The original post: /r/cybersecurity by /u/_STY on 2024-10-10 17:23:15.
I have a Bitwarden pro subscription and moved a few of my accounts' TOTP 2FA credentials into Bitwarden.
While very convenient, is it really a good idea to store 2FA codes in the same system that stores passwords? Doesn't it violate the premise of 2FA?
The obvious concern is that compromise of the password manager gives full credentials to anything with both factors saved. For any identity we store with both password and TOTP we in effect went from a thing we have [TOTP token/authentication device] and a thing we know [password] to essentially just a thing we authenticated to prior [Bitwarden].
I understand that the Bitwarden authentication itself should be secured with its own MFA and by extension anything else stored there is as well, but is putting the ability to completely authenticate to anything inherently riskier than say storing only passwords in Bitwarden and all TOTP on a secondary dedicated app or device?
EDIT: I appreciate the advice on what password managers/TOTP apps people use but that wasn't really the question. The answer seems pretty clear though; storing two factors for the same identity in the same way is less secure.