Bitwarden: use the most convenient 2FA while staying reasonably safe

Matouš Borák ・ 6 min read

A few weeks ago, I dropped LastPass in favor of Bitwarden as my new main password manager. Overall, I like that Bitwarden is open source, I find its UI cleaner and faster on all platforms that I use and also the Premium plan is cheaper. Nice!

But soon I discovered one feature that really struck me: Bitwarden can store and generate one-time passwords for two-factor authentication! Whoa! This immediately raises many questions and potentially some worries, too: should I use it? Is it safe enough? Read on!

(Screenshot: Bitwarden TOTP interface)

Ordinary two-factor authentication

I won’t repeat here that two-factor authentication (2FA) is a good thing and why; I presume you already know that if you’re reading this article, and that you use it at least for your most critical accounts.

The typical scenario when signing in using a mobile app 2FA and a password manager is as follows:

  • you open the sign-in page on the web
  • you let the password manager fill out the sign-in form (some do it automatically upon page load) and submit the form
  • you reach for your mobile phone, and:
    • unlock the phone (e.g. via a fingerprint)
    • open the 2FA app
    • sign in / unlock it somehow (e.g. via a fingerprint again)
    • find the corresponding code among all the others
    • and type the 6-digit number it shows you into the web sign-in form.

This process soon begins to feel quite cumbersome as you add more 2FA accounts and have to log in more often.

Bitwarden-style 2FA

With the Bitwarden 2FA feature, things get much more convenient:

  • you open the sign-in page on the web
  • you press Ctrl+Shift+L to let Bitwarden fill out the sign-in form, and submit the form
  • a fresh 2FA code (TOTP) is silently generated and copied to your clipboard
  • you locate the 2FA code form field and press Ctrl+V to paste the code from the clipboard.

And that’s it, no need to deal with your phone and its 2FA app! How cool is that? And, more importantly, how safe is that?

I should note now that the 2FA code generation feature is available only in the Bitwarden Premium or Organization plans. The free plan only allows you to store the 2FA secret but not to generate the one-time codes. You’ll have to pay a few bucks to use this feature.

Sounds great but is this safe?

First things first: compared to the classic 2FA approach, storing your 2FA secrets and generating one-time codes in Bitwarden is most probably less secure. The whole point of 2FA is that you must use two separate means ("factors") to access your login information and sign in to a service, and this core requirement is not respected in Bitwarden 2FA, because all you need to access the complete login information is your Bitwarden master password. Technically speaking, this is not 2FA any more but rather "single-factor two-step authentication": you get your login info in two steps, but from a single source.

OK, it’s less safe, but is it safe enough for me?

That’s a tough question. If you are a publicly known person (who is more likely to face targeted attacks) or are dealing with some highly sensitive information, I would never recommend using this feature. Find a security expert instead and listen to what they have to say to you.

But otherwise, I believe that yes, the Bitwarden 2FA feature can be set up in a reasonably secure way for most people and most accounts. You can even leave the real 2FA setup on your phone for your most critical accounts and have Bitwarden take care of the others. Always try to think about the threats you are trying to prevent!

Following are my own assessments of potential risks when using Bitwarden 2FA and some ways to reduce them:

Bitwarden servers get hacked and your passwords stolen and revealed

Risk: very low.

In the unlikely event that your data were stolen from the Bitwarden servers, I wouldn’t freak out. The data is heavily encrypted locally on all platforms, with a key derived from your master password, and encrypted again on the Bitwarden servers. Unless you have a trivial password, it should be f***ng hard to read the data using a brute-force attack.

Someone guesses your Bitwarden password

Risk: low (if you care).

Your master password is the most critical piece of the whole Bitwarden ecosystem. For sure it is a long, complex passphrase following best practices, which resides in your head only, right?

But this is still not enough. If you ever happen to sign in to your Bitwarden on a computer that you have limited control of (think a café), can you be sure there are no keyloggers installed? Or that no one is looking over your shoulder (think even surveillance cameras)? You can’t, and that’s why it’s absolutely essential to secure Bitwarden itself using real 2FA.

Connect Bitwarden to anything you find appropriate: an authenticator app on your mobile phone, a Duo account, a hardware key; there are quite a few options. I myself use the Aegis Authenticator. Of course, it is important to secure the app itself, too, e.g. by setting up frequent locking and unlocking the app via a fingerprint.

