Nice little feature of Bitwarden:

Check which services you are registered with have 2FA options, and check the instructions on how to enable them.

I wouldn't recommend storing your 2FA credentials along with the passwords in Bitwarden, but checking once a year where you can set up new 2FA is definitely recommended!

@sheogorath I do store my 2FA creds in Bitwarden, the convenience outweighs the risks for me. 👌🏻

That being said, Bitwarden reports are great! They’re reserved for Premium subscribers though but $10/yr is so ridiculously cheap 🤗😍

@Crocmagnon Oh, I wasn't aware it's a premium feature. Anyway, yes, I can understand why people want to store 2FA along passwords, but still can't recommend it, because it takes the 2FA out of 2FA :D

I use a different system to achieve the goal. For one, I use AndOTP which allows easy and secure backups, then again, I store my backup codes in an offline password safe. And for convenience, if possible, I use FIDO2/U2F instead of TOTP.

I noted some parts down a while ago:

@sheogorath your system seems quite robust! 😊

> because it takes the 2FA out of 2FA :D

Well, I wouldn’t be so sure. If for example your password leaks because the service did a bad job protecting it, 2FA still protects you. Unless the 2FA secrets leak alongside the password DB, but in this case it doesn’t matter where *you* store them.

@sheogorath Also if for some reason you reuse your password (don’t do that), and a reused version is leaked, you’re still protected by 2FA, wherever it’s stored 😊

IMO the only time your 2FA secrets are not safe in your vault is if your vault itself becomes compromised, but I’ll have bigger problems to take care of if this happens.

At least that’s *my* threat model, I don’t expect everybody to agree 🙂


@Crocmagnon the goal of 2FA is never to protect from service compromise. It's always client compromise.

And client compromise in the case of a website can be either your browser, which is not that uncommon, or the browser extension, which we have seen a lot in the past; just look at LastPass and Project Zero a few years ago. Maybe your entire OS is compromised.

And that's the risk you have to assume. And that's why you should use 2 very different devices for proper 2FA.


I would disagree. 2FA doesn't protect against a compromised client. It just adds another layer to the authentication process for the service to make sure that you have not only the right credentials (could be leaked), but also the correct 2FA token. This makes it way more difficult for attackers.

A compromised client could ask for your 2FA token and forward it instantly to the correct site to lock you out of your account.


Small addition: 2FA protects against keyloggers and shoulder-surfing on the client system. Just for the protocol :)

@hejowhat @Crocmagnon All in all, yes. But the goal is not always a full account takeover. There is actually not much benefit for an attacker on a compromised client in locking you out of your account. They can just use your session to stay undetected and mix in with legitimate use. Stealing your credentials, however, if both are present already, can still be lucrative. Especially with password safes it's a keys-to-the-castle situation.

I mean, they lock you out to gain some more time to do their shenanigans. The actual damage depends on the service that got compromised. I could imagine that Bitwarden is the worst-case scenario.


Sheogorath's Microblog

This is my personal microblog. It's filled with my fun, joy and silliness.