It's Android-only though. A cross-platform (Android/iOS/Linux/Mac/Windows), open-source (AGPLv3), self-hostable (Docker image) alternative (with migrations, E2EE backups/syncing, and JSON export as well) is Ente Auth: https://news.ycombinator.com/item?id=40883839
I have used Bitwarden for a few years happily, but have been really annoyed at the UI changes in the chrome extension
Not only does it unnecessarily jar me out of my memorized places to click, but it also just takes 2 clicks to copy a password instead of 1. Seems like a small deal but it is genuinely a bad UI.
If you go to Settings -> Appearance and enable show quick actions, you can reenable the 1 click copy password again. Enabling compact mode and disabling animations also helps a lot.
Yes, but then you have to click the little "Fill" button. And if you enable "Click items to enable autofill on Vault view", you have to Rightclick -> View to edit stuff.
Edit: Since there seems to be some confusion, this submission is about Bitwarden Authenticator, a free mobile app for TOTP, not about the Bitwarden password manager, which does support syncing, and which in the paid Premium plan also includes an authenticator.
I've been using Authy for TOTP in conjunction with Bitwarden Premium for passwords.
I considered using Bitwarden Premium for TOTP, but dislike having passwords and TOTP codes in a single-point-of-failure backup location.
I looked into Bitwarden Authenticator, but it didn't seem to support sync between devices, as you've now corroborated. This is the reason I gave up on Google Authenticator and switched to Authy — I don't want to have to deal with trying to get all my accounts unlocked if my phone gets lost, broken, or stolen.
I've set up Authy with a backup password so that I can recover it if necessary. I understand that this is less secure, and Twilio (the company behind Authy) seems to have a mixed reputation. However my reasoning is that maintaining two layers which are separate (Authy on phone and tablet, Bitwarden on laptop) is consistent with defense-in-depth theory — even if the layers have some weaknesses.
Maybe it's time to switch to Yubikey, because TOTP apps that don't sync between devices are too high of a risk for losing access, and TOTP apps that sync aren't quite "something you have". How do people prepare for the potential loss of Yubikeys? Is it reasonable to get a spare[1] and keep it in a safety deposit box?
Just beware of the lock-in with Authy because they make it impossible to export your TOTP secrets for "security" reasons. There was a method to do it by running some code but they patched up those API endpoints recently.
I've done another round of research into Authy and I see what you mean. I was aware that some people don't like Authy because they object in principle to multi-device sync altogether, which I understand but am not willing to live with; I also knew that Twilio had been hacked before. But I hadn't thought so much about the lock-in and the elevated risk for getting locked out if Twilio goes kaput.
So, features that I want in a TOTP app:
* Backup to cloud. If all my devices are lost/destroyed at the same time, I want recovery to be possible using information I store offsite.
* Backups not stored to my own iCloud or Google Drive, which are frequently accessed from my own devices.
* Export of codes possible from the installed app so that if the vendor goes away I can migrate.
* Not published by Bitwarden. I'm happy with Bitwarden, but I would prefer that the vendor I use for TOTP be distinct from my password manager vendor.
I have a second yubikey which I keep in a safe and every time I set up the primary yubikey on an account I also make sure to enroll the backup one too. I'm not likely to have mine stolen so I don't keep the spare offsite, it's more insurance in case I lose it. I also have an airtag attached to the primary key for the same reason.
I was hoping that by enrolling the first key, the offsite backup would also be enrolled. Is that impossible? I don't want two distinct keys so much as I want two copies of the same key (akin to spare house keys).
If I'm unlucky enough to have a house fire (which has happened in my extended family), I would like it if my MFA access was not among the items irretrievably lost.
I got two Yubikeys but ended up never using them. I've also considered keeping the second one in a safety deposit box, but realized that that would defeat the purpose since you also need a key to access the safety deposit box.
