Why can't Bitwarden itself be TOTP for two-step login?

Maybe I am missing something here but…

Why don’t the Bitwarden clients (especially the mobile ones) have the ability for the user to enter/generate a TOTP key, which is then stored on the client and used to generate the OTP code for two-step login?

It seems very strange to me that I have to use a third-party app to do this, while Bitwarden itself already supports TOTP, obviously, because it can handle it for internal vault items.

Because you set up a race condition. You are trying to log into Bitwarden, which with 2FA will require the TOTP token, but the TOTP token is in Bitwarden, so you have to log in to get to the TOTP token. Now your account is locked out, so Bitwarden does not allow you to do this.

LastPass has a separate app specifically for this reason, with an added feature where instead of typing the code you could approve it from your mobile device with one click, even from the notification area.

Premium users can set up push notifications via Duo. However, a security key is somewhat better, and it doesn’t rely on a phone contraption having a charged battery and a connection to the Internet.


The TOTP key doesn’t have to be stored in the vault, just something you can enter into the client (with the option to save it locally on the device). It would not be stored inside the vault.

Afterwards… I can just take the key (which I store on my device) and calculate the HOTP to generate the 6 digits.

But I can’t do that with Bitwarden; I have to use another app/script, which seems pointless… given that Bitwarden has HOTP code in it already.

Bitwarden stores everything in a vault in the cloud. The premium option allows you to store TOTP in the vault in the cloud. There is no option to store something locally. In fact, it even destroys any locally cached vault when you log out. However, it does not allow you to store the TOTP for Bitwarden itself in the cloud because you cannot store the 2nd factor in the device you are trying to authenticate to using 2FA.

All of the password managers that are cloud based work this way: you have to set up another authenticator app. If you look at LastPass, for example, it has a separate app named LastPass Authenticator to handle 2FA. I would like to know what password manager you have been using that allows you to store 2FA locally on a mobile device without another app.