this post was submitted on 19 Aug 2023
138 points (97.9% liked)
Open Source
30511 readers
229 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon from opensource.org, but we are not affiliated with them.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I don't think that it's safe to leave both authentication factors in a single app.
It depends on your risk profile, but yes, it's less secure. For some people the convenience is worth the risk, for others maybe not. If you opt to store 2fa keys in Bitwarden you'd definitely want to enable 2fa for your Bitwarden account though, which brings us back to the same issue again.
With the risk of getting locked out if all your devices get logged out of Bitwarden! 🙈
To clarify, you'd want to enable 2fa for Bitwarden and store the token for that in a different authenticator app - that way you can still log in to Bitwarden without already needing to be logged in
Why not? If you enable 2fa, chance that you'll save the recovery/emergency code in your password manager anyway (I don't think people would really write them down on a piece of paper and put them in their safe). Why use a separate authenticator app if your password manager can handle it all?
You're absolutely right about this and I need to find a solution.
What if you get logged out from Bitwarden on all the devices? How can you get back in Bitwarden if you have 2FA enabled on that service? (And I hope that you do!)
Believe it or not, I save my bitwarden 2FA on bitwarden too! I also save it on google authenticator, so I have it on two places. The reason I save it on bitwarden is to prevent losing access to the token if I lost my phone, because bitwarden allow you to unlock the vault without OPT on a know device/computer (it only ask for OTP when you login from a new device). So as long as I have one device with bitwarden, I should still be able to unlock the vault and re-login on a new phone using 2FA token from bitwarden on the other device. If I lost all my devices, then I'll have to dig the recovery code I hid and encrypted somewhere on my google account and my primary desktop, which is quite a pain so I hope I don't need to do this.
Beware that for important bug/problem/I don't know, you could be logged out from all your devices for security reason and in that case you can login only with 2FA even on devices where you were already logged in. Keep in mind that Aegis can create encrypted backups, but you'll have to upload them somewhere and I understand that with Bitwarden is easier.
Well, as long as I don't lose the phone with Google authenticator, I should still be able to login to bitwarden without digging out the recovery code.
This. It's not two factor if both factors are stored together lol