Should I use my password manager for storing TOTP codes?

This should probably be marked as resolved since @jonah's first two comments answered the OP.


I store my 2FA TOTP stuff in my password manager (Bitwarden). I have Bitwarden installed on all my devices, but it is itself secured with 2FA TOTP - stored in the same Bitwarden vault. So if I want to access Bitwarden on a new device, I need to have an authorized Bitwarden installation on another device to do that. From my perspective, this is still proper 2FA because you still need access to both my password and one of my devices to be able to log in. And for the important stuff in Bitwarden (including the Bitwarden TOTP code itself) I have “reprompt master password” enabled for extra security.

Let’s think about the threats:

  • reusing the same password everywhere → that’s why you use a PW manager in the first place, to have different PWs for everything
  • phishing / social engineering → impossible to prevent with technical measures alone although 2FA helps a bit compared to just revealing your PW to the attacker
  • adversary knows my password to a website → if it’s an important one, it will be protected with 2FA so no login possible
  • adversary knows my Bitwarden master password → can’t log in to Bitwarden on their device due to 2FA protecting Bitwarden itself
  • adversary got access to my unlocked Bitwarden vault → good enough to look up passwords and 2FA codes and quickly log in on their device, but they can’t see the Bitwarden PW + TOTP codes because it requires re-entering the Master PW. So this will enable the attacker to get access to certain websites depending on how much time they spend with my unlocked device, but they can’t steal my whole vault.
  • adversary got access to my unlocked vault AND knows my master password → they can successfully log in on another device, however I would get a notification from Bitwarden

For me this is safe enough. I am safe unless I’m stupid enough to leave my device and Bitwarden vault unlocked for a physical attacker.

I use KeepassXC for my password manager. I use both Yubico Authenticator w/ Yubikey, and KeepassXC for TOTP. I use a separate database for my TOTP in KeePassXC though, just to be extra careful. It’s a password I memorized and don’t need my password manager for.

That’s a cool feature I didn’t know Bitwarden had. I wish 1password had something similar.

I have a similar approach for similar reasoning, except that for the really important accounts, which are mainly 1password, email, and domain registrar, I use YubiKeys for the 2FA.

I recommend keeping all 2FA information, including backup/recovery codes (any piece of information that is a replacement for your primary credentials) on a different database, on a different device, secured with a different password.

Ideally you have security keys configured to open your password managers, because as others have mentioned, where are you going to store the TOTP secret to open your database? Security keys provide convenience as well as security in this case. If you don’t have one, then I’d just keep everything on one database for convenience until you get one.