2FA codes in Bitwarden

On a recent episode of Security Now, Steve mentioned using email as a single factor for authentication since most sites have an “I forgot my password” link. This got me round to thinking about storing my 2FA secrets in Bitwarden.

I know you’re putting all your eggs in one basket. The way I see it is that, if the contents are both encrypted, then does it matter, since the attacker would have to decrypt them both separately. I suppose the other thing would be that, if someone needs emergency access to your passwords and you’re not around to supply the 2FA code, they’ll be out of luck.

I seem to remember Steve mentioning this but can’t remember what the conclusion was that he and Leo came to.

They are both encrypted using the master password or secure key - I’m not sure exactly what Bitwarden uses; I use 1Password, which uses a combination of key and master password.

That said, if the master password is secure enough for most people’s requirements.

I’ve been considering this, especially since Authy is discontinuing their desktop apps in the coming weeks (they changed the date from August to March), but I’m not sure I want to keep everything in the same app. But then again, for work we use a cloud-based product to store customer passwords that also stores the OTPs (for those that use that method) so we don’t need a million accounts.

I kind of recall Steve being against it purely for the “all eggs in one basket” problem, but I may be mistaken.

I keep my TOTP codes in my password manager. I think TOTP codes are an effective authentication method not due to their being a second factor necessarily, but more due to the fact that they can’t be easily guessed, re-used, shared, etc. - basically all the problems with a legacy password.

I wish sites would give the option to utilize TOTP auth as a primary and single factor rather than it being pigeon-holed as part of the MFA chain.

Steve and I have both commented that it’s risky due to the single source of failure, but in a recent show he also said it’s probably ok and if it means more people will use 2FA it’s good.

I still use 2FAS for my two-factor, separate from Bitwarden, but as long as you’re using a long password as your master password combining the two is probably fine.


I very nearly lost access to everything when an MS Authenticator backup restore failed after a phone reset. So at the very least, keep a paper copy of your password manager’s backup 2FA codes.

I do keep the rest in Bitwarden, though. Maybe I should revert to paper copies of everything.


That’s also partly what I’m thinking. I recently had my phone stolen, although I had backups of my 2FA codes… although now I have to reorganise stuff. I suppose that storing in Bitwarden will mean I have access to them everywhere, so on my laptop as well as phone.
