Bitwarden Authenticator

(bitwarden.com)

198 points | by pil0u 127 days ago

34 comments

  • ripped_britches 126 days ago
I have used Bitwarden for a few years happily, but have been really annoyed at the UI changes in the Chrome extension.

    Not only does it unnecessarily jar me out of my memorized places to click, but it also just takes 2 clicks to copy a password instead of 1. Seems like a small deal but it is genuinely a bad UI.

    • WhipeeDip 126 days ago
If you go to Settings -> Appearance and enable "show quick actions", you can re-enable the one-click copy password again. Enabling compact mode and disabling animations also helps a lot.
      • Beaving 126 days ago
Yes, but then you have to click the little "Fill" button. And if you enable "Click items to enable autofill on Vault view", you have to Right-click -> View to edit stuff.
        • woleium 126 days ago
cmd+shift+l, or ctrl+shift+l (lower case L) should just autofill even the TOTP fields (notably and annoyingly not TOTP for Microsoft auth though).
          • HypnoticOcelot 126 days ago
If you enable Autofill > Copy TOTP Automatically, when you use that keybind it'll copy the TOTP to your clipboard so that you can paste it in when prompted for it.
        • landtuna 126 days ago
          I think you can fix this with the setting "Click items to autofill on Vault view".
    • RockRobotRock 126 days ago
      • Phoenix453 126 days ago
        Thanks for pointing us to this documentation. However, on my android app, the settings mentioned in tips 1 and 2 don't exist.
      • lttlrck 126 days ago
        Thank you this has been driving me nuts!
    • cantrecallmypwd 126 days ago
Yes. This. They change the look, adding more clicks and moving things around, offering NEGATIVE value. At least they fixed biometric desktop auth, but without telling you that you had to remove the extension and clean up some stuff to get it to work.
    • akvadrako 126 days ago
      I much prefer the new UI. I usually use the keyboard shortcut to fill passwords and the UI for editing.

      Before it was two clicks to edit. Plus it would lose context if the popup was closed.

    • nashashmi 126 days ago
I just noticed on my Edge browser, I have two different profiles (work and personal). On one profile, I have a one-click interface (fill, copy UN, copy Pwd, copy 2FA code). On the other profile, I have a two-click interface as you described.

So do this: go to settings (lower right corner) -> appearance -> set width to extra wide, check compact mode, check show quick actions.

That should do it.

    • jurenbert 126 days ago
      I would just love if it appeared more than 60% of the time it's supposed to on Android.

      I'm sick of the dance of switching apps a few times to try to 'wake up' Bitwarden when I'm staring at a login page in my browser with no Bitwarden prompt anywhere, closing and reopening the browser, manually opening Bitwarden, switching apps a few times, then giving up and manually copying and pasting my password.

      • jjice 126 days ago
I had this same issue for years on Android with Bitwarden. I’m not sure how the password manager related APIs work to make it appear on Android, but since switching to iOS, it always presents me with a generic “passwords” option, which then gets me to Bitwarden. Sometimes it’ll flag the specific account, but not always - this seems to be like the Android quirk. I’d much prefer if Android had that generic “password” option at all times, even when it didn’t know Bitwarden had an account for this service.
      • bramhaag 126 days ago
        I too am very annoyed by this, and it has been happening for as long as I can remember. KeePassDX [1] works around this by providing a custom keyboard you can use to fill in your passwords anywhere.

        [1] https://github.com/Kunzisoft/KeePassDX

      • landtuna 126 days ago
        I think it's because Android very aggressively swaps out third-party background apps. https://dontkillmyapp.com/
      • ddejohn 126 days ago
        FWIW this is not exclusive to Bitwarden. 1password also suffers from this frustrating UX.
    • lakomen 126 days ago
Yup, the UI and "click amounts" are terrible, a step down from both the native Chrome and Firefox password managers. If you have a domain.tld and are on sub.domain.tld, it also shows ALL the credentials on EVERY subdomain and the tld, and you have to crawl through them all.

The only good thing is that I was finally able to switch away from Chrome on mobile, but at a high price in bad usability.

      • homebrewer 126 days ago
You can disable that by changing the domain matching algorithm (or whatever it's called, it's not difficult to find). By default it matches to domain.tld, but you can request the exact match.
  • bramhaag 126 days ago
    I have been using Aegis [1], a FOSS (GPLv3) TOTP authenticator app, for the past years.

    It supports:

- Local encrypted backups. You can sync these to wherever you like on your own terms. I automated uploading mine to my local NextCloud instance.