I still have Google Authenticator on my phone, but I hadn't been using it. I see that you now must choose between using it "with an account", in which case your codes are saved "to your account", or using it without an account. I just installed Google Authenticator onto my tablet, selected that I would "continue as [Google Account]), and voila, there are all my codes.
I presume that if you use it "without an account", the codes are not backed up, although I'm not going to test that now.
I am curious what backed up "to your account" means. I'm often logged into Google on my laptop — is it possible to access the TOTP codes from there? If my laptop is hacked it would be a disaster, and I at least want to reduce the blast radius so that accounts requiring MFA are out of reach to the hacker unless they also hack my phone or tablet.
Please use 1Password, it syncs between everywhere you want and supports TOTP. When I log into LinkedIn, it only takes one click and it autofills and autosubmits everything, including TOTP.
I use this, it works great for when you're on a laptop and can't be bothered to pull out your phone to enter the 2FA code (because it works cross-platform on web, desktop, and mobile, all syncing together). Yes, technically this is a corruption of the principles of why you'd need 2FA in the first place, as the second factor is obviated when everything is on one device, but I find the risk acceptable, no one is going to hack into my laptop at home, and if they do, I have bigger things to worry about than 2FA.
I'm not sure that syncing is a feature that should exist. Once an OTP shared secret has been added to a device, it should be unretrievable, ideally stored in a security enclave.
If you can just clone an OTP to as many devices as you want then I'd argue it's not really two-factor. The mechanism used to sync is the same one a malicious actor would use to clone all your OTP entries and gain access to your accounts.
That’s fair. Can I have it backup sync to iCloud so I’d lose my phone I can get a new one? I think that’s a usability vs. security risk we’re gonna have to be okay with. People aren’t going to be able to have multiple devices.
> your accounts are only as secure as your iCloud account, which I wouldn't count on, and you've undermined the purpose of 2FA entirely
This is extreme. Uploading your 2FA to an encrypted cloud like iCloud widens your circle of trust. But it also increases convenience and utility.
I personally take the best of both worlds. A synced 2FA for most accounts. And a locked one for my critical ones, e.g. 1PW. If I couldn't sync any accounts I wouldn't bother turning on 2FA for most because the downside is low and, ultimately, probably someone else's problem to clean up.
> There's no way around this - 2FA needs to be bound to a single physical device if you want to benefit from it.
Depends what the benefit is.
From the PoV of my bank, the benefit is that people who use “Password123!” for all of their accounts don’t get their accounts trivially compromised.
From my PoV, the benefit of TOTP 2FA is that my password manager can fill it all in automatically rather than having to find my phone and type in SMS numbers manually. (As a non-iOS user - if you’re on iOS you can have your SMS 2FA codes put in automatically.)
That's nice in theory, but leaves you with significant risk of getting completely locked out of your account should you lose the device containing the OTP secret.
> In this initial release, your data will be backed up through the mobile operating system's backup services. Please make sure your device is turned on and configured for backups. Bitwarden Authenticator data is included in the OS backups and will be restored with them.
At least it's not defaulting to their own cloud service backend. This has always been my problem with these types of apps. Although, I'm not sure I fully understand the above description. I'm guessing if you have an iPhone with iCloud backup enabled, it means data is backed up to iCloud.
On my Android, what's the upside of using this instead of Google Authenticator if they both back up to the same place?
If they used their own cloud backend I would be a lot more interested. They could even offer to store it in their cloud end-to-end encrypted (making it my responsibility to keep the password safe). That would give me similar exposure as their password manager, which I'm already using.
Kinda worrying that it doesn't mention anything about how that is secured.
Google Authenticator had the fun idea to opt people into unencrypted (beyond whatever regular google drive files have) cloud backup of 2fa secrets, and it's been exploited in the ways you'd expect.
Android doesn't encrypt everything, and the details of what it does and doesn't encrypt are so fiddly that I don't feel confident enough to enable cloud backups.
Big fan of Bitwarden, albeit you are putting a single point of failure on all of your secure info.
