Two-Factor Authentication (2FA)
A second verification layer that protects your account even if your password is compromised. For password managers specifically, 2FA prevents an attacker who knows your master password from accessing your vault without the second factor.
Plain-English definition
Two-factor authentication (2FA) adds a second verification step to your login. The logic: a password can be stolen (phished, breached, guessed); a physical device or biometric cannot be stolen remotely. 2FA requires both.
The three categories:
- Something you know — your password or master password
- Something you have — a phone running an authenticator app, a hardware key like a YubiKey
- Something you are — biometrics (Touch ID, Face ID, fingerprint)
2FA typically combines the first two categories: you enter your password, then provide a code from your phone or press a hardware key.
Types of 2FA supported by password managers
TOTP (Time-based One-Time Password): The most common form. You scan a QR code with an authenticator app (Google Authenticator, Authy, the built-in 2FA in Bitwarden Premium or 1Password). The app generates a 6-digit code that changes every 30 seconds. To log in, you enter your master password + the current 6-digit code.
TOTP is supported by all credible password managers for their own account login. Bitwarden Premium and 1Password also let you store TOTP seeds inside the vault, functioning as a combined password manager + authenticator.
FIDO2/WebAuthn (Hardware keys and passkeys): A physical hardware key (YubiKey, Google Titan Key) or a passkey on your device authenticates you cryptographically. More phishing-resistant than TOTP — a YubiKey won’t authenticate to a phishing site that just looks like your password manager’s login page.
Supported by: Bitwarden (Premium and above), 1Password, Dashlane Business, NordPass.
Email-based 2FA: A code sent to your email. Less secure than TOTP (your email account becomes the attack target) but better than nothing. Supported by LastPass and some others as a fallback.
Biometric: Touch ID, Face ID, Windows Hello — unlock the vault without typing the master password, using device-level biometric authentication. This is a convenience feature, not a security one — your biometric is used to access a locally-stored copy of the key, not to authenticate to the server.
Why 2FA on your password manager is critical
Your password manager vault is the master key to every account you own. If an attacker gets your master password (from phishing, a keylogger, or a breach where you reused it), 2FA is the difference between “they have my master password but can’t get into my vault” and “they have access to every account I own.”
Common mistake: using your password manager’s built-in TOTP feature to store the 2FA seed for the password manager itself. If the vault is the only way to access your 2FA codes and the vault requires 2FA to open, you have a circular dependency. Keep your password manager’s 2FA seed in a separate authenticator app, printed backup code, or hardware key.
2FA support across managers
| Manager | TOTP | Hardware keys | Duo | Notes |
|---|---|---|---|---|
| 1Password | Yes | YubiKey, FIDO2 | Yes | Excellent YubiKey integration |
| Bitwarden Free | Yes | No | No | Hardware keys require Premium |
| Bitwarden Premium | Yes | YubiKey, FIDO2, U2F | Yes | All methods supported |
| Dashlane | Yes | YubiKey | Yes | Hardware key support solid |
| NordPass | Yes | YubiKey | No | |
| LastPass | Yes | YubiKey (Premium), Duo (Premium) | Yes | |
TOTP migration — the hidden problem
When you switch password managers, your TOTP seeds (the data that generates 2FA codes) may or may not transfer. This is the Gate 20 insight most comparison sites miss entirely.
If your old manager exports TOTP seeds and your new manager imports them, you keep all your 2FA enrollments. If it doesn’t — as happens with the LastPass → Bitwarden migration — you must re-enrol 2FA manually at every service that uses it. For users with 50+ 2FA enrollments, this is a 2-3 hour manual process.
See the migration fidelity matrix for the full breakdown across all major migration paths.