    - Importing from other authenticator apps, so you can easily migrate.

    - Exporting entries so that you are not vendor locked (cough cough Authy).

    - Customization.

    - No mandatory cloud bs, LLM integration, tracking, ...

    [1] https://github.com/beemdevelopment/Aegis

    • layer8 126 days ago
      Aegis is Android-only though. A cross-platform (Android/iOS/Linux/Mac/Windows), open-source (AGPLv3), self-hostable (Docker image) alternative (with migrations, E2EE backups/syncing, and JSON export as well) is Ente Auth: https://news.ycombinator.com/item?id=40883839
    • hresvelgr 126 days ago
      FYI Bitwarden is self-hostable and AGPLv3.
  • layer8 127 days ago
    It doesn’t support syncing between devices.

    An alternative is Ente Auth: https://news.ycombinator.com/item?id=40883839

    Edit: Since there seems to be some confusion, this submission is about Bitwarden Authenticator, a free mobile app for TOTP, not about the Bitwarden password manager, which does support syncing, and which in the paid Premium plan also includes an authenticator.

    • rectang 127 days ago
      I've been using Authy for TOTP in conjunction with Bitwarden Premium for passwords.

      I considered using Bitwarden Premium for TOTP, but dislike having passwords and TOTP codes in a single-point-of-failure backup location.

      I looked into Bitwarden Authenticator, but it didn't seem to support sync between devices, as you've now corroborated. This is the reason I gave up on Google Authenticator and switched to Authy — I don't want to have to deal with trying to get all my accounts unlocked if my phone gets lost, broken, or stolen.

      I've set up Authy with a backup password so that I can recover it if necessary. I understand that this is less secure, and Twilio (the company behind Authy) seems to have a mixed reputation. However my reasoning is that maintaining two layers which are separate (Authy on phone and tablet, Bitwarden on laptop) is consistent with defense-in-depth theory — even if the layers have some weaknesses.

      Maybe it's time to switch to Yubikey, because TOTP apps that don't sync between devices are too high of a risk for losing access, and TOTP apps that sync aren't quite "something you have". How do people prepare for the potential loss of Yubikeys? Is it reasonable to get a spare[1] and keep it in a safety deposit box?

      [1] https://www.yubico.com/products/spare/

      • hypeatei 126 days ago
        Just beware of the lock-in with Authy because they make it impossible to export your TOTP secrets for "security" reasons. There was a method to do it by running some code but they patched up those API endpoints recently.
        • rectang 126 days ago
          *sigh*

          I've done another round of research into Authy and I see what you mean. I was aware that some people don't like Authy because they object in principle to multi-device sync altogether, which I understand but am not willing to live with; I also knew that Twilio had been hacked before. But I hadn't thought so much about the lock-in and the elevated risk for getting locked out if Twilio goes kaput.

          So, features that I want in a TOTP app:

          * Backup to cloud. If all my devices are lost/destroyed at the same time, I want recovery to be possible using information I store offsite.

          * Backups not stored to my own iCloud or Google Drive, which are frequently accessed from my own devices.

          * Export of codes possible from the installed app so that if the vendor goes away I can migrate.

          * Not published by Bitwarden. I'm happy with Bitwarden, but I would prefer that the vendor I use for TOTP be distinct from my password manager vendor.

        • xarope 126 days ago
I migrated off Authy due to this lock-in behaviour on to Bitwarden Authenticator, then realised that there's no sync. There is a backup and export though. Might have to give Ente Auth a try next.
      • glitchcrab 126 days ago
        I have a second yubikey which I keep in a safe and every time I set up the primary yubikey on an account I also make sure to enroll the backup one too. I'm not likely to have mine stolen so I don't keep the spare offsite, it's more insurance in case I lose it. I also have an airtag attached to the primary key for the same reason.
        • rectang 126 days ago
          I was hoping that by enrolling the first key, the offsite backup would also be enrolled. Is that impossible? I don't want two distinct keys so much as I want two copies of the same key (akin to spare house keys).

          If I'm unlucky enough to have a house fire (which has happened in my extended family), I would like it if my MFA access was not among the items irretrievably lost.

        • jopsen 126 days ago
Other option is to encrypt TOTP secrets and put the decryption key on a Yubikey you then bury in the backyard.

          This way the key survives a fire.