(Screenshot: Aegis Authenticator)

Also, be sure to deal with the risk of losing access to your 2FA authenticator (lost phone, broken 2FA app, …)! A common countermeasure is to print out the recovery code on a piece of paper and store it somewhere safe.

Someone sneaks into your live Bitwarden session

Risk: reasonably low (if you care).

This is easier to leave unsecured than it seems, and it gets worse the more ways you use Bitwarden in. E.g. I use the Bitwarden browser extension and the mobile app. How long do these sessions stay live and unlocked? How easily can someone unexpected get at them? Think about how easy it is to leave your computer unlocked (with live Bitwarden open in your browser) during a lunch break, or to forget your phone (with a live Bitwarden app session) somewhere. All Bitwarden apps can be configured for auto-locking / auto-logout, but it is you who must configure them that way!

For example, I use the following setup:

  • an automatic vault timeout which locks the Bitwarden browser extension after 15 minutes of inactivity; a PIN must be used to unlock it
  • a similar timeout in the Bitwarden mobile app with biometric unlocking (my fingerprint); and, of course, the mobile phone itself gets locked, too (can be unlocked via biometry or a gesture).

(Screenshot: Unlocking the Bitwarden browser extension)

That way you leave the live session unlocked for only a short time so you’d have to be attacked quickly and by someone who knows what to look for.

Someone steals your computer or phone

Risk: reasonably low (if you care).

Unless you are unlucky, you are pretty safe, if you followed the recommendations above, that is. The Bitwarden vault should be locked after a few minutes on the device, and the probability of someone successfully breaking into the locally encrypted data is very low if you have a good master password.

There is one notable caveat though: currently there is no way that I know of to prevent a specific device from accessing your Bitwarden vault. There is no list of allowed devices (LastPass, by contrast, had one) and no way to de-authorize them. You must resort to other means, e.g. the "Google Find My Device" service in the case of an Android mobile phone (if you have that service enabled) to track, lock or wipe the device. Similar solutions exist for laptops etc.

Summary

If you followed all the way down here, congrats, I believe you have a reasonably secure and very quickly usable "2FA" set up!

And let’s sum up the basics again:

  • if you are an important person, don’t use this!
  • if your accounts hold highly sensitive data or face serious threats (your money in a bank or something like that), don’t use this!
  • use a very secure master password that only you know
  • use a real 2FA for Bitwarden itself
  • use short timeouts for all Bitwarden apps
  • guard your belongings, physical as well as digital ones (e.g. your email account).

I’m eager for your comments if you have any. Stay safe! 🤞

Posted by Matouš Borák (@borama), CTO at NejRemeslnici, Ruby on Rails developer. Dad of two. Fond of kickbikes.

Discussion


Thanks for the article Matous!

I'm also a big fan of BitWarden but I think I also violated the 2fa rule since I store my 2fa recovery keys in BitWarden 😅

Even if I use Aegis for OTP I guess in the end I'm relying on BitWarden to protect my logins

 

Yep, keeping recovery codes in Bitwarden seems to have the same risks. I do that too ☺️.

 

I recently purchased Bitwarden Premium for this feature and to support them for an awesome product. I added the TOTP for a service whose session timeout is relatively short, so having the TOTP on my PC is fantastic; I no longer need to reach out for my phone multiple times a day. I managed to convince myself that there are still multiple factors at play: my laptop is still a physical device in my possession, which has a password that is different from the Bitwarden password, and both automatically lock on idle. Having the codes on my laptop is no different from my phone anyway, as both the password database (Bitwarden) and the OTPs are on there...
Security ends up being compromised when it becomes difficult or inconvenient for the user as we know - there are many post-it notes with passwords stuck to monitors... As long as Bitwarden remains convenient and more secure than a post-it 😉 I'll continue to use it as it helps me get my work done faster 😃

 

Hi Graham, I see what you mean and agree, especially with the claim that there is always a price for inconvenience (too much hardening, e.g.)!

Maybe just, I still think there is a slight difference in the classic 2FA on your mobile as both Bitwarden and the TOTP auth app should require some (and ideally separate / distinct) authentication factors (e.g. password and fingerprint) whereas if you have it all in Bitwarden, then password (or hypothetical hacking into the BW mobile app) is enough to get access to everything.
But, all in all, I think the risk of having all eggs in one basket is very small for me and my digital assets.