44 points by nequo
6 days ago
I keep seeing this take and it's not a great one.
TOTP in Bitwarden (or 1Password or KeePass) is an upgrade over SMS authentication in terms of both security and convenience.
For most people, TOTP in a dedicated app is not actually much more secure:
1. They could lose the device. Without a backup, they're suddenly unable to login to their accounts.
2. Their device may not be well secured, e.g., either not requiring auth to unlock it or only having a 4 digit PIN.
3. They're likely logging into accounts on their phones and have the password manager and TOTP app on their phones as well.
4. If the TOTP app has backups, then it's vulnerable.
5. Such a user may be less likely to use 2FA in a given app because it's less convenient.
If you secure your devices with long alphanumeric passwords, secure your password manager with U2F / WebAuthn and an even longer alphanumeric pass phrase, and consistently enable TOTP 2FA, then you'll be more secure than the person who either uses it less consistently or who uses it on device
Yes, you would be more secure if you used it consistently AND had 2+ dedicated devices for your TOTP codes (your main device and at least one backup). But let me propose an alternative: do that just for your most critical accounts, but use your password manager's TOTP solution for everything else.
Which dedicated device would I recommend for storing your TOTP codes? The same one I recommend for U2F, the Yubikey 5 series (specifically the Yubikey 5C NFC). It can store up to 32 codes, which for 99% of people is more than enough for all of their critical accounts.
> TOTP in Bitwarden (or 1Password or KeePass) is an upgrade over SMS authentication in terms of both security and convenience.
The article makes a similar point:
>> Among the people I’ve “interrogated” about sufficiently securing their online accounts were few who proudly said they’ve adopted a Password Manager and… they’ve copied their favorite password that they’ve been reusing all over the place into the Password Manager. And now they use the Password Manager’s web browser extension to paste the same password into each login form. Well, the only thing they’ve gained is a false sense of security.
>> However, if they do add a 2nd factor of authentication, even if that’s a TOTP managed by the same Password Manager, they do end up in a much better place. Now, looking back at the attack scenario I described above, their leaked password is not enough to log into other online accounts. Yes, they are still vulnerable to a scenario where their Password Manager account gets popped and the TOTP secrets are revealed. But still, their security posture has improved a lot!
Keepassxc allows you to store those TOTP codes and lock your password database using Yubikey. Even if someone stoles your password database file, it won't work as the attacker needs your Yubikey too.
> Even if someone stoles your password database file, it won't work as the attacker needs your Yubikey too.
It's the same with any password manager. The issue is, after someone somehow had one peek at the decrypted data, they have all the TOTP seeds they need so they no longer care.
Bitwarden allows that too
TOTP in another app is not more secure because TOTP is not secure (not phishing-resistant against real-time proxy attacks even script kiddies can pull off thanks to Evilginx).
FIDO2 and FIDO U2F are phishing-resistant, but almost nobody implements them, preferring security theater, and even when they do, not correctly (e.g. PayPal only allowing you to use one key, so if it gets broken or lost you are SOL).
The specific mention of Bitwarden made it sound like there's something wrong with Bitwarden's implementation of TOTP in particular (which would be hard, since the TOTP client doesn't really do much beyond store a very password-like string).
But it's not; the author's point is just that putting your MFA token into the same place as your other passwords defeats some of the purpose of "multi-factor" authentication in the first place, since a breach of your password manager gets the attacker both factors.
So, nothing in particular for Bitwarden users to worry about, just general OpSec advice.
Yes. But where to store the backup codes for occasions when that device breaks or get stolen. That is what I like to know. Cause several providers says in a pw manager.
This seems like a use case for an offline password manager (which will no doubt still run on the same device, and therefore offer limited benefit), or doing something like gpg encrypting the information to your own gpg key (and storing that key offline or on a yubikey, and not putting the gpg private key on the computer with access to your password manager).
Storing the TOTP in your password manager still protects against brute force / rainbow / phishing / MITM attacks. The author has come to their conclusion based on one scenario without considering any others.
For super important stuff, such as email accounts, I use an external authenticator. For medium important stuff where I want a bit of extra security (or I’m forced to use 2FA when I don’t want to), I store it in the password manager.
AFAIK TOTP doesn't provide protection against phishing / MITM attacks if the attacker is able to response within the time window (usually ~2x 30 seconds).
It also has limited benefit against brute force attacks since it's essentially just a few extra numbers added to the password (although that certainly helps).
It does provide a defense against leaked previously passwords, and keyloggers if they aren't immediately used.
I'd love to be corrected if this isn't the case though.
