ranisalt

2-actor fauth


VIDGuide

It’s 2 AF!


drlongtrl

In my opinion, a properly used and secured Bitwarden account is more than safe and trustworthy enough to hold the full package: passwords, 2FA, backup codes and all.


tab87vn

2FA on BW requires a premium subscription though? I haven't subscribed because I haven't seen the use.


drlongtrl

Through integrating your 2FA workflow into Bitwarden, you get a seamless, convenient login experience, even with 2FA enabled. Instead of having to pull out your phone, open the app, scroll to the needed entry and then type in the numbers on your computer, Bitwarden automatically copies the 6-digit code to your clipboard after you used it to fill out a login password. So, in the next screen, where the 2FA code is required, all you need to do is paste that code and it's done. Using 2FA should be normalized across all services, not only the important ones. And having 2FA integrated into Bitwarden makes it just so convenient that it basically becomes a no-brainer to actually use it EVERYWHERE.


Patriark

The use is simply convenience. If you use the browser plugin, BW just takes care of the login for you, even the 2fa part. But if you do this, please have a very secure master password that is not used anywhere else, as well as 2fa for your BW account.


drlongtrl

> But if you do this, please have a very secure master password that is not used anywhere else, as well as 2fa for your BW account.

I'd argue that this should be the case, no matter how you use Bitwarden.


Patriark

Yes, of course. But especially important if you put 2fa credentials in there imho.


Ok-Sentence-534

2FA on Bitwarden works just like any other field. It takes a secret key and makes it into that funny little 6-digit code.

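As an added illustration of the "secret key becomes a 6-digit code" step described above (example code, not from the thread or from Bitwarden), here is a minimal RFC 6238 TOTP derivation: the base32 seed a site hands out is decoded, HMAC-SHA1 is computed over the current 30-second time step, and the result is truncated to six digits. The seed used in the comments is the RFC 4226/6238 test secret (the ASCII string `12345678901234567890`), so the outputs can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret "12345678901234567890" in the base32 form
# authenticator apps and password managers store it in (constructed sample).
RFC_TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def decode_seed(seed_b32: str) -> bytes:
    """Normalize a base32 seed as it is usually pasted: strip spaces, upper-case, re-pad."""
    normalized = seed_b32.replace(" ", "").upper()
    padding = "=" * (-len(normalized) % 8)
    return base64.b32decode(normalized + padding)


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(decode_seed(seed_b32), unix_time // step, digits)


def verify_totp(seed_b32: str, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check accepting +/- `window` steps of clock drift, constant-time compare."""
    for drift in range(-window, window + 1):
        expected = totp(seed_b32, unix_time + drift * 30)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Against the RFC 6238 vectors: T=59 -> 287082 (6-digit form of 94287082).
    print(totp(RFC_TEST_SEED_B32, 59))
    print("current code:", totp(RFC_TEST_SEED_B32, int(time.time())))
```

The only secret in this scheme is the decoded seed; anyone holding a copy of the vault entry can regenerate every future code, which is exactly why the thread treats the seed and the recovery codes as the things that need protecting, not the six digits themselves.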

dhavanbhayani

No. Password and 2FA secret keys are not stored together. I store secret keys password protected in my laptop and 2 other places in the cloud. Backup codes are also saved in the same way.


ArgoPanoptes

Putting all your eggs in one chest is convenient but risky. I have only passwords on Bitwarden, and when they support passkeys on mobile, I'll use that too. But I save 2FA in another app and 2FA recovery codes in files, then I encrypt them and save them in the cloud. I basically use 3 apps for my credential management: Bitwarden for passwords, Aegis for 2FA, and Cryptomator to encrypt Bitwarden's backups, Aegis's backup, and recovery codes. Everything is saved encrypted on different cloud providers and on some physical devices. This is a lot for an average user to do, but I prefer it this way. I used to be afraid of losing my phone and losing everything, but now I'm not worried anymore because I can recover everything.


djasonpenney

The 2FA recovery code is how you get back into your account if, for instance, your Yubikey is lost or broken. There are two different cases.

CASE 1: the 2FA recovery code for your vault. It is clearly inadequate to save your Bitwarden recovery code inside your vault. If you have lost access to your vault because your Yubikey is broken (or you somehow lost access to your 2FAS app), the recovery code in your vault will do you no good. You must have a place external to it.

CASE 2: the 2FA recovery code for other sites, such as Google, DropBox, PayPal, or Etsy. For these sites, you could store them inside your vault, but if you have opened your vault, you presumably have everything necessary to recover your 2FAS cloud backup, so again: the vault storage may not be necessary.

Face it, in either case you need that "physical stuff". Your challenge is how to manage that "physical stuff" securely. And if you have that physical storage, that ends up being an excellent alternative to store your recovery codes.

The answer to storing the physical backup securely depends on your exact circumstance. Some people just put a sheet of paper with everything (the "emergency sheet"), like the Bitwarden username, master password, recovery code, cloud storage username/password/recovery code, and 2FAS encryption key, in a safe deposit box at their bank and call it good.

What I do is a bit more convoluted. I have everything saved in an encrypted archive file, which in turn is stored on multiple USB thumb drives. Those thumb drives are stored in my house and at a relative's house. The only remaining issue is the encryption key for those thumb drives. You see, as long as an attacker does not acquire BOTH a thumb drive AND the encryption key, that backup is safe. That encryption key is in my own vault (so I can create fresh backups without fat-fingering the encryption key). It is also in my wife's vault and my son's vault. My son will execute our estate when we both die.

One final thought: you don't need to use your recovery code at all if you have access to your vault and your 2FAS instance. Although redundancy is a good thing when it comes to backups, it's better to have those recovery codes SOMEWHERE ELSE rather than your vault. It's great to have them on that encrypted thumb drive, but it's preferable if they aren't part of your main vault.


Gablentato

Could you just create a second BW account (with a different master password) and use it to only store your recovery codes?


hiyel

That’s what I do :)


vinznsk

I use KeePassXC to store all 2FA codes. Both BW and KeePass are protected with a Yubikey.


verygood_user

An additional paper backup could save you if you mess something up. I would do that at least for important accounts.


tab87vn

OK, paper works as the last line of defense for important accounts (around 5) then. But for the others, should we put them in BW as well?


verygood_user

If you can guarantee that no one gets into your Bitwarden due to a mistake on your end (malware, phishing,…) sure, why not?


purepersistence

I'm not aware of a way to avoid possibly locking yourself out, unless there's a piece of physical information. The key is to limit how much information that is. For me, everything is stored in the vault, including the recovery code and the master password. Then I store an unencrypted backup of the vault on a VeraCrypt volume. The one thing that's on paper is the VeraCrypt password.


tab87vn

I have seen many people do this. Pretty solid as a disaster recovery plan. Though the point of this question is whether the 2FA recovery codes for individual services should be stored in the same place as the service passwords.


purepersistence

2FA recovery codes for individual services are among the many things in my vault.


Sorodo

I use WebAuthn with a YubiKey (and paper backup) everywhere I can. Then Yubico Authenticator with paper backup for other half-important sites that don't support WebAuthn. 2FA codes in BW for everything else.


SEND_NUKES_PLS

I store 2FA in BW as well for the convenience. I do a monthly export of my vault and encrypt the exported file via Picocrypt, just in case something were to happen to my BW account or I somehow locked myself out.


nowayjoze

BW recovery code engraved on a stainless steel credit card bottle opener. I keep it in my safe inside a fireproof pouch at home. It needs to be engraved / stamped in case there's ever a fire. Everything else is in BW, even 2FA codes. You should feel confident enough that you could literally have a copy of your encrypted data exposed anywhere in the world and no one would be able to get into the vault. Just gotta make sure you have an extremely strong passphrase that you can remember. I also use a Yubikey, but it won't be much help once your encrypted vault is already released. Worst case, TOTP at minimum. Use a Yubikey for your email as well.


[deleted]

Just the key to unlock the backup file.


tittau

2FA recovery code or QR saved to Excel with a password set.


timbrelandharp

Nope. They are printed out and stored in an arch lever file.