Should You Store TOTP Authentication in Bitwarden? 

My Bitwarden Review ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-3Y8O0wyYsiQ.html Bitwarden TOTP Documentation bitwarden.com/help/article/authenticator-keys/ Aegis Authenticator getaegis.app/

I follow by the old saying “don’t put all your eggs in one basket”. In the unlikely event someone would get into your password manager they will get your username, password and TOTP. In my opinion storing your TOTP separately is better. Balancing strong security with convenience is always difficult.

I like the convenience of using TOTP with Bitwarden and when I do, I append a favorite phrase to the back of the randomly generated password so it's a double-blind situation for the password. I feel safer with this little "trick". My Bitwarde/Vaultwarden is self-hosted so I already feel pretty safe, but I think the client side is more vulnerable to a hack.

Yeah, no, also agree with other commenters. Don't store any of your TOTP seeds on the same machine you store your passwords. That's just asking for trouble. Use a separate secure element like a Yubikey.

I don't store my U2F/2FA with my passwords. I also have my password manager setup with U2F on login so for me it make sense to use the hardware keys for all my things. Even with TOTP, I can save those to my hardware keys; I save the seed to both a primary key and backup key

you're right and not crazy to separate totp from your password manager. to contextualise it, it all depends on your threat model. if a cloud based password manager was important then likely bitwarden locally hosted instances would be the way to go. ideally, local encrypted copies are best with a separate topt source. but again. it depends on your threat model since throwaway or collateral accounts can have no valuable impact if those are cloud-based with the 2fa in the same app.

I don't store my 2FA with my passwords, but I agree that it is better than not using it at all. It is also super convenient.

Thanks for the demo and info. I use a combo of bitwarden and authy. Have a great day

Here's another question - where do you store your recovery codes? I bet there are a lot of people who choose not to store their TOTP seeds in Bitwarden but still store their recovery codes there which defeats the purpose.

Storing TOTP at the same place as a user-pass pair makes kind of more like 1 factor. Keeping TOTP in Yubikey for important accesses is a good practice, nice that you have mentioned that.

I've got two yubikeys. One of them always in my Desktop PC and the other one always on my keychain. I usually setup both Yubikeys and Aegis so I've always got one of them ready and the yubikey gives me the convenience of webauth. I only use Bitwarden for stuff I really don't care about.

A law of the universe: more convenient = less secure. Putting pw & TOTP together essentially reduces your security to one layer other than brute-force attacks. Thus, they could maybe add another security layer to the password manager by adding the option of applying a separate password or graphical pattern access for use of the in built TOTP. That would make including both a more reasonable and secure option giving back that full second layer.

Ever since I nearly lost my totp when my phone went on fritz I started migrating to self hosted bitwarden and its totp.

We setup our infrastructure with TOTP pretty much the same way. we have 2 Bitwardens installed in our office. One is behind our firewall and can only be accessed over VPN when not in the office. This houses all our internal and external systems for our business and to access customer systems we have VPN access too and all codes are on a phone. Second one is also self hosted but can be accessed over the public internet via our reverse proxy. This is for generic websites our company uses like forums and things we're not to worried about and codes are in Bitwarden. Our techs HATE using VPN but we always tell them, better safe than sorry

I do store my TOTP in KeePass. But I have also been wondering how smart that is. But if someone breaches my KeePass file I think I'm screwed anywy

I have the same mentalitry Lawrence does. My major sign ins (ie Google, MS, banking, etc) is all in Authy. Everything else is in BW.

How do you back up Aegis, and does that backup require 2FA to access?

The problem with storing both logins and TOTP in bitwarden is that there's no depth in your defense. If bitwarden is compromised, so are your two-factor codes, effectively canceling out the benefit of enabling 2FA in the first place.

Since I use ToTP when I log into Bitwarden, I kind of need a separate ToTP app for the obvious: "Can't log in because I need ToTP key. Can't get ToTP key because I can't log in" So I just separate them, and use my prefered toTP app, authy. Crisis averted.

Thanks ! In the future can you make a vidéo "C2 Password vs Bitwarden" 😉

What I do is I have my Bitwarden handle all my TOTP, but, to access my Bitwarden, you need my password and my two factor which is stored separately (and not in Bitwarden), it also helps that I self host my Bitwarden as well.

Great video. Although my view is essentially the same as yours this video showed me something I was missing. Like you I keep my critical TOTP seeds only on my iPhone using Authy. Actually, since I wear an Apple Watch on a daily basis I also have Authy installed on my watch so that is where I generate a critical code from. Authy does have the option to cloud sync a user’s TOTP seeds between devices but I keep that option switched off so that my seeds are never stored in the cloud. I always set up a secure TOTP manually not via a QR code and I keep a record of the seeds in a heavily encrypted file on my PC so that I can re-enter them into Authy when I replace my phone or watch. Where you taught me a lesson is with 2FA on forums etc. I never even bother setting it up because all my forum accounts have fake personal details and even the email address is a gibberish one with no relation to my real name that forwards incoming mail to my main account so a hack on such a site would really not matter apart from maybe my needing to persuade the mods to unban me depending on what the hackers posted under my name. But of course you are right, if the password manager can conveniently fill in a TOTP code for me then having 2FA enabled really is a why-not? thing and having the TOTP seed for non-critical sites stored in the same place as my password is still one heck of a lot more secure than not having TOTP set at all, and all for no no added inconvenience. Thanks for that really helpful insight.