EDIT: Totally forgot - it also protects you if your password manager is breached, assuming you don't store it in the password manager
> AFAIK TOTP doesn't provide protection against phishing / MITM attacks if the attacker is able to response within the time window (usually ~2x 30 seconds).
This assumes a sophisticated attack, which is absolutely possible (I’ve even seen it happen), but is less likely than a form that just captures information. In any case, in the attack you describe, storing the TOTP externally doesn’t provide any additional protection over storing it within the password manager.
> EDIT: Totally forgot - it also protects you if your password manager is breached, assuming you don't store it in the password manager
Yeah that’s the entire point of the article. But managing TOTP separately can be a bit painful. So I’m saying that if you want a bit of additional security without any inconvenience, there are still benefits to storing a TOTP in your password manager opposed to having no MFA at all.
Oh yeah totally agree with you on all of that.
I wanted to make sure the limitations were pointed out that TOTP doesn't itself protect against sophisticated MITM/phishing attacks which a lot of people I've met thought.
But it absolutely provides some level of protection against unsophisticated attacks, and it's still helpful even inside your password manager.
If you use the browser extension, it provides resistance against phishing attacks because the password and TOTP won't auto-populate. It doesn't help against sophisticated MITM attacks at all - for those you need U2F / WebAuthn.
It helps against brute force attacks but how much it helps depends on the service. If your service prompts for a 2FA code when provided with an incorrect password, then it helps a lot. If an attacker receives confirmation that they have a correct password before needing to enter the 2FA code, then it helps less.
TOTP slows down brute-forcing a service through normal access patterns (eg login, password reset). By normal access, I mean as provided by the software/vendor. One would hope said service has rate limiting and other mitigations to prevent bad actors brute forcing this way, of course.
However it is a second defense enforced by process/code alone (which can be turned off if you have access to the source). It doesn't effect the way your password is stored on the server, in the event of a leak or hack TOTP provides no brute force benefit.
Like many security measures, it slows down an attacker, does not stop them.
And my Bitwarden Vault is hosted on a server I own. If it gets breached, I'm in deep trouble regardless.
> brute force / rainbow
If I'm using a long random password generated by a password manager, are these attacks realistic?
> phishing / MITM attacks
But if they can phish or otherwise capture my password, can't they just as easily phish or capture my one-time code?
> (or I’m forced to use 2FA when I don’t want to)
IMO, this is the only actual use-case, and it sucks because it adds additional login friction for absolutely no reason. If you want to ensure I'm using a strong password, generate the password for me as a condition of disabling 2FA.
> If I'm using a long random password generated by a password manager, are these attacks realistic?
Most likely no. But some people refuse to use such passwords, even when using password managers. Also it was only a few years ago Sony was caught storing passwords in plaintext so… Unless you trust the service is hashing and salting your password, MFA can be a good idea.
> But if they can phish or otherwise capture my password, can't they just as easily phish or capture my one-time code?
The TOTP lasts ~30 seconds. So the attack needs to occur in real-time (opposed to a form that just captures information). Can this happen? Absolutely. But it still raises the bar for the attack.
But yeah I agree, forced 2FA is infuriating.
Both the time-step size (recommended 30s, 60s isn't uncommon) and the validity window (+-1 (3 windows), +-2 (5 windows)) are configurable by the implementation. The time-step size can't be changed after the setup (both the server and the client would have to agree) and are visible to you. The validity window can be altered server side and isn't visible to a user. It's in the best interests of implementer to keep the validity window small since they have to check all valid TOTP codes for a client, but the phishing window while near-time, is larger than the time your code is visible.
> Also it was only a few years ago Sony was caught storing passwords in plaintext so… Unless you trust the service is hashing and salting your password, MFA can be a good idea.
Though that site is likely also storing the TOTP shared secret in plaintext, beside the password, making it pretty much pointless. If the site itself is compromised, it's hard to come back from that.
Pretty much the best thing you can do is never re-use passwords across sites.
>if ... the Password Manager gets compromised, the attacker will get their hands not only on your passwords, but also the secrets used to generate the TOTP HMACs.
As true as this is, it's because TOTP often breaks the spirit of MFA. Password-only logins where a password manager does the form filling are frictionless. Adding TOTP MFA to every single login—even a login from a known browser, where an existing cookie and browser fingerprint would serve adequately as the second factor—regresses UX back to the point before password managers got involved. Back when I was typing passwords, I didn't have to pull out my phone and look them up first.
The TOTP seed has just become the real password, because your "password" password isn't good enough. Security is hard, so service providers assume you're going to screw it up, and they make authentication suck.
