
Bitwarden (as an example) allows you to store your TOTP tokens in it. That is: you can use the mobile app to scan the QR code that (e.g.) Amazon AWS gives you, and then it'll generate TOTP codes.

So far, so exactly the same as Google Authenticator and similar.

Bitwarden synchronises your "vault" (to their servers by default; you can install your own server), including the TOTP ... stuff. This means that your credentials (including TOTP codes) are available on all of your associated devices.

Is that a good thing, from a security point of view? It's definitely convenient -- I just got a new phone, and resetting all of my MFA tokens is ... not a pleasant use of my time.

Roger Lipscombe
  • Unfamiliar with Bitwarden/storing TOTP in password managers in general. Sounds like anybody with access to your Bitwarden account has access to your TOTP codes? While this isn't ideal for obvious reasons, it might not be as bad as you might think. You still have MFA protection for your other sites - e.g. if your MySpace password gets cracked/leaked, an attacker won't be able to log in as they still won't have your MFA code. Personally I would absolutely make sure you have a 'true' MFA device (e.g. your cellphone) for your Bitwarden account. Alternatively, consider YubiKey or similar products. – Buffalo5ix Aug 12 '19 at 22:28
  • If someone can access my Bitwarden (or other password safe) account, it's game over. My concern is about the loss of "other factor", but the linked Q says that's a small concern. I remain unconvinced. – Roger Lipscombe Aug 13 '19 at 06:51

0 Answers