I'd love to know what others do to maximise both convenience and security.
For two-factor authentication, I wouldn't use the same service for both layers. Seems daft to use Bitwarden as both the password keeper and the TOTP provider. Not sure if that's a cryptographically coherent view, but hey.
> albeit you are putting a single point of failure on all of your secure info.
Depends on what failure mode you're talking about.
If you mean "I won't be able to access things when their service is down", that's not entirely accurate, because the database is synced to clients, so you just can't connect a new client or add/update entries, but existing entries are accessible.
If you mean "everything will be compromised if their service is hacked", that's not quite accurate either, because the encryption key to the database isn't stored on their servers (things are only ever decrypted on the client).
If you mean "any compromise is all/nothing", this is kindof true, but can be mitigated by keeping separate vaults, so that your most sensitive items are not kept with the ones you need routinely.
Or maybe you're thinking of some other failure mode ...
Perhaps it's just an aversion to having all your eggs in one basket. I am experiencing that with Proton, atm, after having spent a year De-Googling my life and moving my mail, drive, calendar and VPN to their drop-in replacement for the same Google products. Lo and behold, the CEO has to go and share views I not only disagree with but also find dangerously aligned with people that are very much enemies of privacy and protection of PII.
The problem with buying into one entity for a bunch of these services is they eventually find a way to sour their mission or worse, bend the knee to those that seek to exploit us, leaving you with the increasingly arduous task of migrating to another competitive service.
In terms of a compromise being “all or nothing,” most secure accounts should have a password (which you can manage in BitWarden) AND a second factor (ideally not tied to your phone; ex: a YubiKey). That way even in the nightmare scenario that someone gets into your password manager there’s extra legwork they’d need to do to ruin you.
But if somebody compromised their internal infrastructure they could push out malicious updates to both the Authenticator and the clients of the password manager (most likely the browser extension), compromising both security factors at once
Doesn't appear to have any way of exporting 2FA tokens?
I _very narrowly_ dodged being locked in to authy by having tokens in there that couldn't be exported, and authy is a steaming pile of... Never again will I be foolish enough to not maintain ownership of the actual 2fa tokens my codes are generated from.
I personally switched to using 2FAS[0]. My favorite feature is that it comes with a browser extension that can automatically fill in the OTP on web forms, after approving the request on the phone app.
Not OP, but I escaped Authy over a year ago and I've been happy with 2FAS on Android. Aegis is also very good. Both have "backup to cloud-of-your-choosing" (like Google Drive) capabilities. Aegis is available on FDroid. IIRC I chose 2FAS for purely aesthetic reasons, but I could've easily gone with Aegis and been happy too.
Speaking of escaping Authy, good luck with that. I had to use their desktop app and api to pull my data. I read in another comment that they've recently closed that api. So, you might be stuck migrating each account manually. That bullshit alone is worth the trouble of moving.
Yep, exactly this. I, purely coincidentally, did this procedure of hacking up their desktop client to export my tokens 3 weeks before they turned off the API the desktop client uses. "by the skin of my teeth" as it were.
I just literally spent a week transferring all my authy keys to Bitwarden's somewhat hidden OTP generator feature. nice to see they finally made a standalone app. Now I'm gonna find out if both are integrated..... (I really hope so)
The “An Error Occurred” database corruptions last year convinced me I can’t trust bitwarden any more.
Any suggestions for something I can host at home? It needs mac, linux and ios clients and (unlike bitwarden) must gracefully handle the server being unavailable.
Vaultwarden [1] if you want to keep using the Bitwarden clients but with a different, self-hosted backend. You can also use KeePassXC and self-hosted file service to sync your database between devices [2]. KeePassXC has a merge feature in case one of your local databases diverges, so the server being unavailable is not an issue.
I’m using vaultwarden, and am happy with it. The official client is the problem.
Given the catastrophic outcomes associated with corruption of the DB, I can’t imagine trusting the keepassxc approach.
How can they possibly handle concurrent updates to the password database correctly across that range of cloud filesystem products? Each has different semantics. Does someone fuzz test the whole stack, at least? For which services?
I can only speak for my own setup: KeePassXC on multiple devices with a local NextCloud instance for syncing my database.
First and foremost, automate backing up your database. NextCloud also supports versioned files, so if something does go wrong, you can roll-back to a working DB as a last resort.
A good syncing application will not upload files that are currently opened in write mode. This way you cannot upload files mid-write, preventing uploading corrupted DBs. This of course assumes that both KeePassXC and NextCloud are perfect, but even if something breaks there you have your automated backups and previous versions of the database file. I should note that this has never happened to me, but if it were to happen I am safe.
In case you have diverging databases (e.g. server is offline and you add a new account on device 1 and a different account on device 2), NextCloud will create a conflict file which you can merge from the KeePassXC client to resolve the issue. No accounts are lost but it is an additional manual step to get all your changes back into the "main" DB.
That looks reasonable at first glance. Will have to look more carefully.
I do wonder about attack surface / operational complexity though. It syncs to three clouds and there is a postgres database, apparently.
Operating that myself reliably seems hard. I’m not looking for a hobby project and LastPass is the Last cloud hosted e2ee Password manager I will ever trust.
The built-in TOTP in Bitwarden password manager is only available to premium Bitwarden subscribers, requires you to have a Bitwarden account, and stores your TOTP codes in Bitwarden's servers.
This standalone app is available for free, can be used without an account, and the TOTP codes are only stored locally (or through your phone's native backup system).
Some people dislike the idea of storing TOTP codes in the same location as passwords, so it seems this helps provide those people with that separation, while still using Bitwarden products (which tbh is cool with me - a lot of the other TOTP apps on the appstores suck).
> The built-in TOTP in Bitwarden password manager is only available to premium Bitwarden subscribers, requires you to have a Bitwarden account, and stores your TOTP codes in Bitwarden's servers.
if you selfhost (eg with vaultwarden) you get all the pay features for free
Having TOTP tokens stored alongside passwords kind of defeats the purpose of two-factor-authentication. I think this alone justifies development of a separate app, but there must be other reasons as well.
Deffo a tradeoff. But then my bitwarden account is secured with a long phasephrase, and MFA (with offline recovery codes), with the TOTP in Google Authenticator.
Its a tradeoff, but on balance, i am happy to keep my TOTP for accounts secured by bitwarden inside bitwarden.
Bitwarden does come with an app for every major operating system. Or do you mean this authenticator app? It kind of goes against the idea to have this anywhere but your phone.
Does it? I thought the whole point was to require something that's not stored right next to the password in the database, making it more resilient to leaks/hacks/incorrect hashing and salting, etc. I don't think there's a single site where I have the option to "remember this device" to avoid needing to put in a 2FA code on every login where I haven't enabled it on my personal devices, and on a lot of them, I'm not even sure the cookies have ever expired. This seems like a case of https://xkcd.com/1200/, although I'll throw in my favorite personal example because of how absurd I find it: on the Domino's pizza Android app, it allows me to open it after months without using it and order food charged to my credit card without needing to reenter my password, but if I want to save something new as my "Easy Order" to avoid having to manually put everything into the cart and then hit "checkout", I have to put my password in again for that!
I've been lazily (in the "lazy evaluation" sense, not the work ethic sense) moving my 2FA from a mobile app into Bitwarden precisely because it's way more annoying to have to take my phone out and manually enter a code from there v when logging into things (especially since lately I've noticed that I seem to get errors when the code still has a few seconds left in the UI as being valid after I've already gotten the response from the server not accepting it; I asumed that this might be due to some issue with my phone itself, but the fact that it still happens with the codes being stored in Bitwarden and visible on the same screen where I'm logging into makes me wonder if this is some new intentional thing sites are doing intentionally without regard to how weird an experience this will be for some people).
As other comments on this page have explained, Bitwarden already offers that as part of their paid features. In that case the authenticator functionality is embedded into the main Bitwarden app and not in a separate authenticator app.
And you need to change that preference on every single device, it will not change your default. And they hide this option in a weird place away from all of the other Appearance options.
I'm not one to complain about UI changes but some of their recent decisions are baffling beyond belief.
> I realize you are probably using bitwarden directly, in which case don’t you trust them to safeguard your data?
Yes i use bitwarden directly, no self hosting. I do trust them keep my data safe (although i also trusted LastPass at some point, big mistake) but why not also keep a local copy, just in case. The type of data you store in bitwarden is worth the hassle and if Bitwarden Inc. ever gets into big trouble suddenly you'll be glad to have the backup.
Funny this pops up today, I’ve finished migrating form KeepassXC to a self hosted vaultwarden, the official bitwarden apps and briwser extension are super well made, so good so far with the switch.
[1]: "Anti"-FAQ, because I'd like to discourage people from wasting brain cycles on thinking that a time-based authenticator app is something worth announcing.
One option would be Vaultwarden server for your password storage (Bitwarden compatible) and 2FAS for auth (export once a week and save the backup to your own cloud)
Eventually some new product manager will be put into control at BitWarden and will screw everything up. If not, they’ll get acquired and be cost cut into catastrophe.
I could be wrong. If I am wrong, the downside is wasting time self hosting. If I am right, the downside of using their service is resetting 200 account passwords one at a time. Again.
Not everyone is. I’ll preferentially pay for a managed service that’s reasonably priced, but I still end up with a whole pile of self-hosted services because managed versions don’t really exist. (A bunch of alternative front-ends to various websites, an audiobook server, Plex, Homebridge, etc.)
You can pay customary $10 per year to bitwarden to support and still selfhost valultwarden. Some people want to have control and don't want to have to deal with VC money getting in the way (1password was a hard learnt lesson). Also vaultwarden seems lot cleaner and easier to install and manage than official bitwarden server. And you still rely on their clients.
So I’ve been a happy Bitwarden subscriber since about 2020. I originally picked it because it seemed like a good compromise between open source options like keepassxc and something less trustworthy like one password.
I haven’t really be paying much attention to Bitwarden lately, but I’ve heard they’ve taken vc/got bought out or something. So for those more in the know, is it time to start migrating? Or does Bitwarden still seem like it’s on a good path?
Why do you say 1Password isn’t trustworthy? We’ve been using 1P close to a decade and they’ve managed to not leak our passwords that whole time, unlike many other cloud password managers who have had breaches.
Sorry, I didn’t mean to specifically call out 1password. I should have said “closed source” not “untrustworthy”. Last time I looked at password managers Bitwarden and keepass were the only real oss solutions. And Bitwarden had better qualify of life features.
It supports:
- Local encrypted backups. You can sync these to where ever you like on your own terms. I automated uploading mine to my local NextCloud instance.
- Importing from other authenticator apps, so you can easily migrate.
- Exporting entries so that you are not vendor locked (cough cough Authy).
- Customization.
- No mandatory cloud bs, LLM integration, tracking, ...
[1] https://github.com/beemdevelopment/Aegis
Not only does it unnecessarily jar me out of my memorized places to click, but it also just takes 2 clicks to copy a password instead of 1. Seems like a small deal but it is genuinely a bad UI.
An alternative is Ente Auth: https://news.ycombinator.com/item?id=40883839
Edit: Since there seems to be some confusion, this submission is about Bitwarden Authenticator, a free mobile app for TOTP, not about the Bitwarden password manager, which does support syncing, and which in the paid Premium plan also includes an authenticator.
I considered using Bitwarden Premium for TOTP, but dislike having passwords and TOTP codes in a single-point-of-failure backup location.
I looked into Bitwarden Authenticator, but it didn't seem to support sync between devices, as you've now corroborated. This is the reason I gave up on Google Authenticator and switched to Authy — I don't want to have to deal with trying to get all my accounts unlocked if my phone gets lost, broken, or stolen.
I've set up Authy with a backup password so that I can recover it if necessary. I understand that this is less secure, and Twilio (the company behind Authy) seems to have a mixed reputation. However my reasoning is that maintaining two layers which are separate (Authy on phone and tablet, Bitwarden on laptop) is consistent with defense-in-depth theory — even if the layers have some weaknesses.
Maybe it's time to switch to Yubikey, because TOTP apps that don't sync between devices are too high of a risk for losing access, and TOTP apps that sync aren't quite "something you have". How do people prepare for the potential loss of Yubikeys? Is it reasonable to get a spare[1] and keep it in a safety deposit box?
[1] https://www.yubico.com/products/spare/
I've done another round of research into Authy and I see what you mean. I was aware that some people don't like Authy because they object in principle to multi-device sync altogether, which I understand but am not willing to live with; I also knew that Twilio had been hacked before. But I hadn't thought so much about the lock-in and the elevated risk for getting locked out if Twilio goes kaput.
So, features that I want in a TOTP app:
* Backup to cloud. If all my devices are lost/destroyed at the same time, I want recovery to be possible using information I store offsite.
* Backups not stored to my own iCloud or Google Drive, which are frequently accessed from my own devices.
* Export of codes possible from the installed app so that if the vendor goes away I can migrate.
* Not published by Bitwarden. I'm happy with Bitwarden, but I would prefer that the vendor I use for TOTP be distinct from my password manager vendor.
[1] https://github.com/beemdevelopment/Aegis
If I'm unlucky enough to have a house fire (which has happened in my extended family), I would like it if my MFA access was not among the items irretrievably lost.
This way the key survives a fire.
I still have Google Authenticator on my phone, but I hadn't been using it. I see that you now must choose between using it "with an account", in which case your codes are saved "to your account", or using it without an account. I just installed Google Authenticator onto my tablet, selected that I would "continue as [Google Account]), and voila, there are all my codes.
I presume that if you use it "without an account", the codes are not backed up, although I'm not going to test that now.
I am curious what backed up "to your account" means. I'm often logged into Google on my laptop — is it possible to access the TOTP codes from there? If my laptop is hacked it would be a disaster, and I at least want to reduce the blast radius so that accounts requiring MFA are out of reach to the hacker unless they also hack my phone or tablet.
I understand what you’re saying here, but then having a password manager and a 2FA app on the same phone is the exact same corruption.
If your threat model involves “don’t have your 2FA codes on your desktop”, it must also include “don’t have your passwords on your phone”.
0: https://bitwarden.com/products/authenticator/#:~:text=New%20... - "New features on the roadmap include import, syncing to Bitwarden accounts, push-based 2FA, and account recovery"
1: https://bitwarden.com/pricing/#:~:text=Integrated%20Authenti...
If you can just clone an OTP to as many devices as you want then I'd argue it's not really two-factor. The mechanism used to sync is the same one a malicious actor would use to clone all your OTP entries and gain access to your accounts.
Then your accounts are only as secure as your iCloud account, which I wouldn't count on, and you've undermined the purpose of 2FA entirely.
There's no way around this - 2FA needs to be bound to a single physical device if you want to benefit from it.
This is extreme. Uploading your 2FA to an encrypted cloud like iCloud widens your circle of trust. But it also increases convenience and utility.
I personally take the best of both worlds. A synced 2FA for most accounts. And a locked one for my critical ones, e.g. 1PW. If I couldn't sync any accounts I wouldn't bother turning on 2FA for most because the downside is low and, ultimately, probably someone else's problem to clean up.
Depends what the benefit is.
From the PoV of my bank, the benefit is that people who use “Password123!” for all of their accounts don’t get their accounts trivially compromised.
From my PoV, the benefit of TOTP 2FA is that my password manager can fill it all in automatically rather than having to find my phone and type in SMS numbers manually. (As a non-iOS user - if you’re on iOS you can have your SMS 2FA codes put in automatically.)
At least it's not defaulting to their own cloud service backend. This has always been my problem with these types of apps. Although, I'm not sure I fully understand the above description. I'm guessing if you have an iPhone with iCloud backup enabled, it means data is backed up to iCloud.
If they used their own cloud backend I would be a lot more interested. They could even offer to store it in their cloud end-to-end encrypted (making it my responsibility to keep the password safe). That would give me similar exposure as their password manager, which I'm already using.
When syncing is added it would actually be something to consider.
Google Authenticator had the fun idea to opt people into unencrypted (beyond whatever regular google drive files have) cloud backup of 2fa secrets, and it's been exploited in the ways you'd expect.
The regular complaints here about iMessage not having good E2EE is a specific exception written into the security policy.
Corrections welcome.
[1]: https://support.apple.com/guide/security/security-of-icloud-...
I think this is the better link. Advanced Data Protection is end to end encrypted, without the key being backed up to Apple’s servers.
I'd love to know what others do to maximise both convenience and security.
For two-factor authentication, I wouldn't use the same service for both layers. Seems daft to use Bitwarden as both the password keeper and the TOTP provider. Not sure if that's a cryptographically coherent view, but hey.
Depends on what failure mode you're talking about.
If you mean "I won't be able to access things when their service is down", that's not entirely accurate, because the database is synced to clients, so you just can't connect a new client or add/update entries, but existing entries are accessible.
If you mean "everything will be compromised if their service is hacked", that's not quite accurate either, because the encryption key to the database isn't stored on their servers (things are only ever decrypted on the client).
If you mean "any compromise is all/nothing", this is kindof true, but can be mitigated by keeping separate vaults, so that your most sensitive items are not kept with the ones you need routinely.
Or maybe you're thinking of some other failure mode ...
The problem with buying into one entity for a bunch of these services is they eventually find a way to sour their mission or worse, bend the knee to those that seek to exploit us, leaving you with the increasingly arduous task of migrating to another competitive service.
I _very narrowly_ dodged being locked in to authy by having tokens in there that couldn't be exported, and authy is a steaming pile of... Never again will I be foolish enough to not maintain ownership of the actual 2fa tokens my codes are generated from.
[0] https://2fas.com/
Speaking of escaping Authy, good luck with that. I had to use their desktop app and api to pull my data. I read in another comment that they've recently closed that api. So, you might be stuck migrating each account manually. That bullshit alone is worth the trouble of moving.
I also use 2FAS. It has token export.
Any suggestions for something I can host at home? It needs mac, linux and ios clients and (unlike bitwarden) must gracefully handle the server being unavailable.
[1] https://github.com/dani-garcia/vaultwarden
[2] https://keepassxc.org/docs/#faq-cloudsync
Given the catastrophic outcomes associated with corruption of the DB, I can’t imagine trusting the keepassxc approach.
How can they possibly handle concurrent updates to the password database correctly across that range of cloud filesystem products? Each has different semantics. Does someone fuzz test the whole stack, at least? For which services?
First and foremost, automate backing up your database. NextCloud also supports versioned files, so if something does go wrong, you can roll-back to a working DB as a last resort.
A good syncing application will not upload files that are currently opened in write mode. This way you cannot upload files mid-write, preventing uploading corrupted DBs. This of course assumes that both KeePassXC and NextCloud are perfect, but even if something breaks there you have your automated backups and previous versions of the database file. I should note that this has never happened to me, but if it were to happen I am safe.
In case you have diverging databases (e.g. server is offline and you add a new account on device 1 and a different account on device 2), NextCloud will create a conflict file which you can merge from the KeePassXC client to resolve the issue. No accounts are lost but it is an additional manual step to get all your changes back into the "main" DB.