The major use case for putting TOTP into a password manager is the ability to share the account in a company or family setting.
For example, some social media accounts don't support multiple users and so you either need a shared company phone for 2FA or you can put TOTP into the company password manager along with the password. I see no workaround for this. I guess you could have a separate company 2FA system that is shared like let's say you use 1pass for passwords and bitwarden for 2FA, but still, local machine exploit will gain access to both.
I understand the principle here, but my bitwarden is on my phone, and the standard way to do TOTP on Android seems to be Google Authenticator -- and that isn't even password protected once someone has the phone unlocked!
I find my biggest problem with TOTP is not losing the damn things when changing phone, so I want them to be stored somewhere that get synced between devices.
I store them on my Yubikeys. So I can read them anywhere (just need the Yubico app), be it on my laptop or phone. And they stay with me when I change phone/laptop.
I think that while storing a TOTP in your password manager is less secure than using an external app, I also feel like this is missing a large portion of when I am storing a TOTP in Bitwarden - shared accounts.
Being able to store a TOTP in my password manager allows me to have a shared account still use 2FA - and provided all parties also have 2FA on their Bitwarden accounts I think this is a pretty secure system and much preferable to one party having TOTP and everyone else needing to email or message them to get the code. Especially considering that as the number of "Hey can you send me the code to log in real quick" messages the 2FA holder gets goes up, the likelihood they get complacent and just start automatically responding could also create a threat vector.
> Being able to store a TOTP in my password manager allows me to have a shared account still use 2FA
Except TOTP secret in password manager is the same factor as the password (both being the password manager), so you don't get 2FA
I did a roundtrip to the password security rabbithole since the LastPass incident and my conclusion is there's virtually no way to have something truly safe - you can have a lot of layers to protect your accounts, but there's always a weak spot somewhere. Plus the more layers you add, the harder it is for you to use...
Sure you can have a yubikey for your 2FA, but then you need a backup in case you loose it or break it, and you need to store that backup somewhere (physically or virtually), and you need to trust / secure that location, or encrypt the data, but then you need another secret to decrypt it, and you need a backup of that too, and so on.
I don't see any way to break that Russian Doll effect. Any suggestions?
There has to be a point where the data is secured by a password, and you will need to keep that password safe both in your head and in a secure location. In your case this would be your password to your backup file.
Pick a good password for the backup and recall it every morning and at random points in the day; the intent is to make you remember it even under stress. Also have it printed out or written somewhere in a place that no one will notice/find - say as a scribbling in your sketchbook or printed at the bottom of a document in your file folder. If you're creative you can even hide it on a sticker inside an object or so forth. No one will know that the string there actually is your password, and if you want you can split it among different pages/etc.
A backup second factor is not very likely to be useful to an opportunist. Is they a reason to not just store it at home, perhaps in a fire resistant safe?
Mmm maybe. A bit annoying to backup regularly, but maybe by doing an hybrid approach like other have suggested here could help reduce the backup frequency/annoyance, i.e. duplicated two-factor key for important accounts, and the rest is stored in a password manager.
Now if only banks would implement proper two-factors...
It's a good idea to keep TOTP source separate, if as hardware key - even better.
Though what's with all the recent criticism of Bitwarden? It's by far the best solution for personal security that you can also self-host and its code is OSS.
Just because it's the best doesn't mean it shouldn't be criticized if it can be improved. That being said, this article is really more about fundamentals than Bitwarden specifically.
Misses the obvious (and highly effective) strat of using BW as a yubikey adapter. By this I mean: put BitWarden behind MFA login that requires (requires!) a hardware key; now, use BitWarden to store your TOTP; congratulations, you just moved all your TOTP MFA to a more-secure hardware token scenario.
do use BW for TOTP, but then add a hardware key. Boom. Better security and, just as important, only one site to tell about your yubikey (managing FIDO2 hardware across several websites puts it in now-you-have-two-problems territory)
I think it’s useful to stop thinking about TOTPs as a multi-factor implementation, and think about it as a forced random password.
The biggest problem by far is that people still use the same password everywhere, and no amount of yelling at them for the past 20 years seems to be working, so the only solution is to declare passwords as mostly broken and force people to use TOTP. That’s effectively how most sites are using it anyway. Using this approach, you now have a probably weak password of a certain length, and then a guaranteed random password of 6 digits that expires every 30 seconds. The brute force window is essentially closed at that point.
This approach also reconciles the idea that a TOTP secret must be tied to a device, instead of a person. I’m pretty security conscious and can put up with a lot of shenanigans to be more secure, but the insistence of TOTP apps to not allow backup or transfer of secret keys is just too much for me. I can’t imagine any regular user putting up with that, and the result is the help desk has to deal with many requests to remove devices when someone gets a new phone.
