Initial thoughts on storing TOTP seeds on YubiKeys instead of in Bitwarden

I wrote last week about woes with a bug in a recent update of Bitwarden, which locked me out of my TOTP codes. I decided that, while I was comfortable storing my TOTP1 codes in my password manager (itself requiring MFA for new devices), I was no longer comfortable with Bitwarden.

But I got a lot of feedback saying that I’d made a bad choice to store my TOTP codes in my password manager.

I’ve got some YubiKeys (for WebAuthn), and I could use those… but I wonder if it is worthwhile.

(I could use a separate piece of software for storing TOTP codes. But I’d need to find options that work across platform (iOS and macOS; Android and Linux), and keep everything in sync, and secure. I haven’t ruled this out.)

A YubiKey can store only 32 TOTP seeds

I have more than 32 TOTP seeds.

This isn’t a major problem, as I reason that I could store my most important TOTP seeds on my YubiKeys, and keep the others in my password manager or in some other software. It doesn’t have to be all-or-nothing.

You need to set up each TOTP seeds on each YubiKey, manually

There is no sync for YubiKeys.

I use a primary key, a secondary key, and a backup key, which I keep offsite.

So that means adding each TOTP seed three times, manually, once to each key.

Want to add a new TOTP seed? I need to get hold of all my keys, and add it to each. So a trip offsite, to get the backup key.

Here’s where storing the TOTP seeds in Bitwarden/vaultwarden comes into its own: it keeps everything in sync. A new device just requires a server address, username, password, and MFA and everything appears a second or two later.

If I only kept my most important seeds on the YubiKey, this might not be such a problem - I’m unlikely to have a particularly important new seed too often.

I’d need to find a secure way of storing your TOTP seeds in an accessible form

To set up a YubiKey, I need the TOTP seed.

You cannot view or export seeds from a YubiKey. You can view the codes generated from a seed, and delete the seed, but you can’t get access to the underlying seed (as far as I can tell; perhaps I am wrong)?

Assuming that I wanted the ability to add a new YubiKey into the mix in the future, I need to keep the seeds somewhere, in accessible form.

And if you store the TOTP seeds in my password manager, that rather defaults the point of also keeping them on a YubiKey.

WebAuthn at least doesn’t have this particular storage issue, although it has the same amount of pain when it comes to keeping multiple keys in sync - you need to log into each account with an already-enabled YubiKey, and then add the new one.

I guess I could say that, when I need to add a new key, I should log into the account in question, set up MFA via TOTP again (and so generate a new seed), and then replace the existing seed on all my devices. It probably won’t happen too often, but if I’ve filled all 32 slots, or even just some of them, it’s still a pain.

There are a couple of “gotchas” in Yubico’s “Authenticator”

Not major issues, but things to be aware of.

“Issuer” is optional. Except when it is not

The Yubico Authenticator UI says that “Issuer” is optional.

It is only optional if the TOTP seed you are importing does not set an Issuer.

If it does, you need to include it.

An extra step to “require touch”

The Yubico Authenticator doesn’t “require touch” by default.

It looks like it requires touch by default, but it does not.

You have to click that button, each time.

Even though the other UI elements show the default settings, rather than being a button that you need to click to effect a setting, this one is different.

If you only plug in your YubiKey to use it, and then unplug it, this might not be a concern. But if you leave it plugged in the whole time, setting this by default would seem sensible to me.

So I’m not sure…

There are certainly trade-offs, in terms of usability and maintenance, in storing my TOTP seeds in multiple YubiKeys. But perhaps not insurmountable.

I don’t have an answer to “storing the seeds somewhere else securely, to provision future YubiKeys”. But that’s another moving part.

I am struggling to conceptualise just how risky it is for me to keep everything together in Bitwarden.

What is the likelihood that someone wants to put enough resources into attacking me remotely? What is their likelihood of success?

Does switching to YubiKeys for some - my most important - TOTP seeds - improve my security in a way which justifies the additional inconvenience.

I’ve not lost a YubiKey yet, but if I did, I’d be locked out of a lot of (important) stuff, and anyone who found my YubiKey would have access to the most important TOTP codes that I have (but not the username and password, or the identity of the service in question).


  1. Time-based One Time Passwords (RFC 6238↩︎