      • koakuma-chan 126 days ago
        I got two Yubikeys but ended up never using them. I've also considered keeping the second one in a safety deposit box, but realized that that would defeat the purpose since you also need a key to access the safety deposit box.
      • WheatMillington 127 days ago
        Google Authenticator supports backing up to Google Drive.
        • rectang 126 days ago
          Indeed, it looks like this feature was added in April 2023: https://security.googleblog.com/2023/04/google-authenticator...

I still have Google Authenticator on my phone, but I hadn't been using it. I see that you now must choose between using it "with an account", in which case your codes are saved "to your account", or using it without an account. I just installed Google Authenticator onto my tablet, selected that I would "continue as [Google Account]", and voilà, there are all my codes.

          I presume that if you use it "without an account", the codes are not backed up, although I'm not going to test that now.

          I am curious what backed up "to your account" means. I'm often logged into Google on my laptop — is it possible to access the TOTP codes from there? If my laptop is hacked it would be a disaster, and I at least want to reduce the blast radius so that accounts requiring MFA are out of reach to the hacker unless they also hack my phone or tablet.

          • rectang 126 days ago
            (replying to myself after some further research...)

            Issues for me with Google Authenticator:

            1. The cloud backups are not encrypted: https://www.reddit.com/r/cybersecurity_help/comments/1fysqij...

            2. There's a strong possibility that if my laptop gets compromised my Google account will be compromised simultaneously.

3. I try (often in vain) to limit my Google exposure because if I lose access to my Google account, it will be hard to get it back due to Google's limited support offerings.

      • koakuma-chan 126 days ago
        Please use 1Password, it syncs between everywhere you want and supports TOTP. When I log into LinkedIn, it only takes one click and it autofills and autosubmits everything, including TOTP.
    • tw04 126 days ago
      +1 for ente. Love that it’s cross platform, and while this is a unique app from Bitwarden, I like having a separate vendor for totp vs passwords.
    • matthberg 126 days ago
      It's on their feature roadmap [0] and already supported by the full Bitwarden app (as a paid feature) [1].

      0: https://bitwarden.com/products/authenticator/#:~:text=New%20... - "New features on the roadmap include import, syncing to Bitwarden accounts, push-based 2FA, and account recovery"

      1: https://bitwarden.com/pricing/#:~:text=Integrated%20Authenti...

    • satvikpendem 127 days ago
      I use this, it works great for when you're on a laptop and can't be bothered to pull out your phone to enter the 2FA code (because it works cross-platform on web, desktop, and mobile, all syncing together). Yes, technically this is a corruption of the principles of why you'd need 2FA in the first place, as the second factor is obviated when everything is on one device, but I find the risk acceptable, no one is going to hack into my laptop at home, and if they do, I have bigger things to worry about than 2FA.
      • Marsymars 126 days ago
        > Yes, technically this is a corruption of the principles of why you'd need 2FA in the first place

        I understand what you’re saying here, but then having a password manager and a 2FA app on the same phone is the exact same corruption.

        If your threat model involves “don’t have your 2FA codes on your desktop”, it must also include “don’t have your passwords on your phone”.

        • satvikpendem 126 days ago
          That's probably true. For what it's worth I don't save passwords on my phone either.
    • cedws 127 days ago
      I'm not sure that syncing is a feature that should exist. Once an OTP shared secret has been added to a device, it should be unretrievable, ideally stored in a security enclave.

      If you can just clone an OTP to as many devices as you want then I'd argue it's not really two-factor. The mechanism used to sync is the same one a malicious actor would use to clone all your OTP entries and gain access to your accounts.

      • cr125rider 127 days ago
That’s fair. Can I have it backup sync to iCloud so if I lose my phone I can get a new one? I think that’s a usability vs. security risk we’re gonna have to be okay with. People aren’t going to be able to have multiple devices.
        • cedws 126 days ago
> Can I have it backup sync to iCloud so if I lose my phone I can get a new one?

          Then your accounts are only as secure as your iCloud account, which I wouldn't count on, and you've undermined the purpose of 2FA entirely.

          There's no way around this - 2FA needs to be bound to a single physical device if you want to benefit from it.

          • JumpCrisscross 126 days ago
            > your accounts are only as secure as your iCloud account, which I wouldn't count on, and you've undermined the purpose of 2FA entirely

            This is extreme. Uploading your 2FA to an encrypted cloud like iCloud widens your circle of trust. But it also increases convenience and utility.

            I personally take the best of both worlds. A synced 2FA for most accounts. And a locked one for my critical ones, e.g. 1PW. If I couldn't sync any accounts I wouldn't bother turning on 2FA for most because the downside is low and, ultimately, probably someone else's problem to clean up.