With the threat model redefined to force the use of unique passwords, it makes it far more acceptable to store TOTP secrets in password managers.
Isn't that what passkeys are about? Replace passwords with something simpler
Passkeys will be DOA. Even though they seem to be gaining traction at the moment (in the SV echo chamber), they will fade (remember 3D TVs?).
Nobody wants to carry around an extra thing on their keychain just so they can login to stuff. They already have a phone, and every other thing that uses physical keys is currently in the process of moving to using apps on phones. Just like Yubikeys, they will be used for some high security applications, but will not gain general acceptance by users.
I kind of wish most TOTP implementations (apps and/or desktop software) would support exporting all of the current data in an encrypted file format, a bit like KeePass has .kdbx databases with your passwords and other information.
To me, that feels like the missing piece in my mostly-offline way of managing credentials and backing them up - I could throw the KeePass database and this TOTP database (presumably both protected by passwords) in a VeraCrypt container (also encrypted) or something similar, put that on an SD card and then store it somewhere in case of hardware failures or other factors like that.
Personally I think that TOTP is great and while there are plugins for KeePass for example, most people will opt for using various apps which don't always let you fully be in control of your files. As for cloud options - they are easy to use, of course, but personally that feels like a major risk, which the LastPass breach somewhat confirmed.
If you're an Android user, you may be interested in Aegis [0,1].
It allows you to import data from various formats, either through a file or directly from another app like Authy (needs root access).
It also allows for export options, such as encrypted JSON or unencrypted TXT/HTML. Additionally, it enables backups to file storage, I am using my Nextcloud as a target.
Overall, Aegis is my to-go open-source alternative to Authy.
One of the key benefits of storing TOTP seeds in a password manager is easier auto-completion (yes, I'm aware sharing is another one).
I'd with multi-platform password managers would have two different vaults, where one is for general computing and another is encrypted differently and only available for trusted always-available devices (phone, smart watch or something like that), and OTP seeds could be moved there and become accessible only to such trusted devices. Then, the password manager should be able talk to itself on those devices and ask them to provide an OTP (depending on user preferences, with or without on-device confirmation), so the seed isn't available but the current OTP value is conveniently accessible. Tricky, complicated, but secure and convenient.
But that's ultimately a hack. The best one could hope for is WebAuthn eventually killing TOTP entirely.
TOTP in your password manager bottlenecks you down to 1 factor if that 1 factor is compromised. You can address this concern by protecting that bottleneck behind two factors itself. And we already do that all the time - logging in to a website gives you a single-factor session token that gives you everything, after all! The trick is that the session token is time-limited and rotates frequently (you have to log back in every day or whatever), so it's okay that it's the single factor. The way to re-secure your password manager, then, is to do the same - protect your bitwarden account with 2FA, set it to require re-auth and a webauthn touch every 2 hours or to require a webauthn touch to generate a TOTP code, and you're basically back to the same state you were in when you were getting TOTP off your phone or a yubikey.
I'm not sure if it passes a rigorous security analysis, but my approach is to have two different keepassxc databases with different passwords. One for passwords, the other for TOTP. The TOTP db is mainly for backup, I use a phone app on the day-to-day.
If your password manager is locked by 1) a password that isn’t written down, and 2) a second factor code, it’s theoretically equivalent to having a specialized TOTP app, (assuming the password manager won’t get cracked).
- to get into my gmail, you’ll need my password and TOTP.
- both the password and TOTP are stored in my password manager, so you need to unlock my password manager.
- to unlock my password manager, you need its password, and its 2-factor code.
- the password isn’t written down so you’ll need to know it
- the 2-factor code is only accessible on a device, so you’ll need one of my device.
- thus, to get into my email, you need both to know something and have something of my belonging.
That is of course based on the presumption that you trust the password manager’s implementation.
There's no way to construct a TOTP app that uses that TOTP secret to actually encrypt the on-disk password database though, correct? In the case where e.g. LastPass gets breached, even if you have 2FA enabled, the only thing actually protecting your vault is the Master Password itself, not the TOTP code? Since there's no way to use a TOTP code cryptographically to prove anything other then a shared secret.
In theory some sort of HSM like a Yubikey could do it, but in practice I'm not aware of any password managers that use that feature (other than maybe one or two obscure KeePass plugins?)
Similarly, that's why 1Password is more secure than BitWarden or LastPass, because it has a separate "master key file" that's required in addition to your password to set up your vault.
