Bitwarden storing TOTP

Hey @LTS_Tom. Enjoyed the video on Bitwarden. I too switched from KeePass. So far I love it. But your video indicated it is a little risky to store TOTP codes in BW, and I agree: having the passwords and TOTP in the same database reduces 2FA to 2SA (2-step). There are tons of debates on this everywhere. I was thinking of storing MOST TOTP codes in BW for convenience but protecting the BW vault with a YubiKey (hardware key), and for the TOTP not in BW, using Yubico Authenticator to store those. I guess I am trying to avoid an authenticator app where the codes live on my phone. If my master password is compromised I will still be protected by the YubiKey 2FA.

Been going round and round on this and curious as to what others do as a trade-off for convenience vs. security.

Tx
Dave
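The "2FA becomes 2SA" point above comes down to what a TOTP vault entry actually contains: the base32 seed, from which every future code is derived by the RFC 6238 algorithm. The following is an added example, not code from the thread or from Bitwarden; it implements HOTP/TOTP from the standard library and a server-side verifier with the usual clock-skew window. The seed used is the RFC 6238 test-vector secret, not a real account's seed.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test-vector secret (ASCII "12345678901234567890"), used here
# only so the output can be checked against the published vectors.
RFC6238_SHA1_SECRET = b"12345678901234567890"
# The same secret as an authenticator app / password manager would store it:
# base32, as found in an otpauth:// URI. This is the value a vault entry holds.
RFC6238_SHA1_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from wall-clock time."""
    return hotp(secret, unix_time // step, digits, algo)


def totp_from_base32(seed_b32: str, unix_time=None, **kw) -> str:
    """Compute the current code from a base32 seed exactly as a vault or app would."""
    if unix_time is None:
        unix_time = int(time.time())
    seed = seed_b32.strip().replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)          # restore any stripped padding
    return totp(base64.b32decode(seed), unix_time, **kw)


def verify(seed_b32: str, submitted: str, unix_time: int, window: int = 1, **kw) -> bool:
    """Relying-party side: accept the code for the current step and +/- `window`
    neighbouring steps (clock skew), comparing in constant time."""
    step = kw.get("step", 30)
    for k in range(-window, window + 1):
        candidate = totp_from_base32(seed_b32, unix_time + k * step, **kw)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Anyone holding the seed (vault, backup, or phone) can print this at will;
    # no second device is involved, which is the whole point of the discussion.
    print("code now:", totp_from_base32(RFC6238_SHA1_SEED_B32))
```

The seed is the only secret in the scheme, so a vault entry that stores it is equivalent to storing the second factor itself; a hardware key used to unlock the vault, or a key that generates the codes on-device (as Yubico Authenticator does), is what keeps "something you have" separate from "something you know".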

Yubico has an app that provides TOTP with the keys stored on the YubiKey itself. The new 5Ci and a recently updated app allow this to be used on iOS. You can have the app installed on multiple devices. Just plug the YubiKey in and the codes appear.

1 Like

I agree with Tom, it's risky to use TOTP in any password manager, and I agree with you Dave on the use of FIDO-compliant keys, but until all sites start supporting hardware keys we will have to use the best alternative, and that is authenticator apps. People are so behind; even banks have not integrated FIDO keys or app-based 2FA and still rely on SMS, which has been proven to be highly unsafe.

Regards,
Abhay

Yup, keys and PWs should be stored on removable media. Nothing is perfect, but I see that BW is worth taking another look at. Would do a self-hosted compile from source, maybe.

Well, I suppose I am torn. I really believe that a hardware key is better than an auth app. Many people defeat 2FA anyway by having their 2FA auth app and their password manager (i.e. Bitwarden mobile) on the same device. The 2FA master keys are stored locally on the phone as well (unless you use Yubico Authenticator, which stores them on the key; I use this). So unless you have 2 separate devices (one for the PW manager and the other for auth), it seems like locking the BW vault down with a hardware key is better than an auth app. Then use TOTP for your sites accordingly, and possibly use the hardware key for sites that support it. Unless there was a serious design flaw (the risk referred to here), then even if my BW blob was stolen and someone had my master password, they will not be able to access it since I have the YubiKey.

1 Like

For most people 2FA is a pain in the ass that's not worth it. All they end up doing is setting their browser to store all their passwords so they only have to manually enter the 2FA code when they sign in, rather than having to enter two sets of credentials to sign in.

And then they just install their auth client on that device anyway. If you need a secure system, then use something you have and something you know. Having two things you know doesn't improve things much.

1 Like

@Dhayes I as well swapped over from 1P to Bitwarden. 1P was already good, but open source has always had a place in my heart. Working on getting the office to swap to Bitwarden fully, but they're still stuck on KeePass.