Why YSK: Because if you are like most people, you also store your email’s password in your Bitwarden Vault and don’t bother remembering it, causing you to potentially get locked out (since you wouldn’t be able to log in to your email to get the verification code, because your email’s password is in the vault itself 👀)

(Imagine leaving your key in your house, lol)

Source: https://bitwarden.com/help/new-device-verification/

Excerpt:

To keep your account safe and secure, in February 2025, Bitwarden will require additional verification for users who do not use two-step login. After entering your Bitwarden master password, you will be prompted to enter a one-time verification code sent to your account email to complete the login process when logging in from a device you have not logged in to previously. For example, if you are logging in to a mobile app or a browser extension that you have used before, you will not receive this prompt.

Good thing I noticed, otherwise I might’ve had a bad time next month 😖

Edit: Updated title to clarify that people who have 2FA are not affected.
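As an added illustration of the lockout the post describes (example code, not Bitwarden’s or the poster’s): a small bootstrap check that models what a brand-new device needs for each login and reports which accounts can never be reached. The account names and the two rule sets are assumptions constructed for this example.

```python
from typing import Dict, List, Set

Requirement = str  # "memory:<secret>", "device:<thing>", or "account:<name>"
Plan = Dict[str, List[List[Requirement]]]  # account -> alternative ways in

# Constructed scenario from the post: no two-step login, so a vault login on a
# new device needs the master password AND a code sent to the email account,
# but the email password is only stored inside the vault.
LOCKED_PLAN: Plan = {
    "vault": [["memory:master-password", "account:email"]],
    "email": [["account:vault"]],
}

# Same scenario after the fixes discussed in the thread: turn on two-step
# login (the new-device email prompt no longer applies; the TOTP app is the
# second factor) and keep the email password somewhere outside the vault.
FIXED_PLAN: Plan = {
    "vault": [["memory:master-password", "device:totp-app"]],
    "email": [["account:vault"], ["memory:email-password"]],
}


def reachable(plan: Plan, held: Set[Requirement]) -> Set[str]:
    """Accounts a fresh device can log in to, given what you hold.

    Fixed-point iteration: an account is reachable when every requirement of
    at least one alternative is satisfied, where "account:X" counts as
    satisfied only once X itself has been reached. A cycle such as
    vault -> email -> vault therefore never resolves, which is the lockout.
    """
    reached: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for account, alternatives in plan.items():
            if account in reached:
                continue
            for reqs in alternatives:
                if all(r in held or (r.startswith("account:") and r[8:] in reached)
                       for r in reqs):
                    reached.add(account)
                    changed = True
                    break
    return reached


def locked_out(plan: Plan, held: Set[Requirement]) -> Set[str]:
    """Accounts you cannot bootstrap on a new device; empty means you are fine."""
    return set(plan) - reachable(plan, held)


if __name__ == "__main__":
    memory = {"memory:master-password"}
    print("no 2FA, email password only in vault:", locked_out(LOCKED_PLAN, memory))
    print("with TOTP app:", locked_out(FIXED_PLAN, memory | {"device:totp-app"}))
```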

  • m-p{3}@lemmy.ca · ↑98 ↓2 · 18 days ago

    On the other hand, NOT using MFA on an online password manager is just poor opsec.

      • darkstar@sh.itjust.works · ↑1 ↓1 · 1 day ago

        Sorry dude, if keeping your 2fa codes safe is too much to ask then you really shouldn’t be on the internet.

        Using a password manager without 2fa is a recipe for disaster, you might as well just use the same password for all your accounts at that point, then you don’t need the inconvenience of a password manager.

        • ERROR: Earth.exe has crashed@lemmy.dbzer0.com (OP) · ↑1 · 1 day ago

          So, how do you propose I safeguard the 2FA?

          Hardware based ones can easily get damaged, or when there’s a fire, completely destroy it. I am not rich enough to have a second home. And I can’t afford any “safe deposit boxes”. I don’t have any trusted friends to keep a backup 2FA key at.

          Software based ones are the same, if you print out the info. And if you store it online, you’re gonna need to encrypt it. And that is gonna be another password.

          So all that trouble and it’s still 1FA (two different passwords is still 1FA).

          So, if you want to be helpful, how do I manage 2FA keys without getting myself locked out?

          • darkstar@sh.itjust.works · ↑1 · 20 hours ago

            1. Use a 2FA app that allows you to export encrypted backup (I use Aegis)
            2. Make an encrypted backup of your 2FA keys and store that using the 321 rule.
            3. The 321 rule is 3 copies, 2 different types of media, and 1 copy offsite.

            If your 2FA backup is encrypted, you can even store it in Google Drive or wherever, ask a family member to keep a copy, it doesn’t matter if the password is strong.

            If you’re extra scared of losing your keys then you can use something like Authy as a last resort, they make it super easy.

            I work in cyber forensics and incident response, 2FA and strong passwords can prevent 99% of the shit I see.

      • mosiacmango@lemm.ee · ↑31 · 18 days ago (edited)

        People are “hacked” all the time in massive breaches. It’s accelerating, not getting less likely. Password managers are a huge target, and have been breached in the past.

        If you’re worried about it, use something like Aegis. It’s an MFA app that lets you easily save password protected backups. You can set it up to automatically save a copy to a folder on your phone. Then just copy that file off and store it somewhere safe.

        If that’s too much work and you don’t run syncthing/nextcloud/etc, they also have an option to let it sync with the Google backup service.

        The above gives you the best of both worlds: strong security and strong redundancy.

      • gazby@lemmy.dbzer0.com · ↑8 · 18 days ago

        Where TOTP is concerned, you enroll multiple devices for redundancy, and there are scratch codes. Plus you’ll eventually be forced to resolve this issue when passkeys become more mainstream.

        Happy to help or talk through things if you’d like a hand getting comfortable with MFA 🩵

        • ERROR: Earth.exe has crashed@lemmy.dbzer0.com (OP) · ↑6 ↓12 · 18 days ago (edited)

          I don’t like MFA. If the password/passphrase is strong enough, why need MFA? If it’s software MFA (like an app), malware that could steal the password would also be capable of stealing the MFA.

          If it’s hardware, one fire in my house, and all the keys are dead. (And I do not want to deal with a safe deposit box or burying the backup hardware keys in the woods somewhere, honestly, I don’t know where I would put the backup keys)

          Edit: Lmfao MFA cultists be downvoting 🤣

          I’m not even advocating against MFA, I just personally dislike it. Wtf y’all 🤣

          • Tiger@sh.itjust.works · ↑11 ↓1 · 18 days ago

            Please give MFA another look, it really is better security to use it.

            The problems you mentioned: you keep the MFA backups in a password manager.

            I know you’re worried about losing access to that password manager, use two different ones, write down your most important several passwords in a locked place, etc. It’s better.

          • gazby@lemmy.dbzer0.com · ↑7 · 18 days ago

            I’m afraid I can’t help you with the ideological problem mate, only the practical one 😅 You’ve got sync or multiple devices, and you’ll have to pick 🤷