          • Marsymars 126 days ago
            > There's no way around this - 2FA needs to be bound to a single physical device if you want to benefit from it.

            Depends what the benefit is.

            From the PoV of my bank, the benefit is that people who use “Password123!” for all of their accounts don’t get their accounts trivially compromised.

            From my PoV, the benefit of TOTP 2FA is that my password manager can fill it all in automatically rather than having to find my phone and type in SMS numbers manually. (As a non-iOS user - if you’re on iOS you can have your SMS 2FA codes put in automatically.)

      • eviks 126 days ago
They would also need the password, not just the OTP, to gain access because it's really two-factor. But the risk of permanent loss if you lose a device is also too extreme, so you would still need some alternative restore mechanism, at which point an encrypted sync is a much better alternative.
        • cedws 126 days ago
          But it's called two-factor because it's supposed to be two independent factors to get into your account, so saying they would also need the password to get into the account makes no sense. The assumption that the password is known is baked into the principle of 2FA.

          I also don't think it's true that you're locked out of your account permanently if you lose your OTP entry. Even the shittiest websites will have a reset mechanism. Also - backup codes?

          • eviks 125 days ago
Your device, as well as another device, and yet another, are all independent "something you have" factors from "the password you know". And adding a new device can be restricted via 2FA on the old device.

And I've addressed the backup codes - that's the alternative mechanism that's no better than the sync. Also, backup codes are not 2FA, so if you're so strict about 2FA that you don't even allow sync, then you can't have them, thus permanent loss.

      • nicoburns 126 days ago
        That's nice in theory, but leaves you with significant risk of getting completely locked out of your account should you lose the device containing the OTP secret.
    • magixx 127 days ago
      Can you elaborate? The android app, browser extension, and desktop app all keep in sync for me.
      • riffraff 127 days ago
Are you talking of Bitwarden password manager or Bitwarden Authenticator? The latter does not seem to have a desktop version.
  • sepositus 127 days ago
    > In this initial release, your data will be backed up through the mobile operating system's backup services. Please make sure your device is turned on and configured for backups. Bitwarden Authenticator data is included in the OS backups and will be restored with them.

    At least it's not defaulting to their own cloud service backend. This has always been my problem with these types of apps. Although, I'm not sure I fully understand the above description. I'm guessing if you have an iPhone with iCloud backup enabled, it means data is backed up to iCloud.

    • stwrzn 127 days ago
      > New features on the roadmap include import, syncing to Bitwarden accounts, push-based 2FA, and account recovery.

      When syncing is added it would actually be something to consider.

      • lxgr 126 days ago
        > [...] syncing to Bitwarden accounts [...]

        In that case, what would be the advantage over just using Bitwarden's native TOTP support?

    • wongarsu 127 days ago
      On my Android, what's the upside of using this instead of Google Authenticator if they both back up to the same place?

      If they used their own cloud backend I would be a lot more interested. They could even offer to store it in their cloud end-to-end encrypted (making it my responsibility to keep the password safe). That would give me similar exposure as their password manager, which I'm already using.

      • TingPing 126 days ago
        Authenticators are a commodity at this point. None are special.
        • eviks 126 days ago
This just ignores important details like multi-device sync, which too few support for them to be "commodities".
    • procaryote 127 days ago
      Kinda worrying that it doesn't mention anything about how that is secured.

Google Authenticator had the fun idea to opt people into unencrypted (beyond whatever regular Google Drive files have) cloud backup of 2FA secrets, and it's been exploited in the ways you'd expect.

      • izacus 127 days ago
        Both mobile operating systems use e2e encryption for the backups.
        • stavros 126 days ago
          Android doesn't encrypt everything, and the details of what it does and doesn't encrypt are so fiddly that I don't feel confident enough to enable cloud backups.
          • izacus 125 days ago
            Android encrypts its whole backup with E2E encryption using your PIN.
            • stavros 125 days ago
It doesn't, it encrypts some of your backup, and isn't entirely clear on which part.
        • sneak 126 days ago
          No, iOS backups are not e2ee unless you go and opt-in to it, which approximately 0% have done.
        • Tepix 127 days ago
Not in the UK for iCloud.
    • fn-mote 127 days ago
      Are your cloud backups encrypted? Yes, but the key is backed up too. [1]

      The regular complaints here about iMessage not having good E2EE is a specific exception written into the security policy.

      Corrections welcome.

      [1]: https://support.apple.com/guide/security/security-of-icloud-...

