Well, they’re not a bad thing per se, it’s just important to remember that by doing that you are essentially delegating the access security (including any means of MFA) from the target website to the password manager. I.e., instead of inputting password and 2FA code for example.com, you have to input your password and 2FA code for the password manager itself. This has the same security guarantees, so long as you don’t set your vault to—for example—never lock automatically.
For the case of passkeys, using Bitwarden, even with 2FA does reduce the security level in my eyes somewhat, since I’d argue passkeys to be a more secure measure than password + OTP. Unless, of course, you use a different passkey to authenticate yourself to Bitwarden.
TLDR; be careful about putting everything inside Bitwarden. You’ll be fine if you make sure to protect your password manager adequately, but if you put OTP secrets (or passkeys) for other website inside Bitwarden AND only use password authentication for Bitwarden without any MFA, then you are effectively reducing your MFA back to a single factor (the Bitwarden password).
I’m afraid user authentication on the internet is broken beyond salvation. It’s already complex enough to grasp fully for tech-savvy people, meanwhile we’ve taught the general population to use password123 for all their accounts and write it on a post-it for a good measure.
Very good point. I have Bitwarden set up as a passkey for at least one account. I should remove that. 👍
Well, they’re not a bad thing per se, it’s just important to remember that by doing that you are essentially delegating the access security (including any means of MFA) from the target website to the password manager. I.e., instead of inputting password and 2FA code for example.com, you have to input your password and 2FA code for the password manager itself. This has the same security guarantees, so long as you don’t set your vault to—for example—never lock automatically.
For the case of passkeys, using Bitwarden, even with 2FA does reduce the security level in my eyes somewhat, since I’d argue passkeys to be a more secure measure than password + OTP. Unless, of course, you use a different passkey to authenticate yourself to Bitwarden.
TLDR; be careful about putting everything inside Bitwarden. You’ll be fine if you make sure to protect your password manager adequately, but if you put OTP secrets (or passkeys) for other website inside Bitwarden AND only use password authentication for Bitwarden without any MFA, then you are effectively reducing your MFA back to a single factor (the Bitwarden password).
I’m afraid user authentication on the internet is broken beyond salvation. It’s already complex enough to grasp fully for tech-savvy people, meanwhile we’ve taught the general population to use password123 for all their accounts and write it on a post-it for a good measure.