Basics of two-factor authentication with Bitwarden

Bitwarden now offers a standalone authenticator available on iOS and Android. Download it today here.

Catch our webcast replay covering this topic, or view the presentation from the webcast.

Using two-factor authentication helps increase user security for websites and applications. The name refers to requiring users to utilize two separate methods of verifying their identity to access an account. A common definition for 2FA is that logging into a service involves something you know, such as a password, and something you have, such as your phone, hardware token, or other authentication code. Using a master password in conjunction with 2FA further enhances security, ensuring that even if someone discovers your master password, the additional layer of protection safeguards access to your vault and logins.

A typical example is when you log into a website with a username and password and then receive a text message code for a final validation of your access. The username/password is the first factor, and the text message code received on your phone is the second factor — hence, two-factor authentication.

Bitwarden refers to this process as a two-step login method, another term for two-factor authentication that is more consumer-friendly. Other terms include multi-factor authentication and two-step verification. These terms all refer to a secondary step in the login process to verify your identity.

2FA can be set up when you establish an online account or after your account is in place. Typically, it involves adding a second layer of login security to a username and password combination. Bitwarden offers multiple two-step login options to enhance the security of user accounts, providing versatile and easy-to-set-up methods for both free and premium users to protect against unauthorized access.

Because two-step verification significantly improves security, everyone benefits from being able to choose among the several alternatives that have evolved for implementing the second factor. You will often see multiple options for two-step login, including:

• An email sent to you with a temporary code

• TOTP codes, which provide flexibility for secure account access through different authenticator apps

• A hardware key such as a YubiKey or SoloKey

Other factors could be a text message temporary code sent to your mobile phone or a fingerprint, facial scan, or other biometric data point. Let’s briefly discuss the benefits and risks of these various options.

Email provides basic security for two-step verification. The assumption is that even if someone might have uncovered a username and account password for a specific account, they are less likely to also have access to your email address. So, sending a code to your email address upon login provides a basic second verification step.

Two-factor authentication applications generally use a technique called a Time-based One Time Password, or TOTP for short. These applications are typically free for users to download to their phones or tablets from app stores and include products like Bitwarden Authenticator, 2FAS, Ente Auth, Google Authenticator, Microsoft Authenticator, and more. These apps generate verification codes that enhance security by providing a unique code every 30 seconds.

The sequence for setting up a website to use an app for two-step verification generally flows like this:

• The user accesses the website or application where they want to add two-step verification and initiates that setup process.

• The website shares an authenticator key as a QR code. If the QR code does not work, the authenticator key is often made available as a long text string.

• The user scans the QR code using their camera or enters the text string.

• The account is saved within the authenticator app.

• The next time the user goes to login to the website/application, it will prompt not only for username/password, but also for the time-based 6-digit code. That code will change to a new code every 30 seconds on both the authenticator app and within the website/application login system, thus providing stronger security than merely receiving a verification code via email or text message.

Physical devices provide a further level of security for two-step verification. By using a hardware-based key, which is not replicable without the key itself, users can ensure that no one else can log into their account without the same key. YubiKeys and SoloKeys are just a couple of product examples.

Text messages also provide a second complement to logging in with an email and password. The assumption is that while someone could have your username and account password, they are far less likely to have access to your mobile phone. That being said, a bad actor can intercept 2FA codes sent via SMS, so if you can avoid using this method, you should.

Most websites offering two-step verification will provide recovery codes should you ever lose your ability to provide the second step. Recovery codes should be treated with care and kept in a secure and memorable place. Some people like to retain recovery codes in a digital file, others keep a printed copy, and some keep both.

With many services, including Bitwarden Password Manager, if you ever lose access to your 2FA device, the only way to recover the account is with the recovery code.

You can set up 2FA to access your Bitwarden vault with authenticator applications, YubiKeys, Duo Security, email, or passkeys - including FIDO2 WebAuthn keys. Some of these options require Bitwarden Premium Features. For more information on enabling two-step login to access your Bitwarden vault, visit the Bitwarden help center.

Bitwarden also allows you to manage and facilitate two-step verification for individual websites and external accounts stored within your vault. This uses the integrated authenticator, which is built into the Bitwarden application and is included with premium features. Using the integrated authenticator to autofill the TOTP code can be set up if the web service supports third-party authentication apps.

Here’s how this works. When you set up two-factor authentication within a website or application and are presented with the QR code referenced in step 2 above, you can scan it with the mobile version of Bitwarden and add it to the login information within the Bitwarden vault for that site.

Alternatively, you can add the text string format version of the authenticator key to the Bitwarden vault entry for that website/application. Then, when you use Bitwarden to log in to the website/application thereafter, once you enter your username/password, you are prompted for the authenticator time-based code. This code is auto-copied to your clipboard when performing autofill operations in the app. You can also retrieve the time-based authenticator code from the Bitwarden app, extension, or clipboard (if you’re not using password auto-fill).

NOTE: If you are using the integrated authenticator, on completion of autofill, Bitwarden will automatically copy the six-digit verification code to your clipboard. You can then quickly paste it for the final login step. 

In a nutshell, here’s what is recommended:

• Enable 2FA for your Bitwarden vault with an application or one of our other recommended options.

• Learn how to use the integrated authenticator, especially in sharing and collaboration cases. Understand the ease of enabling two-step login for external accounts and the speed at which you can breeze through securely.

• Pick the right mix for your own security profile. The choice is yours. There are scenarios where all external account two-step login information can be stored within Bitwarden Password Manager, and others where a mix makes sense.

Get started with Bitwarden and its premium features, including the integrated authenticator, at bitwarden.com. Looking to upgrade your organization’s security? Start a 7-day free trial of our business plans to keep your team safe online.