      • coder543 126 days ago
        https://support.apple.com/en-us/102651

        I think this is the better link. Advanced Data Protection is end to end encrypted, without the key being backed up to Apple’s servers.

        • bramhaag 126 days ago
          This of course only helps if ADP is available in your country and you've turned it on.
      • janalsncm 127 days ago
        It really depends what your threat model is. If you are concerned about government intervention a TOTP isn’t going to stop them.
    • hackmiester 127 days ago
      Or if you are using "iTunes backups" it will store them in there as well.
  • mdevere 127 days ago
    Big fan of Bitwarden, albeit you are putting a single point of failure on all of your secure info.

    I'd love to know what others do to maximise both convenience and security.

    For two-factor authentication, I wouldn't use the same service for both layers. Seems daft to use Bitwarden as both the password keeper and the TOTP provider. Not sure if that's a cryptographically coherent view, but hey.

    • cwalv 127 days ago
      > albeit you are putting a single point of failure on all of your secure info.

      Depends on what failure mode you're talking about.

      If you mean "I won't be able to access things when their service is down", that's not entirely accurate, because the database is synced to clients, so you just can't connect a new client or add/update entries, but existing entries are accessible.

      If you mean "everything will be compromised if their service is hacked", that's not quite accurate either, because the encryption key to the database isn't stored on their servers (things are only ever decrypted on the client).

If you mean "any compromise is all/nothing", this is kind of true, but can be mitigated by keeping separate vaults, so that your most sensitive items are not kept with the ones you need routinely.

      Or maybe you're thinking of some other failure mode ...

      • 0xEF 126 days ago
        Perhaps it's just an aversion to having all your eggs in one basket. I am experiencing that with Proton, atm, after having spent a year De-Googling my life and moving my mail, drive, calendar and VPN to their drop-in replacement for the same Google products. Lo and behold, the CEO has to go and share views I not only disagree with but also find dangerously aligned with people that are very much enemies of privacy and protection of PII.

        The problem with buying into one entity for a bunch of these services is they eventually find a way to sour their mission or worse, bend the knee to those that seek to exploit us, leaving you with the increasingly arduous task of migrating to another competitive service.

        • mmsc 126 days ago
          Luckily with Proton, it is incredibly easy to export everything and delete everything, unlike Google which makes it extremely difficult to delete things (notwithstanding the 2FA screen you get when deleting data from each service, which leads to "too many logins, wait 5 minutes" even if you login with the correct password/TOTP every time). I recommend downloading a "google takeout" to confirm all your data is actually gone.
        • cwalv 126 days ago
One of the nice things about Bitwarden in particular is that they make it easy to self-host (and there's Vaultwarden which is even easier). There are tradeoffs, but lock-in risk is minimal.
      • josh-sematic 126 days ago
        In terms of a compromise being “all or nothing,” most secure accounts should have a password (which you can manage in BitWarden) AND a second factor (ideally not tied to your phone; ex: a YubiKey). That way even in the nightmare scenario that someone gets into your password manager there’s extra legwork they’d need to do to ruin you.
      • linsomniac 126 days ago
        >"I won't be able to access things when their service is down", that's not entirely accurate

        That is entirely accurate. During their outage a few weeks ago (the first I've experienced in years of using it TBF), I wasn't able to get passwords from my browser extension, Android app, or Mac app. Maybe in theory it's not supposed to work that way, but in practice it got stuck when it couldn't reach the server and went back to the "Enter master password" page (IIRC).

        • cwalv 126 days ago
          > ... (IIRC)

This is easy to test. Just disable your wifi and try it out.

    • tomasff 127 days ago
Bitwarden Authenticator is a separate service. Even if you don't use Bitwarden you can use this, apparently.
      • wongarsu 127 days ago
But if somebody compromised their internal infrastructure they could push out malicious updates to both the Authenticator and the clients of the password manager (most likely the browser extension), compromising both security factors at once.
  • denkmoon 126 days ago
    Doesn't appear to have any way of exporting 2FA tokens?

    I _very narrowly_ dodged being locked in to authy by having tokens in there that couldn't be exported, and authy is a steaming pile of... Never again will I be foolish enough to not maintain ownership of the actual 2fa tokens my codes are generated from.

    • poglet 126 days ago
As an Authy user who is trying to escape, do you have a 2FA recommendation?
      • SlackingOff123 126 days ago
        I personally switched to using 2FAS[0]. My favorite feature is that it comes with a browser extension that can automatically fill in the OTP on web forms, after approving the request on the phone app.

