Discussion on: Bitwarden: use the most convenient 2FA while staying reasonably safe

grahambrown11 profile image
Graham Brown

I recently purchased Bitwarden Premium for this feature and to support them for an awesome product. I added the TOTP for a service who's session timeout is relatively short so having the TOTP on my PC is fantastic, I no longer need to reach out for my phone multiple times a day. I managed to convince myself that there are still multiple factors at play: my Laptop is still a physical device in my possession, which has a password that is different from the Bitwarden password and both automatically lock on idle. Having the codes on my Laptop is no different from my phone anyway: as both the password database (Bitwarden) and the OTPs are on there...
Security ends up being compromised when it becomes difficult or inconvenient for the user as we know - there are many post-it notes with passwords stuck to monitors... As long as Bitwarden remains convenient and more secure than a post-it 😉 I'll continue to use it as it helps me get my work done faster 😃

borama profile image
Matouš Borák Author

Hi Graham, I see what you mean and agree, especially with the claim that there is always a price for inconvenience (too much hardening, e.g.)!

Maybe just, I still think there is a slight difference in the classic 2FA on your mobile as both Bitwarden and the TOTP auth app should require some (and ideally separate / distinct) authentication factors (e.g. password and fingerprint) whereas if you have it all in Bitwarden, then password (or hypothetical hacking into the BW mobile app) is enough to get access to everything.
But, all in all, I think the risk of having all eggs in one basket is very small for me and my digital assets.