TOTP keys in Bitwarden


I've been using bitwarden for a while now (maybe a year?) and I just recently realized that it can store TOTP keys for 2 factor authentication.

Just curious, does anyone use this functionality?

IMO it doesn't seem very good practice to put passwords and the means to obtain 2FA codes on the same bucket...
 
Just curious, does anyone use this functionality?

IMO it doesn't seem very good practice to put passwords and the means to obtain 2FA codes on the same bucket...
I use it for some services that are not critical. But in general, yes.
 
Specifically, what is the risk vector?
That if someone finds a way into your vault they will have the info necessary to log into your accounts with 2FA active, while if the TOTPs are somewhere else they won't.

So, yes, you can argue "how likely is someone accessing your vault?" and "it's way better to have 2FA stored with the passwords than not having 2FA in the first place"... and I'd agree.
But I still think that storing passwords and TOTP together is less secure than having them separate, although it is extremely convenient.
 
That if someone finds a way into your vault they will have the info necessary to log into your accounts with 2FA active, while if the TOTPs are somewhere else they won't.
The vault is on my NAS. It is protected with a massively long mixed character password and a fake email of similar complexity. I also have a 2FA app on my phone, which is probably exposed to greater vulnerabilities and deceptive apps. It's likely a coin toss of which is safer. Maybe a YubiKey... but then I would have to trust its maker :eek:

But no worries... I'm protected...

 
It works well, you can do it, but it's pointless from a 2FA point of view. If you store TOTP and password in the same place you lose the security of the second factor. 2FA exists to enforce the security of the authentication by adding a second means to that process; that means certifies that you're exactly the owner of the account that is trying to log in. If you get compromised the attacker will have all the tools to access your account.
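To make the point above concrete, here is an added illustration (not code from this thread, and not Bitwarden's implementation) of how a TOTP code is derived from the stored seed per RFC 6238: the seed is the only secret, so whoever holds the vault entry computes the same code the phone app would show. RFC6238_SEED is the RFC's own published test seed; the +/-1 step acceptance window in `verify` is an assumption about a typical server, not a specific service.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference seed ("12345678901234567890" in base32), used so the
# results can be checked against the RFC's published test vectors.
RFC6238_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Authenticator apps and vaults store the seed as base32, often unpadded
    and with spaces for readability; normalise before decoding."""
    s = seed_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(seed_b32: str, at: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HMAC(seed, floor(time/step)), dynamically truncated (RFC 4226)."""
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(decode_seed(seed_b32), counter, algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(seed_b32: str, code: str, at: int, window: int = 1, **kw) -> bool:
    """Server-side check (assumed typical deployment): accept the code for the
    current step and +/- `window` neighbouring steps to tolerate clock skew.
    Compare in constant time so timing does not leak which digits matched."""
    step = kw.get("step", 30)
    return any(hmac.compare_digest(totp(seed_b32, at + k * step, **kw), code)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    # Whoever holds the seed computes exactly what the authenticator shows:
    # there is no second secret, only (ideally) a second device holding it.
    now = int(time.time())
    print("code for the RFC 6238 seed right now:", totp(RFC6238_SEED, now))
    print("verifies:", verify(RFC6238_SEED, totp(RFC6238_SEED, now), now))
```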
I've been using bitwarden for a while now (maybe a year?) and I just recently realized that it can store TOTP keys for 2 factor authentication.

Just curious, does anyone use this functionality?

IMO it doesn't seem very good practice to put passwords and the means to obtain 2FA codes on the same bucket...
 
It works well, you can do it, but it's pointless from a 2FA point of view. If you store TOTP and password in the same place you lose the security of the second factor.
So if I have a TOTP app on my phone, you're saying I can't store passwords on my phone? So I should carry a pocket notebook with all my passwords? What in heaven's name is one to do? Commit 24-character passwords to memory? :ROFLMAO:
 
I protect mine with a physical yubikey: the first login requires the yubikey to be plugged into USB or activated by NFC. The yubikey is on my keychain.
I've been meaning to get Yubikey for some time, but something in the back of my mind keeps me from buying one and I can't tell exactly why... maybe it is the little mean cheap person in me who thinks it is totally overkill for a regular user like me...

Do you use the key in every account where it can be used, or just for a few and then TOTP? And do you use it in addition to, or instead of, TOTP?

The vault is on my NAS. It is protected with a massively long mixed character password and a fake email of similar complexity. I also have a 2FA app on my phone, which is probably exposed to greater vulnerabilities and deceptive apps. It's likely a coin toss of which is safer. Maybe a YubiKey... but then I would have to trust its maker
Yes, I agree with your point. I'm not saying that if your account is secured it is an aberration to do it, my point is just that it seems funny in my mind to store those things together.
 
So if I have a TOTP app on my phone, you're saying I can't store passwords on my phone? So I should carry a pocket notebook with all my passwords? What in heaven's name is one to do? Commit 24-character passwords to memory? :ROFLMAO:
Technically that’s it. Anyway I was speaking about the condition where you store password and TOTP next to it in BW.
 
So if I have a TOTP app on my phone, you're saying I can't store passwords on my phone? So I should carry a pocket notebook with all my passwords? What in heaven's name is one to do? Commit 24-character passwords to memory? :ROFLMAO:
You can do it. 1st password: 1,2,3….,23,24. See all those commas will throw anyone off 😂😂😂😂
 

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.
