I'm not sure that I can trust Bitwarden with my TOTP codes anymore

I’ve used Bitwarden as my password manager for a while now. And I’ve been very happy with it.

I use a self-hosted instance, kept up to date. And I use it daily, multiple times a day. It is Just. So. Convenient.

I paid for an individual licence, mainly for the premium feature of TOTP codes. I like FOSS to be financially sustainable, and I am happy to pay towards that.

Then, so Sandra could use it too, I upgraded to a organisational licence. Safe, secure, family password sharing. Excellent.

Don’t store TOTP seeds alongside username and password!

There’s definitely a trade-off here, in terms of the security implications of storing TOTPs in the same place as passwords.

I was comfortable with this: wherever I can, I use WebAuthn instead, and I figured that the convenience of having my TOTP codes inside my password manager (which is behind WebAuthn itself, as well as requiring a complex passcode), and having them in sync across numerous devices, exceeded the security benefit of using a separate app or password manager, or trying to stuff them all onto multiple (for resiliency) YubiKeys.

Well, I did.

Right now, I am questioning whether it is sensible for me to use Bitwarden for TOTP.


Bitwarden locked me out of my TOTP codes, with no notice

I got an email earlier today:

Licence Expired: This email is to notify you that your Bitwarden organization license for [organisation name] has expired and must be updated for continued use.

Why? I know that I renewed my licence a few months back, and that I had plenty of time to run.

So I logged into the Bitwarden website (thankfully, I use WebAuthn for that; if I relied on TOTP for MFA, I may well have been utterly screwed at this point?), and, sure enough, it shows that my licence still has months on it.

Why then, in my instance of Bitwarden (which shows exactly the same in terms of the licence expiry date), is the organisation suspended? I’ve no idea.

But the impact of the organisation being suspended is that Bitwarden locked me out of my TOTP codes.

It makes sense, in that TOTP codes are a premium feature in Bitwarden (and one I was happy to pay for), and, seemingly lacking the premium licence, I no longer had access to that feature.

But I did have a valid licence.

I tried what seemed like the most sensible thing: I uploaded the licence file again. And it worked: organisation suspended. Same licence file, same expiry date. Critically, it unsuspended the organisation.

But I still couldn’t access my TOTP codes. After I forced a sync in Bitwarden in the client, I could access my TOTP codes again. The “suspended” indicator disappeared.

(I haven’t re-synced in one of my Bitwarden clients, and I am still locked out. This was my sanity check that I wasn’t just somehow confused about this.)

I am now very nervous about relying on Bitwarden for storing my TOTP codes.

This bothers me. It has happened once, and I do not understand why. I had a valid licence. The web UI of both my self-hosted instance and the Bitwarden official instance showed that.

Yet Bitwarden still locked me out of my data.

I don’t have an immediate backup plan, as I wasn’t intending on moving away from Bitwarden. But I will absolutely be looking for an alternative Free software solution, which keeps TOTP codes in sync across multiple devices, as I am very nervous about relying on Bitwarden for this.

Why was there no advance notification or grace period?

I understand why Bitwarden charges for this as a premium feature. As I say, I like FOSS to be financially sustainable, so I get it.

But today was the first time I received an email, and I was locked out today. No 7 day grace period. Not even 24 hours. That, I don’t understand. It just seems hostile to users, and a dangerous “feature” in a password manager.

Bitwarden support

I’ve asked Bitwarden’s support (via a web contact form, sigh) to help me understand what happened.

If I’ve done something wrong, I’ll happily update this post: it might help others from doing the same (or me from doing it again.)

And if I learn anything reassuring (or not!), I’ll add an update for other concerned users too.

Update: First response from Bitwarden

I got a response from Bitwarden a mere 5 minutes after opening the ticket. That is very impressive.

Unfortunately they clearly hadn’t read my request, and so replied with what looks like a canned response, telling me how to log in and update the licence, even though I had said that I had already fixed it, and that I wanted to know why it happened because I was concerned about it happening again.

So fast, but a few minutes longer spent actually understanding the request and responding to that would have been better.

Update: Second response from Bitwarden

There was an update that was released yesterday that updated new licenses to version 12. This caused some users’ instances that were still on version 11 to have issues. Our engineers have since fixed it.

Oh well. Bugs happen.

It is a real shame that Bitwarden didn’t let users know of this bug (there’s nothing on their fedi profile, for example), and that it resulted in an instant lock-out, but such is life…

Update: It happened again today

Exactly the same issue. An email, on the dot of 12:30, locking me out of my TOTP codes.

I emailed Bitwarden’s support again, and again they said “sorry; it was a bug that is fixed”.

They asked me to update my instance (it was already updated, as I’d said in the email (sigh for templated responses)), and then download the licence again and add it back again.

Let’s hope it doesn’t happen again tomorrow. (If there’s no further update to this blog post, assume that it didn’t happen again tomorrow.

But it looks like a move to vaultwarden might be on the cards anyway.