An alternative is Ente Auth: https://news.ycombinator.com/item?id=40883839
Edit: Since there seems to be some confusion, this submission is about Bitwarden Authenticator, a free mobile app for TOTP, not about the Bitwarden password manager, which does support syncing, and which in the paid Premium plan also includes an authenticator.
I considered using Bitwarden Premium for TOTP, but dislike having passwords and TOTP codes in a single-point-of-failure backup location.
I looked into Bitwarden Authenticator, but it didn't seem to support sync between devices, as you've now corroborated. This is the reason I gave up on Google Authenticator and switched to Authy — I don't want to have to deal with trying to get all my accounts unlocked if my phone gets lost, broken, or stolen.
I've set up Authy with a backup password so that I can recover it if necessary. I understand that this is less secure, and Twilio (the company behind Authy) seems to have a mixed reputation. However my reasoning is that maintaining two layers which are separate (Authy on phone and tablet, Bitwarden on laptop) is consistent with defense-in-depth theory — even if the layers have some weaknesses.
Maybe it's time to switch to Yubikey, because TOTP apps that don't sync between devices are too high of a risk for losing access, and TOTP apps that sync aren't quite "something you have". How do people prepare for the potential loss of Yubikeys? Is it reasonable to get a spare[1] and keep it in a safety deposit box?
0: https://bitwarden.com/products/authenticator/#:~:text=New%20... - "New features on the roadmap include import, syncing to Bitwarden accounts, push-based 2FA, and account recovery"
1: https://bitwarden.com/pricing/#:~:text=Integrated%20Authenti...
I understand what you’re saying here, but then having a password manager and a 2FA app on the same phone is the exact same corruption.
If your threat model involves “don’t have your 2FA codes on your desktop”, it must also include “don’t have your passwords on your phone”.
If you can just clone an OTP to as many devices as you want then I'd argue it's not really two-factor. The mechanism used to sync is the same one a malicious actor would use to clone all your OTP entries and gain access to your accounts.
Not only does it unnecessarily jar me out of my memorized places to click, but it also just takes 2 clicks to copy a password instead of 1. Seems like a small deal but it is genuinely a bad UI.
Before it was two clicks to edit. Plus it would lose context if the popup was closed.
So do this: go to settings (lower right corner) -> appearance -> set width to extra wide, check compact mode, check show quick actions.
that should do it.
I'm sick of the dance of switching apps a few times to try to 'wake up' Bitwarden when I'm staring at a login page in my browser with no Bitwarden prompt anywhere, closing and reopening the browser, manually opening Bitwarden, switching apps a few times, then giving up and manually copying and pasting my password.
The only good thing is that I was finally able to switch away from Chrome on mobile, but for a high bad usability price.
At least it's not defaulting to their own cloud service backend. This has always been my problem with these types of apps. Although, I'm not sure I fully understand the above description. I'm guessing if you have an iPhone with iCloud backup enabled, it means data is backed up to iCloud.
When syncing is added it would actually be something to consider.
In that case, what would be the advantage over just using Bitwarden's native TOTP support?
If they used their own cloud backend I would be a lot more interested. They could even offer to store it in their cloud end-to-end encrypted (making it my responsibility to keep the password safe). That would give me similar exposure as their password manager, which I'm already using.
Google Authenticator had the fun idea to opt people into unencrypted (beyond whatever regular google drive files have) cloud backup of 2fa secrets, and it's been exploited in the ways you'd expect.
The regular complaints here about iMessage not having good E2EE is a specific exception written into the security policy.
Corrections welcome.
[1]: https://support.apple.com/guide/security/security-of-icloud-...
I think this is the better link. Advanced Data Protection is end to end encrypted, without the key being backed up to Apple’s servers.
I'd love to know what others do to maximise both convenience and security.
For two-factor authentication, I wouldn't use the same service for both layers. Seems daft to use Bitwarden as both the password keeper and the TOTP provider. Not sure if that's a cryptographically coherent view, but hey.
Depends on what failure mode you're talking about.
If you mean "I won't be able to access things when their service is down", that's not entirely accurate, because the database is synced to clients, so you just can't connect a new client or add/update entries, but existing entries are accessible.
If you mean "everything will be compromised if their service is hacked", that's not quite accurate either, because the encryption key to the database isn't stored on their servers (things are only ever decrypted on the client).
If you mean "any compromise is all/nothing", this is kind of true, but can be mitigated by keeping separate vaults, so that your most sensitive items are not kept with the ones you need routinely.
Or maybe you're thinking of some other failure mode ...
The problem with buying into one entity for a bunch of these services is they eventually find a way to sour their mission or worse, bend the knee to those that seek to exploit us, leaving you with the increasingly arduous task of migrating to another competitive service.
That is entirely accurate. During their outage a few weeks ago (the first I've experienced in years of using it TBF), I wasn't able to get passwords from my browser extension, Android app, or Mac app. Maybe in theory it's not supposed to work that way, but in practice it got stuck when it couldn't reach the server and went back to the "Enter master password" page (IIRC).
I tend to use Aegis for the two services' TOTP codes that I don't put into BitWarden.
This standalone app is available for free, can be used without an account, and the TOTP codes are only stored locally (or through your phone's native backup system).
Some people dislike the idea of storing TOTP codes in the same location as passwords, so it seems this helps provide those people with that separation, while still using Bitwarden products (which tbh is cool with me - a lot of the other TOTP apps on the appstores suck).
And many organizations/companies have a policy against that, although I don't know how anyone can enforce it.
If you self-host (e.g. with Vaultwarden) you get all the paid features for free.
I can't find any.
I've been lazily (in the "lazy evaluation" sense, not the work ethic sense) moving my 2FA from a mobile app into Bitwarden precisely because it's way more annoying to have to take my phone out and manually enter a code from there when logging into things (especially since lately I've noticed that I seem to get errors when the code still has a few seconds left in the UI as being valid after I've already gotten the response from the server not accepting it; I assumed that this might be due to some issue with my phone itself, but the fact that it still happens with the codes being stored in Bitwarden and visible on the same screen where I'm logging in makes me wonder if this is some new intentional thing sites are doing without regard to how weird an experience this will be for some people).
The main app's integrated TOTP functionality is nice for low impact services (e.g. I don't give a damn if my third Nintendo account gets overtaken). But for more critical stuff I want an actual separate system, and this authenticator app would allow that. In particular it's free, so creating a separate account would be fine.
The common sense of TOTP = your phone is to me problematic, and I feel it led to the situation we're in with Apple and Google...I have 3 computers I can use at any time, and will yell at the clouds every time I have to get my phone for some random stuff that can only happen in a mobile app.
Same way people are vehemently raging against kids having smartphones and ask for more kids protection online, while most 2FA services will default to a phone auth (TOTP or SMS, or dedicated app). And more than anything, I wish people could lose/crush/obliviate phones with less impact on their life if they want to, it doesn't need to be the key to one's digital life.
I _very narrowly_ dodged being locked in to authy by having tokens in there that couldn't be exported, and authy is a steaming pile of... Never again will I be foolish enough to not maintain ownership of the actual 2fa tokens my codes are generated from.
There was a CLI tool to export Authy codes, but there was a comment here that the APIs it used no longer work.
Speaking of escaping Authy, good luck with that. I had to use their desktop app and api to pull my data. I read in another comment that they've recently closed that api. So, you might be stuck migrating each account manually. That bullshit alone is worth the trouble of moving.
Any suggestions for something I can host at home? It needs mac, linux and ios clients and (unlike bitwarden) must gracefully handle the server being unavailable.
Given the catastrophic outcomes associated with corruption of the DB, I can’t imagine trusting the keepassxc approach.
How can they possibly handle concurrent updates to the password database correctly across that range of cloud filesystem products? Each has different semantics. Does someone fuzz test the whole stack, at least? For which services?
I do wonder about attack surface / operational complexity though. It syncs to three clouds and there is a postgres database, apparently.
Operating that myself reliably seems hard. I’m not looking for a hobby project and LastPass is the Last cloud hosted e2ee Password manager I will ever trust.
It supports:
- Local encrypted backups. You can sync these to wherever you like on your own terms. I automated uploading mine to my local NextCloud instance.
- Importing from other authenticator apps, so you can easily migrate.
- Exporting entries so that you are not vendor locked (cough cough Authy).
- Customization.
- No mandatory cloud bs, LLM integration, tracking, ...
It has been a feature request for close to 6 years now: https://community.bitwarden.com/t/allow-attachments-to-be-ex...
Edit: I realize you are probably using bitwarden directly, in which case don’t you trust them to safeguard your data?
ps: if it’s just ssh keys, just store them as key value pairs? I haven’t kept ssh keys for a long time thanks to tailscale ssh…
Yes, I use Bitwarden directly, no self hosting. I do trust them to keep my data safe (although I also trusted LastPass at some point, big mistake), but why not also keep a local copy, just in case. The type of data you store in Bitwarden is worth the hassle, and if Bitwarden Inc. ever gets into big trouble suddenly you'll be glad to have the backup.
We have modern authentication called WebAuthn, supported by Bitwarden proper as well as physical security keys and iOS’s native password manager. Use it.
WebAuthN is of course better, but it's still a minority that supports it.
I haven’t really been paying much attention to Bitwarden lately, but I’ve heard they’ve taken VC/got bought out or something. So for those more in the know, is it time to start migrating? Or does Bitwarden still seem like it’s on a good path?
yet I wouldn't use their 2fa app, just because if they get hacked at some point I don't want passwords and 2FA stored with the same company
Doing great with Authy on that front.
I find KeePassXC, which I use for managing passwords and now TOTP, to be the best option for me.
I still use Authy on mobile but having an offline backup is great.
I use the app on both PC (chromium extension) and phone, and I'm happy about it.
Extremely happy with it.
---
### TOTP ANTI-FAQ
1. Want a guide to implementing time-based passwords in your app? Here you go: https://www.freecodecamp.org/news/how-time-based-one-time-pa...
2. What was that? You want to do it in Typescript? Okay, here you go: https://www.npmjs.com/search?q=totp
3. Want to do it in Python? Unfortunately, you only have 275 choices: https://pypi.org/search/?q=totp&o=-created
4. How about on an Arduino? https://github.com/lucadentella/TOTP-Arduino
5. Fuck it, we'll do it ~~live~~ in Emacs! https://www.masteringemacs.org/article/securely-generating-t...
Y'all get the point by now, I'm sure.
---
[0]: https://www.gadgetany.com/news/now-the-commodore-64-is-a-two...
[1]: "Anti"-FAQ, because I'd like to discourage people from wasting brain cycles on thinking that a time-based authenticator app is something worth announcing.
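The anti-FAQ above points at guides for implementing time-based one-time passwords, and an earlier comment in the thread describes codes being rejected by a site while the app still shows a few seconds of validity. The following is an added example, not code from any commenter, from Bitwarden or from the linked guides: a minimal RFC 6238 TOTP implementation (HOTP truncation per RFC 4226, HMAC-SHA1, 30-second steps, 6 digits) plus a server-side verifier with a configurable skew window. The shared secret is the standard RFC 6238 test secret (ASCII "12345678901234567890", shown base32-encoded), and the timestamps are the RFC's own test vectors, so the values can be checked against the RFC. The skew parameter name and the `verify_totp` helper are this example's own choices, not any library's API.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 Appendix B test secret "12345678901234567890", base32-encoded.
# Constructed for the example; a real app would generate a random secret.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_b32(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating missing '=' padding as most apps emit it."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * ((8 - len(s) % 8) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # drop sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(_decode_b32(secret_b32), at // step, digits)


def seconds_remaining(at: int, step: int = 30) -> int:
    """How long the code shown at time `at` stays in its own time step (what the app's countdown shows)."""
    return step - (at % step)


def verify_totp(secret_b32: str, code: str, at: int, step: int = 30,
                skew: int = 1, digits: int = 6) -> Optional[int]:
    """Server-side check. Returns the matching time-step counter, or None.

    skew=0 accepts only the current step, which is exactly why a code typed with
    one second left on the app's countdown can be rejected once it reaches the
    server in the next step. skew=1 accepts the previous and next step too.
    The returned counter should be stored by the caller and any counter <= the
    last accepted one refused, so a code cannot be replayed within the window.
    """
    secret = _decode_b32(secret_b32)
    for drift in range(-skew, skew + 1):
        counter = at // step + drift
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(TEST_SECRET_B32, now),
          "valid for", seconds_remaining(now), "s")
    # Reproduce the "rejected with seconds left" situation using RFC timestamps:
    shown_at, received_at = 1111111109, 1111111111   # 1 s left, arrives in next step
    code = totp(TEST_SECRET_B32, shown_at)
    print("strict server:", verify_totp(TEST_SECRET_B32, code, received_at, skew=0))
    print("tolerant server:", verify_totp(TEST_SECRET_B32, code, received_at, skew=1))
```

Run as a script it prints a live code for the test secret and then shows the same code being rejected by a strict verifier and accepted by one that allows one step of skew. Widening the window trades a slightly larger guessing and replay surface for fewer false rejections, which is why verifiers should also record the last accepted counter.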
Zero trust, and that it slides auth horizontally to other untrusted flows...
Like literally walk an LLM through my data path?