Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I personally don't do this because I feel like it defeats the whole purpose of 2fa. If someone gets into your bitwarden account, now they have your passwords and can generate 2fa codes. Of course, if the alternative is just not doing 2fa then it's better than nothing but I'd still prefer an authenticator app or hardware key than putting them in bitwarden.


That's why my bitwarden account is protected with 2FA! If an adversary has gotten into my bitwarden secrets, my second factor is already compromised.

And if I lose my phone, I only need to do the recovery flow with the printed codes for one account, rather than for all of my accounts.


Getting into your bitwarden account should be at least as hard as getting into your authenticator app or stealing your hardware key, though, if you're using it as intended, so I think it's ok for 2FA


2FA keys are easily stolen from a desktop with a password manager running in the background when running a malicious executable, vs. 2FA keys on a 2FA app on a phone and running a malicious app.


I don't know if this is true. A password manager should encrypt its data at rest, and exfiltrating a key from another process's memory space is non-trivial. At the very least, you'd need a privilege escalation trick.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: