Day 2: Enable Two-Factor Authentication (2FA)

Why 2FA is Essential

Even with a strong password, hackers can still gain access through phishing, data breaches, or credential stuffing attacks. Two-Factor Authentication (2FA) adds an extra layer of security by requiring a second step to log in—usually a code from an app or hardware key.

🔹 Use an authentication app instead of SMS where possible—SMS codes can be intercepted and senders impersonated. They’re much more easily compromised.

Step 1: Identify Accounts That Support 2FA

1. Use Bitwarden Reports
   • Open Bitwarden (on the web) and go to Reports.
   • Use the Inactive Two-Step Login report to see which saved accounts support 2FA but don’t have it enabled.
   • Prioritize setting up 2FA for email, banking, cloud storage, and social media accounts.
2. Check 2FA Directory to find services that support 2FA and their recommended methods.

Step 2: Set Up 2FA for an Account

1. Go to the account’s security settings (usually under “Account Settings” → “Security”).
2. Find the 2FA or Two-Step Verification option and choose “Authenticator App” (avoid SMS if possible). If it specifically names a brand, like “Google Authenticator”, it’s almost always generic. You don’t have to use the specific authenticator it says.
3. Scan the QR code using Bitwarden (see below) or a dedicated 2FA app like Authy.
4. Save backup codes securely (see below for advice on handling recovery codes).

Step 3: Use Bitwarden to Store & Auto-Fill 2FA Codes (TOTP)

Bitwarden can store and generate Time-Based One-Time Passwords (TOTP) so you don’t need a separate authenticator app.

How to Enable Bitwarden TOTP

1. Go to the two-step verification page of the service and find the QR Code to be scanned.
2. Open the Bitwarden extension and edit the login entry for the relevant account.
3. Find the “Authenticator Key (TOTP)” field.
4. Scan the QR code directly from the screen using Bitwarden’s camera icon or copy and paste the secret key (a long alphanumeric string on the page, probably beneath the QR code).
5. Bitwarden will now generate 6-digit 2FA codes for that account. You will most likely be asked to enter one to complete the enrollment process.
6. Next time you log in, Bitwarden automatically copies the code when you log in. You only need to paste into the Verification field, and the 6-digit pin should be pasted. If, for some reason, that doesn’t work, you can click on “Copy Verification Code” from the site entry in the Bitwarden extension.

Step 4: Add 2FA to Bitwarden Itself

To protect your Bitwarden vault, enable 2FA on your Bitwarden account:

1. Log into your Bitwarden web vault at https://vault.bitwarden.eu.
2. Click on your profile in the top-right corner and go to Account Settings → Security → Two-step Login.
3. Choose an authentication method:
   • Authenticator App (Recommended) – Use Bitwarden Authenticator specifically for this purpose.
   • Email - You can configure Bitwarden to send you a code via email to enter.
   • Yubikey The gold standard. I’m seeing if I can find a good discount on getting several of these. IF I can, we can set this up in Wexford
4. Save backup codes securely. You don’t want these in Bitwarden because they are related to your gaining access to Bitwarden. Print them and store them securely at home.
5. Test logging in to ensure 2FA is working correctly.

Handling Recovery Codes Safely

Many services provide backup recovery codes in case you lose access to your 2FA method. Keep them secure:

• It is fine to Save them in Bitwarden under the “Notes” section of the login entry.
• You may, alternatively, print and store them securely in a safe place.
• Do not save them in plain text on your phone or cloud storage.

Consider moving from Google Authenticator to Bitwarden

🔹 Avoid using Google Authenticator if you aren’t already—it lacks cloud backup, meaning if you lose your phone, you lose access to your accounts. It also sends a lot more information to Google than is necessary to carry out its function.

If you currently use Google Authenticator, you can migrate to Bitwarden:

1. Disable 2FA on each account where you use Google Authenticator.
2. Re-enable 2FA and scan the QR code using Bitwarden instead.
3. Confirm the new TOTP code works before deleting the old one.

Next Steps

Tomorrow’s task will focus on checking for leaked passwords to ensure your credentials remain safe.

✅ Action for Today: Enable 2FA on at least three important accounts (email, banking, cloud storage, or social media) and save backup codes securely.

---

🔒 Secure every step. One login at a time!