Hacker News
by BonusPlay 715 days ago
What's the point of having your 2FA codes synchronized across all your devices?

Isn't it in the name "TWO FACTOR"? It's supposed to be a separate device, and the ability to sync it "across devices" comes across as an anti-feature for me.

1) If you're not using a password manager, then you're probably using the same password everywhere, including for your 2FA app.

2) If you're storing your 2FA codes in your password manager, then it's not really a second factor. It helps against password leaks from services, not against a password manager leak.

The ability to synchronize an encrypted backup is a different story.

4 comments

It's "Two Factor Authentication", not "Second Factor On A Single Device You Always Have On Your Person Authentication".

That second factor needs to be separate from the originating authenticating service; it doesn't have to be on a single device hidden away in a safe, or on your wrist, or in your pocket. It could be a single device [a server] running bitwarden that you're viewing through a browser on your <whatever>.

Not everyone wants to follow every single recommendation from a data security perspective, and it becomes an anti-pattern when laymen start using workarounds to not have to comply with the safety recommendation of the week.

I mentioned all this in another story, but:

Having it integrated with a password manager is less secure than having it as a separate app in a separate device, but it makes it so much easier for the average person that they're more likely to actually use it.

In a vacuum, yes, you're right. It's not as secure this way. I wouldn't use that for something hyper-sensitive like classified systems. But as a system, "less secure but widely used" beats "more secure but most people avoid using it whenever possible".

It's like with the NIST recommendation against regularly rotating passwords. In an ideal world, it's a great idea to require new passwords frequently. In this world, it only makes people pick bad passwords and append the date or a serial number to them. As a system, it's more secure to require strong passwords and then leave them alone until/unless you suspect they've been compromised.

It's really two-step auth. Basically the point is that it defeats password spray attacks.

Higher-assurance authenticators need more than TOTP. Usually that means adding a knowledge component (i.e. a PIN), challenge/response, a physical token, a biometric, or all of the above.

It means you are providing two factors, not necessarily that you only have two factors.

There are benefits to this. I've left my phone at work, and would have been SOL, except I have a tablet that never leaves my home which can also provide my second factor.

I recently had this experience when my phone had issues. I was foresighted enough to have Aegis installed on my E-Ink reader.