In case of a breach, yes. That's why I said "theoretically". In practice, spreading the factors across different services probably have some benefits (provided that they don't unlock each other).
But breach is ultimately a separate issue from authentication.
> But breach is ultimately a separate issue from authentication.
It's the fundamental security threat model that all password managers are built under, even LastPass. They all are built to ensure that your passwords are secure even if the password manager's cloud service is compromised.
Yeah basically this.
If you've managed to get into my password manager, it means you must have gained access to my machine whilst it was unlocked (and my password manager was unlocked too). If that's the case, you already have access to live sessions to most of the things stored in my password manager.
Essentially, if you have access to my password manager, I am completely fucked anyway, whether my OTP codes are in there or not.
An interesting article and I’ve taken it onboard- just spent the last half an hour migrating all my Bitwarden TOTP to MS Authenticator - very easy to do with Bitwarden, which is actually a little concerning as an infiltrator would get the key.
Dangit I just finished migrating from Lastpass and moving all of the TOTPs into Bitwarden. I was worried about losing access to the TOTPs in the event of a broken phone, so both LP and BW's cloud backup of the codes seemed like a good idea.
The article makes sense and I see the flaw in keeping them both in one place. Wish I'd thought that through.
Related: did you know you can use multiple apps for that TOTP code? Just scan the QR code in App A, then scan the exact same code in App B. That + Yubikey 5's TOTP app means two identical copies of the codes on two different media. Approaching a decent backup scheme.
I wouldn't recommend keeping your TOTPs in Lastpass Authenticator at all. That's worse than having them in Bitwarden given Lastpass's track record. If you want something with cloud sync that isn't your password manager, maybe try Authy? (I don't recommend Authy, but it would be an improvement.)
IMO it makes sense to have most of your TOTPs in Bitwarden - anything that isn't critical. The reduced friction means you're more likely to enable TOTP 2FA for every account that you can - net increase in security compared to not having it at all.
For your critical accounts, I recommend securing them with your Yubikey via U2F / WebAuthn if possible. If not, then use your Yubikeys to store the TOTP codes. If you need/want a better backup than a second device, you could consider literally writing them down or backing them up into a Veracrypt encrypted container. You could also use an open-source, local-only TOTP app like andOTP/Aegis on Android or Tofu/OTP Auth on iPhone.
Aegis  is a much better alternative to Authy if having backups is a must (and even if it isn't too), specially because you will be in control of these backups. If you are on iOS Raivo  is a similar alternative that provides encrypted backups to iCloud.
Yeah IMHO setting up the TOTP on multiple devices is a good idea. I also save the setup key along with the recovery codes so that I can easily set up new devices if I need to (plus I have seen some cases - ie Facebook - where the recovery codes don’t work). I guess this is marginally less secure than storing just the recovery codes, because if someone finds my backups they can now generate infinite tokens, but if that happens I probably have worse problems to worry about.
You can also export codes from Google Authenticator to a second device now, which I used for backing up my 2FA codes onto my iPad. Great way to have a backup when necessary without meaningfully decreasing security (just make sure to test your backup occasionally!)
What I liked with Aegis was that it did exactly what Google Authenticator did (or better), but it was open source and not Google.
Then I moved to Yubikey, which I also love. I don't see the point in using Google when there are good alternatives :)
One of my biggest complaints with most/all password managers is they don't have the concept of a higher security area. I'd love to put my TOTPs in Bitwarden, and only show them after another MFA prompt. I'd like to mark some sites to require MFA before giving the password too. Most security systems I've seen have the concept of multiple levels of security, where data can only move up by default. I'd like to see something similar in password managers.
I have enabled some secrets in bitwarden to require password re-prompt. Not the same as a second MFA, but still useful extra boundary: https://bitwarden.com/help/managing-items/#protect-individua...
As with all things you need to understand your own threat model. For almost everyone storing your TOTP codes in your password manager, right next to the strong randomly generated password, is perfectly fine and likely to be significantly more secure than the alternative options.
If your threat model shows this to be a bad idea, you obviously need to do what is best for you. But for the typical person, this post can be easily ignored.
I've always felt weird about combining the two. Eventually found Raivo and have been pretty happy with that over something like Authy.
TOTP = Top of the pops?
Time-based One Time Password. If enabled, it's a 6 digit code that you enter after entering your password. Google Authenticator is the most well-known app that produces them.
I know, I googled it. I just hate articles with an acronym in the title without bothering to explain what this damn acronym stands for.
lobste.rs thread on this from several months ago: https://lobste.rs/s/xsfhho/don_t_store_totp_bitwarden_for_yo...