        [0] https://2fas.com/

      • Fnoord 126 days ago
        Aegis. It is FOSS.
        • silverwind 126 days ago
Aegis is great, but not available for iOS.
      • eviks 126 days ago
Ente Auth is the best, cross-platform, including desktop, unlike a lot of other alternatives.

There was a CLI tool to export Authy codes, but there was a comment here that the APIs it used no longer work.

      • depingus 126 days ago
        Not OP, but I escaped Authy over a year ago and I've been happy with 2FAS on Android. Aegis is also very good. 2FAS has backup to Google Drive. Aegis does Android Cloud Backup. Aegis is available on FDroid. IIRC I chose 2FAS for purely aesthetic reasons, but I could've easily gone with Aegis and been happy too.

        Speaking of escaping Authy, good luck with that. I had to use their desktop app and api to pull my data. I read in another comment that they've recently closed that api. So, you might be stuck migrating each account manually. That bullshit alone is worth the trouble of moving.

        • denkmoon 126 days ago
          Yep, exactly this. I, purely coincidentally, did this procedure of hacking up their desktop client to export my tokens 3 weeks before they turned off the API the desktop client uses. "by the skin of my teeth" as it were.

          I also use 2FAS. It has token export.

  • stavros 127 days ago
    I'm confused, doesn't BitWarden already include this functionality? I've been using it for years, have they split it out into a separate app?

    I tend to use Aegis for the two services' TOTP codes that I don't put into BitWarden.

    • twoparachute45 127 days ago
      The built-in TOTP in Bitwarden password manager is only available to premium Bitwarden subscribers, requires you to have a Bitwarden account, and stores your TOTP codes in Bitwarden's servers.

      This standalone app is available for free, can be used without an account, and the TOTP codes are only stored locally (or through your phone's native backup system).

Some people dislike the idea of storing TOTP codes in the same location as passwords, so it seems this helps provide those people with that separation, while still using Bitwarden products (which tbh is cool with me - a lot of the other TOTP apps on the app stores suck).

      • elashri 127 days ago
        > Some people dislike the idea of storing TOTP codes in the same location as passwords,

And many organizations/companies have a policy against that, although I don't know how anyone can enforce it.

      • nyolfen 127 days ago
        > The built-in TOTP in Bitwarden password manager is only available to premium Bitwarden subscribers, requires you to have a Bitwarden account, and stores your TOTP codes in Bitwarden's servers.

If you self-host (e.g. with Vaultwarden) you get all the pay features for free.

        • cwalv 127 days ago
          Vaultwarden doesn't have all the paid features.
      • stavros 127 days ago
        That makes sense, thank you!
    • pooriamokhtari 127 days ago
      Having TOTP tokens stored alongside passwords kind of defeats the purpose of two-factor-authentication. I think this alone justifies development of a separate app, but there must be other reasons as well.
      • znkynz 127 days ago
Deffo a tradeoff. But then my Bitwarden account is secured with a long passphrase, and MFA (with offline recovery codes), with the TOTP in Google Authenticator. It's a tradeoff, but on balance, I am happy to keep my TOTP for accounts secured by Bitwarden inside Bitwarden.
  • makeitdouble 127 days ago
Is it standard for Bitwarden to have absolutely no mention of any plan to also build a PC app?

    I can't find any.

    • sigmoid10 127 days ago
      Bitwarden does come with an app for every major operating system. Or do you mean this authenticator app? It kind of goes against the idea to have this anywhere but your phone.
      • serial_dev 127 days ago
        I don’t see why an authenticator app could not be used from desktop or web.
        • sigmoid10 126 days ago
          If you store your second factor on the same device where you login, there's really no need for an app (or a second factor for that matter), because if your device is compromised, you're screwed anyway. You might as well store a list of one time auth passwords on a piece of paper that you keep near your PC. In fact that way someone would have to compromise you physically and digitally, which may be more difficult. If you keep the paper on your person at all times, it will actually be pretty secure. If you use some encryption scheme for the text on top of that, you're already pretty much there. But that's complex, so people came up with hardware keys that you always keep on your person and that are not used for anything else. They are kind of the ultimate thing to deploy on scale, but still a lot of hassle for users. The next best thing is using an app on your phone. It's considerably more dangerous, but still much better than storing everything on your computer.
          • serial_dev 126 days ago
            I could have two computers, and I could also login to an app on my phone. There are valid reasons for a desktop authenticator app.
            • sigmoid10 119 days ago
              Phones tend to have much better security models than normal computers. So having both on a phone is much less of a risk than both on a computer. But if you're offering people to weaken their own security by increasing convenience, you're breaking your own security model anyways. You might as well let people opt out of MFA altogether, but fewer and fewer companies tend to do that. Not because technical edge cases might pop up, but because most people are lazy and that is dangerous.
      • saghm 127 days ago
        Does it? I thought the whole point was to require something that's not stored right next to the password in the database, making it more resilient to leaks/hacks/incorrect hashing and salting, etc. I don't think there's a single site where I have the option to "remember this device" to avoid needing to put in a 2FA code on every login where I haven't enabled it on my personal devices, and on a lot of them, I'm not even sure the cookies have ever expired. This seems like a case of https://xkcd.com/1200/, although I'll throw in my favorite personal example because of how absurd I find it: on the Domino's pizza Android app, it allows me to open it after months without using it and order food charged to my credit card without needing to reenter my password, but if I want to save something new as my "Easy Order" to avoid having to manually put everything into the cart and then hit "checkout", I have to put my password in again for that!

