---
layout: article
title: Field Guide to Two-Step Login
categories: [two-step-login]
featured: false
popular: false
hidden: false
tags: [two-step login, 2fa, two factor authentication]
order: 01
---

## What is Two-Step Login?

Two-step Login (also called *Two-factor Authentication* or *2FA*) is an increasingly common security technique used by websites and apps to protect your sensitive data. Websites that use Two-step Login will require you to verify your identity by entering an additional "token" (also called a *Verification Code* or *One-time Password (OTP)*) besides your Username and Password, typically retrieved from a different device. Without physical access to the token from your **Secondary Device**, a malicious actor would be unable to access the website, even if they discover your Username and Password:

{% image two-step/field-guide/two-step-login-basic-setup.png Basic Two-step Login flow %}

Commonly, websites or apps with sensitive data (for example, your online bank account) will attempt to verify your identity outside of the login screen by:

- Sending a token in an SMS / text message to the mobile device on file.
- Asking for a token generated by an Authenticator app (for example, Authy) on your mobile device.
- Looking for a token from a physical security key (for example, YubiKey).

### How should I use Two-step Login?

Security often involves a tradeoff between protection and convenience, so ultimately it's up to you! Generally, the two most critical ways to use Two-step Login are:

1. [**To Secure Bitwarden**](#securing-bitwarden)

   Bitwarden supports a variety of Two-step Login methods that you can use to secure Vault data. Enabling Two-step Login will require you to complete a secondary step each time you **Log In**, in addition to entering your Master Password.

2. [**To Secure Important Websites**](#securing-important-websites)

   There are a variety of Two-step Login solutions you can use to verify your identity after logging in to a website with a Bitwarden Vault item. In this article we'll discuss using both Authy and **Bitwarden's Built-in Authenticator** for Two-step Login.

## Securing Bitwarden

Since your Password Manager stores all your logins, we highly recommend that you secure it with Two-step Login. Doing so protects *all* your logins by preventing a malicious actor from accessing your Vault, even if they discover your Master Password.

Enabling Two-step Login will require you to complete a secondary step each time you **Log In**, in addition to entering your Master Password. You won't need to complete your secondary step to Unlock your Vault.

{% image two-step/field-guide/two-step-login-bitwarden.png Two-step Login to access Bitwarden %}

**Bitwarden offers several Two-step Login methods for free,** including:

- via an Authenticator app (for example, Authy or Google Authenticator)
- via Email

**For Premium users**, Bitwarden offers several advanced Two-step Login methods:

- Duo Security with Duo Push, SMS, phone call, and security keys
- YubiKey (any 4/5 series device or YubiKey NEO/NFC)
- FIDO (any FIDO2 WebAuthn certified key)

To learn more about your options, and for help setting up any method, see [Two-step Login Methods]({% link _articles/two-step-login/setup-two-step-login.md %}). You can enable any number of methods you'd like; for more information, see [Using Multiple Two-step Login Methods]({% link _articles/two-step-login/setup-two-step-login.md %}).

## Securing Important Websites

Bitwarden probably isn't the only website or app you use that has Two-step Login options, which are especially useful for websites that store sensitive information (for example, Credit Card or Bank Account numbers). Most websites with a Two-step Login option will locate it in the **Settings**, **Security**, or **Privacy** menus.
Activating Two-step Login will typically open a QR code, like this one from Reddit:

{% image two-step/field-guide/reddit-2fa-setup.png %}

Scanning this code with an authenticator app will enable the app to generate rotating 6-digit tokens you can use to verify your identity, like this one generated by Authy:

{% image two-step/field-guide/reddit-token.png %}

### Use Authy

To set up Two-step Login for Reddit using Authy, tap the **Add Account** button and scan the QR code presented by your website or app. Scanning the QR code will generate your 6-digit token. Enter this code in the Verification Code input box to finish setting up Two-step Login with Authy.

{% image two-step/field-guide/two-step-login-bitwarden-authy-reddit.png Two-step Login using Authy %}

Typically, you will be given the option to download **Recovery Codes**. Downloading Recovery Codes is critical to prevent you from losing access to your Two-step Login tokens, even if you lose the device Authy is installed on.

Next time you log in to Reddit, you'll be required to verify your identity by entering a Verification Code from Authy. Verification Codes rotate every 30 seconds, so it will be impossible for a malicious actor to discover your code without physical access to your device.

{% callout info %}
Authy is Bitwarden's recommended authenticator app because it includes Authenticator Backups for any device. Backups prevent you from losing access to your Two-step Login tokens, even if you lose the device Authy is installed on. Flip the **Authenticator Backups** toggle on the **Accounts** screen of the Authy app to use this feature.
Other authenticator apps include [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en){:target="_blank"} and [FreeOTP](https://freeotp.github.io/){:target="_blank"}, and *as of May 7, 2020, Google Authenticator includes Verification Code portability across Android devices.*
{% endcallout %}

### Use Bitwarden Authenticator

**As an alternative to Authy,** Bitwarden offers a built-in authenticator for Premium users, including members of paid Organizations (Families, Teams, or Enterprise). Bitwarden for iOS and Android can scan QR codes and generate 6-digit tokens just like other authenticator apps. Using Bitwarden Authenticator to secure a website will save a rotating 6-digit token with that login's Vault item. You can also manually save your verification code secret to a Vault item from any Bitwarden app.

{% image two-step/field-guide/two-step-login-bitwarden-authenticator.png Two-step Login using Bitwarden %}

For more help setting up and using the Bitwarden Authenticator, see [Bitwarden Authenticator]({% link _articles/features/authenticator-keys.md %}).

#### Why Use Bitwarden Authenticator?

Understandably, some users are skeptical about using Bitwarden for token authentication. Remember, security often involves a tradeoff between protection and convenience, so the best solution is up to you. Generally, folks that use Bitwarden Authenticator do so for two reasons:

1. **Convenience**

   Bitwarden Mobile apps and Browser Extensions provide Auto-fill capabilities for verification codes. When you use Bitwarden to Auto-fill a Username and Password, it will automatically copy the verification code to your clipboard for easy pasting.

   If you're using a Browser Extension, you can chain together the [Login Keyboard Shortcut](https://bitwarden.com/help/article/auto-fill-browser/#keyboard-shortcuts-hot-keys) (Windows: `Ctrl + Shift + L` / macOS: `Cmd + Shift + L`), followed by the Paste shortcut (Windows: `Ctrl + V` / macOS: `Cmd + V`), for lightning-fast logins.

2. **Sharing**

   For Organizations, a large benefit of using Bitwarden Authenticator for token verification is the ability to share token generation among team members. This allows Organizations to protect their accounts with Two-step Login without sacrificing the ability for multiple users to access that account, and without requiring two employees to coordinate sharing tokens in an unsafe way.

## Stay Safe with Two-step Login

Whichever path you choose, remember the basics:

- [Secure Bitwarden with Two-step Login](#securing-bitwarden)
- [Secure Important Websites with Two-step Login](#securing-important-websites)

And now that you're a Two-step Login Expert, we recommend that you:

- [Sign up for a Bitwarden Account](https://vault.bitwarden.com/#/register)
- [Set up Two-step Login]({% link _articles/two-step-login/setup-two-step-login.md %})
- [Get Premium for access to advanced Two-step Login methods](https://vault.bitwarden.com/#/?premium=purchase)
- [Set up the Bitwarden Authenticator]({% link _articles/features/authenticator-keys.md %})
- [Customize your Vault Timeout behavior]({% link _articles/account/vault-timeout.md %})

Here's to many happy logins!