Hello,
I have a feature request, and I believe that Bitwarden is the best company to do it!
TL;DR: Option to securely store TOTP seeds on Bitwarden’s servers, never make them accessible to me again, and only send me the TOTP codes. I’d pay double for this service.
Here’s what I’m looking for
I want to give you (Bitwarden) my TOTP seeds, have you store them securely on your servers with backups, and then only provide me with access to the TOTP codes thereafter; never allow me, or anyone, to access the TOTP seeds. Similar to a YubiKey, I’d never have access to the TOTP seeds again; you’d essentially be a cloud-based YubiKey, but a lot more convenient and resilient.
Here’s why
If either system is compromised, yours (Bitwarden.com) or one of mine, then my online accounts are all still safe because the attacker would need to compromise more than one system (e.g., both my system and yours) in order for the attacker to succeed. If there is infiltration, I can easily reset the necessary passwords or TOTP seeds, and the attacker never gains access to my online accounts.
I should still have access to the codes at your service even if your systems are compromised. Then, for each of my online accounts, I can use the old code to access the online account, reset the seed on my online account, delete the TOTP from Bitwarden, and add the new seed to Bitwarden.
Implementation
In edit mode, there could simply be a button next to the TOTP to “Remove my access to TOTP seed forever” or similar.
Use case
The way this security measure would be most effective is if you have two different Bitwarden accounts: AccountPW for your passwords and secrets. AccountTOTP solely for your write-only TOTP storage. AccountPW is on your primary computer for logging into websites and such. AccountTOTP is on another device, such as your phone or laptop.
Two paid accounts is more revenue for Bitwarden.
I would happily pay an additional monthly fee for this service to increase my security and convenience of having access to my TOTP codes (not seeds) on any of my internet-connected devices without needing to worry about being fully compromised if one system is compromised. Anything else that is cloud-based is basically 1FA. My idea creates true 2FA. The additional service fee paid to Bitwarden would be for the storage, your security efforts, and access to the codes.
Please consider!