        I've been lazily (in the "lazy evaluation" sense, not the work ethic sense) moving my 2FA from a mobile app into Bitwarden precisely because it's way more annoying to have to take my phone out and manually enter a code from there vs. when logging into things (especially since lately I've noticed that I seem to get errors when the code still has a few seconds left in the UI as being valid after I've already gotten the response from the server not accepting it; I assumed that this might be due to some issue with my phone itself, but the fact that it still happens with the codes being stored in Bitwarden and visible on the same screen where I'm logging into makes me wonder if this is some new thing sites are doing intentionally without regard to how weird an experience this will be for some people).

      • karaterobot 127 days ago
        I'd love an authenticator app on my desktop. That way if I lose my phone I won't be quite as hosed.
        • mastazi 126 days ago
          As other comments on this page have explained, Bitwarden already offers that as part of their paid features. In that case the authenticator functionality is embedded into the main Bitwarden app and not in a separate authenticator app.
      • makeitdouble 126 days ago
        Yes, authenticator app only.

        The main app's integrated TOTP functionality is nice for low impact services (e.g. I don't give a damn if my third Nintendo account gets taken over). But there is more critical stuff for which I want an actual separate system, and this authenticator app would allow that. In particular it's free, so creating a separate account would be fine.

        The common sense of TOTP = your phone is to me problematic, and I feel it led to the situation we're in with Apple and Google...I have 3 computers I can use at any time, and will yell at the clouds every time I have to get my phone for some random stuff that can only happen in a mobile app.

        Same way people are vehemently raging against kids having smartphones and asking for more protection for kids online, while most 2FA services will default to a phone auth (TOTP or SMS, or dedicated app). And more than anything, I wish people could lose/crush/obliviate phones with less impact on their life if they want to; it doesn't need to be the key to one's digital life.

  • kyriakos 126 days ago
    At some point Microsoft Authenticator decided that 2FA from a smartwatch shouldn't work (that happened when they introduced the 2 digit number verification, which could still work fine on a watch). I have yet to find a replacement for that feature. If anyone figures it out please let me know!
  • marcosscriven 127 days ago
    How does this compare to Authy? I use Bitwarden and have been very frustrated with their UI changes.
    • dankwizard 127 days ago
      Do a few searches of "Authy" and you'll be switching sooner rather than later. Absolutely awful app.
    • linhns 126 days ago
      Don't use Authy, I agree with you that the Bitwarden UI is getting uglier, but at least they are trying to make it better (it will get worse before they learn lessons to improve), unlike Authy.
    • yoyohello13 126 days ago
      If you have a choice, just don’t use Authy. Literally use anything other than Twilio products. That company is straight trash.
    • kwanbix 127 days ago
      Yeah, their UI is getting worse. Now some genius decided that the default if you touch a login is to edit, not to fill the form.
      • tecleandor 127 days ago
        Yeah! I hated that! Thankfully I found that you can change that behavior in a preference.
        • mvdtnz 127 days ago
          And you need to change that preference on every single device, it will not change your default. And they hide this option in a weird place away from all of the other Appearance options.

          I'm not one to complain about UI changes but some of their recent decisions are baffling beyond belief.

          • kwanbix 126 days ago
            Yeah, as a PM and former dev I always wonder who decides these types of things.
      • locusofself 127 days ago
        I hate this too
  • jz10 126 days ago
    I just literally spent a week transferring all my authy keys to Bitwarden's somewhat hidden OTP generator feature. nice to see they finally made a standalone app. Now I'm gonna find out if both are integrated..... (I really hope so)
  • ViVr 127 days ago
    I'd like to see them add support for including attachments in your Bitwarden exports before I go putting any more critical data into their ecosystem.