Can someone tell me what is the answer because I watched the video 2 times and could not hear it anywhere

The thing that I struggle with re: TOTP is about account recovery. Yeah, ideally you wouldn't store the TOTP secret with your password/main secret. The idea is you have it on a physical device, but if I lose the device......I need account recovery.....which is usually email.....but if my email was also using TOTP............yeah. Now I need to account recover my email which is often easier said than done.

My TOTP app is on my smartwatch. It's never connected to the internet. I only turn it off of airplane mode if I neede to add.a new key. I also have 2fa apps on backup phones that are never connected to the internet.

Does using bitwarden from a browser extension deal with keylogging? I know people say “well if there is a keylogger on your system you’re screwed”… but nowadays we have so much closed source stuff on our systems who knows? Like is steam keylogging? Microsoft office?

I don't. I think storing TOTP key along with the password is not the best security practice and somewhat defeats the benefit.

I use a mix. The most important stuff I use a yubikey for, and TOTP with yubikey authenticator when I can't use the physical yubikey on the site. Less important things I put the TOTP in bitwarden cause it's convenient and not important.

I self host my own bitwarden, but my TOTP is all in Authy on my mobile. I have been debating moving all but my bitwarden TOTP into bitwarden but not sure if it is an acceptable risk to take. Given that someone would need my bitwarden master password AND TOTP I think that mitigates the risk somewhat but still the whole "putting all your eggs in one basket" thing is stopping me.

sooo.... where is that part on using qr code for authentication??

The explosion of the problem is IoT authentication. Yes right now you auth with 5, 10 things but what about scenarios where the "things" you own need to interface with many other things?

I haven't heard of TOTP. Is that the tech behind the Authy app? or is it a self-hosted alternative?

quick question, i've set a public ip address to my bitwarden and i'm a bit concerned about the "bitwarden" username that i've created, can i change its password? (the guide tells me to use "bitwarden" as the password, ain't that a bit insecure??

I store most totp codes right in bitwarden. It's common for credentials to leak from sites, potentially giving attackers access to my username/password, but they still don't have the second factor in that case. What if someone gets into my bitwarden database? Well at that point I don't see much difference whether that includes totp or not. I guess in that case it's still safer to keep email account totp separate because that's the main avenue to reset credentials for everything else.

Please do yubikey. My browser keeps freezing every time I get to the insert key part and I have to stop it in task manager to get it back up.

If you don’t use bit warden on your phone you cant login to anything from your phone the?

How do you share TOTP between tech then?

Authy vs Aegis. Wich is better? Why?

I dont use 2FA :)

I have an issue with people saying to always use 2FA because a lot of times sites bleed it to just be MFA, which increases attack surface and many people don't understand what is actually secure. Secure things are inconvenient; storing passwords in the same place as your TOTP nearly obliviates the security added by having both in the first place, of course it stops brute-force and password leaks, but what if your password manager is also compromised? Security is scary; your information being leaked is scary -- people need to understand these things are fundamental about the internet. False senses of security through dishonest advertising and thinking "they won't do that" is why there are so many security problems today. Oauth and common TOTP scares me. It's almost better to have fragmented security systems in case there is a flaw found in popular protocols. Of course this is tin-foil hatty, but caution, at least, keeps one from being blindsided when bad things happen; it's _when_ *not* _if_

Actually, this matter shouldn't have much of a discussion on it at all: Saving the TOTP in the same place completely defeats the purpose of TOTP. You want to have two unique keys to prove your authenticity and placing them together is like leaving all your keys bundled up. Yeah, we do that IRL, surely, but we have the luxury of nOT having to do that, both IRL and especially online.

Having TOTP in the same place as your password kind of defeats the purpose.

I think...and this is my own opinion.....if you are not a super public or critical person (Bill Gates, Some president, etc) just to have a Password manager and 2 step verification in all your accounts, then you are better than the 95% of the rest of the people. A little convenience is good, security can become cumbersome and frustrating. Like when you have a new phone and your Gmail password is 40 characters long in bitwarden.

TOTP is a paid feature of Bitwarden right?

Absolutely don't store sensitive account's TOTP in your PW MNGR simultaneously. Definitely a bad idea.

Before watching: NO!

Really, you shouldn't store your password manager on the same device as your TOTP manager

simply obscure

No.

Just don't put your BitWardan TOTP into BitWardan, that's all.

Don't lose your phone

no. use another TOTP app.

Authy. Free and open source. Mobile and desktop apps. Fully cross platform.

You’re only slightly crazy. Nothing to be concerned about.

Yubico. 'nuff said!

Why is a video for a simple "No!" seven minutes long? 😏

Too many words! Edit for brevity (& clarity). Don't take 7 paragraphs to say, "Rain! Today! Tonight and tomorrow!"

Lol Google 2FA.... you think Google aren't collecting your information.... Think again.

Opinions are like assholes - everyone's got one. Absolutists are always wrong.