I do wonder about attack surface / operational complexity though. It syncs to three clouds and there is a postgres database, apparently.
Operating that myself reliably seems hard. I’m not looking for a hobby project and LastPass is the Last cloud hosted e2ee Password manager I will ever trust.
I tend to use Aegis for the two services' TOTP codes that I don't put into BitWarden.
This standalone app is available for free, can be used without an account, and the TOTP codes are only stored locally (or through your phone's native backup system).
Some people dislike the idea of storing TOTP codes in the same location as passwords, so it seems this helps provide those people with that separation, while still using Bitwarden products (which tbh is cool with me - a lot of the other TOTP apps on the appstores suck).
And many organizations/companies have policy against that although I don't know how can anyone enforce that.
if you selfhost (eg with vaultwarden) you get all the pay features for free
I can't find any.
I've been lazily (in the "lazy evaluation" sense, not the work ethic sense) moving my 2FA from a mobile app into Bitwarden precisely because it's way more annoying to have to take my phone out and manually enter a code from there v when logging into things (especially since lately I've noticed that I seem to get errors when the code still has a few seconds left in the UI as being valid after I've already gotten the response from the server not accepting it; I asumed that this might be due to some issue with my phone itself, but the fact that it still happens with the codes being stored in Bitwarden and visible on the same screen where I'm logging into makes me wonder if this is some new intentional thing sites are doing intentionally without regard to how weird an experience this will be for some people).
I'm not one to complain about UI changes but some of their recent decisions are baffling beyond belief.
I find keypassxc which I use for managing passwords and now TOTP to be the best option for me.
I still use Authy on mobile but having an offline backup is great.
It has been a feature request for close to 6 years now: https://community.bitwarden.com/t/allow-attachments-to-be-ex...
Edit: I realize you are probably using bitwarden directly, in which case don’t you trust them to safeguard your data?
ps: if it’s just ssh keys, just store them as key value pairs? I haven’t kept ssh keys for a long time thanks to tailscale ssh…
Yes i use bitwarden directly, no self hosting. I do trust them keep my data safe (although i also trusted LastPass at some point, big mistake) but why not also keep a local copy, just in case. The type of data you store in bitwarden is worth the hassle and if Bitwarden Inc. ever gets into big trouble suddenly you'll be glad to have the backup.
yet I wouldn't use their 2fa app, just because if they get hacked at some point I don't want passwords and 2FA stored with the same company
doing great with authy in that front
Extremely happy with it.
---
### TOPT ANTI-FAQ
1. Want a guide to implementing time-based passwords in your app? Here you go: https://www.freecodecamp.org/news/how-time-based-one-time-pa...
2. What was that? You want to do it in Typescript? Okay, here you go: https://www.npmjs.com/search?q=totp
3. Want to do it in Python? Unfortunately, you only have 275 choices: https://pypi.org/search/?q=totp&o=-created
4. How about on an Arduino? https://github.com/lucadentella/TOTP-Arduino
5. Fuck it, we'll do it ~~live~~ in Emacs!https://www.masteringemacs.org/article/securely-generating-t...
Y'all get the point by now, I'm sure.
---
[0]: https://www.gadgetany.com/news/now-the-commodore-64-is-a-two...
[1]: "Anti"-FAQ, because I'd like to discourage people from wasting brain cycles on thinking that a time-based authenticator app is something worth announcing.
Eventually some new product manager will be put into control at BitWarden and will screw everything up. If not, they’ll get acquired and be cost cut into catastrophe.
I could be wrong. If I am wrong, the downside is wasting time self hosting. If I am right, the downside of using their service is resetting 200 account passwords one at a time. Again.
It's technically in public beta still, but I've been using it for a year and a half without any issues.
I haven’t really be paying much attention to Bitwarden lately, but I’ve heard they’ve taken vc/got bought out or something. So for those more in the know, is it time to start migrating? Or does Bitwarden still seem like it’s on a good path?