Should you store your 2FA/TOTP tokens in your password manager?
I’ve used a password manager for some time — first, my own (I set passwords based on a hash of the URL), then LastPass, and now Bitwarden.
Along with your password, Bitwarden can also store your 2FA/TOTP code: the code you might store in Google Authenticator or in Authy. Logging into an account protected by one of these is now really simple: CTRL+L to fill in the username/password, hit enter, then CTRL+V to paste the code in, and you’re there.
It is, at first, counter-intuitive to use a password manager to also store your codes. That’s the whole point of them, right? They’re a second line of defence. Why would you store your code with the password? Isn’t that the wrong thing to do?
I thought that for a bit. But I’ve changed my mind. Here’s why.
What 2FA is
Logging into your bank using 2FA uses two-factor authentication. It’s often summarised by saying “something you know (a password) and something you have (a physical thing)”, with the physical thing being used, in most cases, to give you a code like 410192.
If you store your code with your password, clearly that doesn’t make it two-factor authentication any more. You lose all the advantages of two-factor authentication.
Or… do you?
To sign into Bitwarden (on a new machine), I need my username, my password, and a physical key (I use a Yubikey). That’s 2FA right there: without the physical key, you cannot get into my Bitwarden account.
So the 410192 above is still acting as 2FA: without my physical presence, you’re not getting into my Bitwarden account, and without that, you’d not have learnt my 410192 code.
(I have two physical keys: one which I carry with me; one which is locked up somewhere safe).
What TOTP is
Logging into your bank using TOTP, like the 410192 code above, is a Time-based One Time Password. It changes every thirty seconds, and is based on having an accurate clock on my device.
If you store your code with your password, nothing changes here. It’s still a TOTP code, and thieves still can’t get in without it. It doesn’t matter whether it’s on a physical key, in a password manager, or anywhere else: it means that if a thief has access to your bank username and bank password, they still can’t get in without your TOTP code.
Storing them in your password manager is probably as safe, or even safer, than using your phone
Many people, like Google or the government, text a code to your mobile phone when logging in. That might be visible on my mobile phone’s lockscreen, or my SIM card could be cloned and used elsewhere. It’s much better than having nothing at all, of course: but it’s not quite as secure.
If you’re storing your 2FA code using Google Authenticator or Authy on your phone, and your password is saved on your phone, then you’ve no two-factor authentication anyway. Both are being stored on the same device, just like your password manager would.
Lose your phone with Google Authenticator installed, and you lose your codes. If you change phones, you can manually transfer those codes these days, assuming that you still have access to your old phone, but it’s a monumental hassle to switch otherwise.
What’s definitely less safe
Just using a username/password.
There is, undoubtedly, a small security tradeoff with storing your TOTP codes alongside your passwords in your password manager. However, storing them there a) makes them easier to use (CTRL+L, CTRL+V as above); b) makes them always backed up and available to you; c) is always better than not using TOTP at all.
If you’ve ever removed TOTP access from one of your accounts because it had turned into a massive hassle to sign in, then that’s the time you should consider adding the code to your password manager instead.
Good security is always a tradeoff with usability. Ideally, you’d carry your passport around with you, and go into the bank for them to check your identity with a long set of passwords and physical keys. In reality, we use a piece of plastic and a four-figure PIN.
What I’d recommend
- Use a good password manager. Bitwarden’s free, though to get the TOTP functions, you need to spend $10 a year. (Do that).
- Set a decent password for your password manager, then
- Buy two USB authentication keys (about $30 each, but get at least one good sturdy one that’ll last). Set up physical-only 2FA access to that password manager. Have those physical keys as the only 2FA access method. Ensure one is always with you, and another is in a safe place.
- Consider your device security, and make a pragmatic choice about how you log in to your password manager. “Best” would be to require your physical key every time, and for it to log you out automatically. The default is more realistic, which requires your physical key the first time you set it up on a new machine, and your password from thereon in.
- You can even now get away with never clicking that “remember me” checkbox when logging-in. That’s got to be better for your security too!
The bottom line
It’s always better to use TOTP codes than to not use them. Anything that helps you use them more often is a good thing.
Keep your password manager secure, and you will massively benefit from backups of your TOTP codes and integration into your login.
1Password has written a good long article on storing TOTP codes in their password app, and the security tradeoffs that come from that.