codes in there as well, you MUST export it regularly and make sure the contents are accessible; otherwise, if you lose your BW vault access, the accounts with 2FA may be irrecoverable. Your passwords can often be recovered by having access to your email.
Not sure if we are talking about the same thing, but when I say backup codes, I am talking about the batch of 10 or so codes that you get when enabling 2FA. When you say TOTP generator, are you talking about an authenticator app on your phone that gives you a code every 30 seconds? I do not have anything related to my BW account details stored inside of BW.
While I may be concerned about the vault being breached, well, maybe concerned isn’t the right word, paranoid might be better, nothing online is certain. Sometimes I get thinking too much and go down rabbit holes about certain topics. I feel what I am doing now is much better than what I was doing before I started using a password manager. I don’t know if this is possible, but maybe an employee at BW goes rogue and does something to leak vaults, or changes code that exposes information. Not sure how all that works. For those that pepper, they wouldn’t have the true password. I don’t expect my vault to be breached but do realize no one is immune to anything. I do feel I have done the right things to secure my vault: strong master password, security key as 2FA, an email that is only used for BW and nothing else. I keep a password-protected backup of the vault in multiple places. I keep more than one emergency sheet in a safe place, completely offline. I have 2FA enabled on any accounts that allow it. I find it crazy that forums or message boards tend to have stronger 2FA methods than a bank.
We are talking about the same thing. They are usually referred to as backup or recovery codes. They are mostly used to bypass 2FA, possibly except for complicated/opaque account recovery like Gmail/Microsoft accounts.
TOTP generator
Yes, the “Authenticator” apps generate TOTP codes. BW password manager has a field to store TOTP keys/secrets that can be used to generate TOTP codes.
paranoid about vault being breached… nothing online is certain.
Sure. This is “subjective.” I don’t store 2FA info in my BW vault either. I don’t expect my vault to be breached, but I prepare knowing that it can be breached by my mistakes, Bitwarden’s mistakes, or just “bad luck.”
forums or message boards tend to have stronger 2FA methods than a bank.
The (mostly) 30-second-valid TOTP codes are generated from an underlying code… @Neuron5569 called that underlying code the TOTP key/secret above… I guess there are some other names for it, like
secret key
seed code
Bitwarden calls it authenticator key (see the screenshot below)
That seed code is also contained in a TOTP QR code, if you scan one… as written above, it literally is the seed for the TOTP codes that are then generated… and each generated code depends on (is “calculated” from) the current time… → TOTP = time-based one-time password(s) …
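To make the relationship between seed, time and code concrete, here is an added example (not code from the thread or from Bitwarden) that parses the seed out of the kind of otpauth:// URI a TOTP QR code carries and computes the codes from it per RFC 4226/6238. The URI, account name and issuer below are constructed; the secret is the RFC 6238 test-vector key, so the expected codes are the published ones. The point for this thread: whoever holds the seed can produce every future code, which is why the seed is as sensitive as the password it is meant to back up, whereas the batch of recovery codes is a separate, fixed list that the seed does not derive.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed otpauth:// URI, the payload a TOTP QR code encodes.
# The secret is the base32 form of the RFC 6238 test key "12345678901234567890".
EXAMPLE_URI = (
    "otpauth://totp/ExampleSite:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Extract seed and parameters from an otpauth://totp/ URI (the QR code content)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": params["secret"][0],               # this is the seed / authenticator key
        "algorithm": params.get("algorithm", ["SHA1"])[0].lower(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def hotp(secret_b32, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    # Pad to a multiple of 8 so unpadded secrets (common in QR codes) decode.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with the counter set to the current time step."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret_b32, int(unix_time) // period, digits, algorithm)


def verify_totp(code, secret_b32, unix_time, window=1, period=30, digits=6, algorithm="sha1"):
    """Server-side check: accept the current step and +/- `window` neighbouring steps
    to tolerate clock skew. Constant-time compare avoids leaking which digit mismatched."""
    step = int(unix_time) // period
    for delta in range(-window, window + 1):
        candidate = hotp(secret_b32, step + delta, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def demo():
    """Show that the seed alone yields the code at any chosen time."""
    entry = parse_otpauth(EXAMPLE_URI)
    code_t59 = totp(entry["secret"], 59, entry["period"], entry["digits"], entry["algorithm"])
    code_t89 = totp(entry["secret"], 89, entry["period"], entry["digits"], entry["algorithm"])
    return entry["label"], code_t59, code_t89


if __name__ == "__main__":
    label, c1, c2 = demo()
    print(f"{label}: code at t=59 -> {c1}, code at t=89 -> {c2}")
```

Running it prints two different six-digit codes for the same seed at two time steps; the `<=` 30 second window the thread mentions is simply `period`, and `verify_totp` shows the skew tolerance a site typically applies, which is why a code sometimes still works a few seconds after it "expired".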
So I have several sites already setup to use TOTP with BW authenticator app. How do I find that seed code or secret key? Is that something that would need to be done when first setting up the TOTP? Not sure if I will add that to my vault or not but more curious than anything.
Though there is no separate “import-TOTP-seed-codes”-function for the Bitwarden password manager, there is an export function for the Bitwarden authenticator app, if you wanted to export all codes: Bitwarden Authenticator – Import and Export | Bitwarden
Guess I didn’t do enough reading, lol. I didn’t realize I could do a long press on the entry to get to all those settings. I think I will keep the seeds separate from BW. I have already done a backup/export of all my entries in the BW authenticator app and will do so periodically. When you do an export of the auth app entries, can you not do an encrypted export? I only had two options, .json or .csv.