Matouš Borák
Posted on October 6, 2020
A few weeks ago, I dropped LastPass in favor of Bitwarden as my new main password manager. Overall, I like that Bitwarden is open source, I find its UI cleaner and faster on all platforms that I use and also the Premium plan is cheaper. Nice!
But soon I discovered one feature that really struck me - Bitwarden can store and generate one−time passwords for two−factor authentication! Whoah! This raises many questions and potentially some worries, too, immediately: should I use it? Is it safe enough? Read on!
Ordinary two-factor authentication
I won’t repeat here that two−factor authentication (2FA) is a good thing and why, I presume you already know that if you’re reading this article and use it at least for your most critical accounts.
The typical scenario when signing in using a mobile app 2FA and a password manager is as follows:
- you open the sign-in page on a web
- you let the password manager fill out the sign-in form (some do it automatically upon page load) and submit the form
- you reach your mobile phone, and:
- unlock the phone (e.g. via a fingerprint)
- open the 2FA app
- sign in / unlock it somehow (e.g. via a fingerprint again)
- find the corresponding code among all others
- and type the 6 digit number it shows you into the web sign-in form.
This process soon begins to feel quite cumbersome as you add more 2FA accounts and have to log in more often.
Bitwarden−style 2FA
With the Bitwarden 2FA feature, things get much more convenient:
- you open the sign-in page on a web
- you unlock your Bitwarden vault
- you press
Ctrl+Shift+L
to let Bitwarden fill out the sign-in form, and submit the form - a fresh 2FA code (TOTP) is silently generated and copied to your clipboard
- you locate the 2FA code form field and press
Ctrl+V
to paste the code from clipboard.
And that’s it, no need to deal with your phone and its 2FA app! How cool is that? And, more importantly, how safe is that?
I should note now that the 2FA codes generation feature is available only in the Bitwarden Premium or Organization plans. The free plan only allows you to store the 2FA secret but not generate the one−time codes. You’ll have to pay a few bucks to use this feature.
Sounds great but is this safe?
First things first: compared to the classic 2FA approach, storing your 2FA secrets and generating one-time codes in Bitwarden is most probably less secure. The whole point of 2FA is that you must use two separate means (”factors“) for accessing your login information to sign in a service and this core requirement is not respected in Bitwarden 2FA because all that you’ll need to access the complete login information is your master Bitwarden password. Technically speaking, this is not a 2FA any more but rather a ”single−factor two-step authentication“, you get your login info in two steps but from a single source.
OK, it’s less safe, but is it safe enough for me?
That’s a tough question. If you are a publicly known person (who is more likely prone to targeted attacks) or are dealing with some highly sensitive information, I would never recommend using this feature. Find a security expert instead and listen to what they have to say to you.
But otherwise, I believe that yes, Bitwarden 2FA feature can be set up in a reasonably secure way for most people and most accounts. You can even leave the real 2FA setup in your phone for your most critical accounts and have Bitwarden take care of the others. Always try to think about the threats you are trying to prevent!
Following are my own assessments of potential risks when using Bitwarden 2FA and some ways to reduce them:
Bitwarden servers get hacked and your passwords stolen and revealed
Risk: very low.
In the unlikely event that your data would be stolen from the Bitwarden servers, I wouldn’t freak out. The data is heavily encrypted locally on all platforms, with a key derived from your master password, and even more on Bitwarden servers. Unless you have a trivial password, it should be f***ng hard to read the data using a brute−force attack.
Someone guesses your Bitwarden password
Risk: low (if you care).
Your master password is the most critical piece of the whole Bitwarden ecosystem. For sure it is a long, complex passphrase following best practices, which resides in your head only, right?
But this is still not enough. If you ever happen to sign in your Bitwarden on a computer that you have limited control of (think a café), can you be sure there are no keyloggers installed? Or that no one is watching behind your shoulders (think even surveillance systems)? You can’t and that’s why it’s absolutely essential to secure Bitwarden itself using a real 2FA.
Connect Bitwarden to anything you find appropriate - an authenticator in your mobile phone, a DUO account, a hardware key, there are quite a few options. I myself use the Aegis Authenticator. Of course, it is important to secure the app itself, too, e.g. by setting up frequent locking and unlocking the app via a fingerprint.
Also, be sure to deal with the risk of losing access to your 2FA authenticator (lost phone, broken 2FA app, …)! A common countermeasure is to print out the recovery code on a piece of paper and store it somewhere safe.
Someone sneaks into your live Bitwarden session
Risk: reasonably low (if you care).
This is easier to leave unsecured than it seems and it gets worse the more different ways you use Bitwarden in. E.g. I use the Bitwarden browser extension and the mobile app. How long do these sessions stay live and unlocked? How easily are they accessible by someone unexpected? Think about how easy is to leave your computer unlocked (with live Bitwarden open in your browser) during a lunch−break or forgetting your phone (with live Bitwarden app session) somewhere. All Bitwarden apps can be configured for auto−locking / auto−logout but it is you who must configure them that way!
For example, I use the following setup:
- an automatic vault timeout which locks the Bitwarden browser extension after 15 minutes of inactivity; a PIN must be used to unlock it; note that typing PIN is not resistant from keylogger attacks so I’d recommend using fingerprint biometrics instead if you’re on a supported platform (Windows / MacOS) and a laptop with a fingerprint reader (unfortunately, Linux is still unsupported, please vote here)
- a similar timeout in the Bitwarden mobile app with biometric unlocking (my fingerprint); and, of course, the mobile phone itself gets locked, too (can be unlocked via biometry or a gesture).
That way you leave the live session unlocked for only a short time so you’d have to be attacked quickly and by someone who knows what to look for.
Someone steals your computer or phone
Risk: reasonably low (if you care).
Unless you are unlucky, you are pretty safe − if you followed the recommendations above, that is. The Bitwarden vault should be locked after a few minutes on the device and the probability of someone successfully breaking into the locally encrypted data is very low if you have a good master password.
There is one notable caution though: currently there is no way that I know of to prevent a certain device from accessing your Bitwarden vault. There is no list of allowed devices (on the contrary, such a thing was in LastPass) and no way to de−authorize them. You must resort to other ways, e.g. the ”Google find my device“ service in case of an Android mobile phone (if you have that service enabled) to track, lock or wipe the device. Similar solutions exist for laptops etc.
Summary
If you followed all the way down here, congrats, I believe you have a reasonably secure and very quickly usable „2FA“ set up!
And let’s sum up the basics again:
- if you are an important person, don’t use this!
- if your accounts cover highly sensitive data or important threats (your money in a bank or something like that), don’t use this!
- use a very secure master password that only you know
- use a real 2FA for Bitwarden itself
- use short timeouts for all Bitwarden apps
- guard your belongings, physical as well as digital ones (e.g. your email account).
I’m eager for your comments if you have any. Stay safe! 🤞
Posted on October 6, 2020
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.