    It has been a feature request for close to 6 years now: https://community.bitwarden.com/t/allow-attachments-to-be-ex...

    • jackhalford 127 days ago
      Personally I just backup the underlying filesystem (i.e /data) that vaultwarden uses.

      Edit: I realize you are probably using bitwarden directly, in which case don’t you trust them to safeguard your data?

      ps: if it’s just ssh keys, just store them as key value pairs? I haven’t kept ssh keys for a long time thanks to tailscale ssh…

      • ViVr 127 days ago
        > I realize you are probably using bitwarden directly, in which case don’t you trust them to safeguard your data?

        Yes, I use bitwarden directly, no self hosting. I do trust them to keep my data safe (although I also trusted LastPass at some point, big mistake) but why not also keep a local copy, just in case. The type of data you store in bitwarden is worth the hassle, and if Bitwarden Inc. ever gets into big trouble suddenly you'll be glad to have the backup.

        • jackhalford 127 days ago
          If the data is worth the hassle to back up, isn’t it worth the hassle to self host? Especially if you were part of the LastPass breach.
  • itsthecourier 126 days ago
    I was a LastPass client, then they got hacked and I moved to bitwarden. I feel better with their app integration and it feels good.

    yet I wouldn't use their 2fa app, just because if they get hacked at some point I don't want passwords and 2FA stored with the same company

    doing great with Authy on that front

  • blackeyeblitzar 126 days ago
    Does this have lock in like Authy, where it’s not possible to export the codes? Does it not work on desktop since the page says iOS and Android? And isn’t it a bad idea to use both the password manager and Authenticator from the same company?
  • hedora 126 days ago
    The “An Error Occurred” database corruptions last year convinced me I can’t trust bitwarden any more.

    Any suggestions for something I can host at home? It needs mac, linux and ios clients and (unlike bitwarden) must gracefully handle the server being unavailable.

    • bramhaag 126 days ago
      Vaultwarden [1] if you want to keep using the Bitwarden clients but with a different, self-hosted backend. You can also use KeePassXC and self-hosted file service to sync your database between devices [2]. KeePassXC has a merge feature in case one of your local databases diverges, so the server being unavailable is not an issue.

      [1] https://github.com/dani-garcia/vaultwarden

      [2] https://keepassxc.org/docs/#faq-cloudsync

      • hedora 126 days ago
        I’m using vaultwarden, and am happy with it. The official client is the problem.

        Given the catastrophic outcomes associated with corruption of the DB, I can’t imagine trusting the keepassxc approach.

        How can they possibly handle concurrent updates to the password database correctly across that range of cloud filesystem products? Each has different semantics. Does someone fuzz test the whole stack, at least? For which services?

        • bramhaag 126 days ago
          I can only speak for my own setup: KeePassXC on multiple devices with a local NextCloud instance for syncing my database.

          First and foremost, automate backing up your database. NextCloud also supports versioned files, so if something does go wrong, you can roll back to a working DB as a last resort.

          A good syncing application will not upload files that are currently opened in write mode. This way you cannot upload files mid-write, preventing uploading corrupted DBs. This of course assumes that both KeePassXC and NextCloud are perfect, but even if something breaks there you have your automated backups and previous versions of the database file. I should note that this has never happened to me, but if it were to happen I am safe.

          In case you have diverging databases (e.g. server is offline and you add a new account on device 1 and a different account on device 2), NextCloud will create a conflict file which you can merge from the KeePassXC client to resolve the issue. No accounts are lost but it is an additional manual step to get all your changes back into the "main" DB.

    • santosh898 126 days ago
      Checkout Ente Auth
      • hedora 126 days ago
        That looks reasonable at first glance. Will have to look more carefully.

        I do wonder about attack surface / operational complexity though. It syncs to three clouds and there is a postgres database, apparently.

        Operating that myself reliably seems hard. I’m not looking for a hobby project and LastPass is the Last cloud hosted e2ee Password manager I will ever trust.

  • yumraj 126 days ago
    I had exported my tokens out of Authy when they had killed the desktop version, and imported them into KeePassXC.

    I find KeePassXC, which I use for managing passwords and now TOTP, to be the best option for me.

    I still use Authy on mobile but having an offline backup is great.

  • sneak 126 days ago
    TOTP is bad. TOTP is phishable. Stop using or promoting TOTP.

    We have modern authentication called WebAuthn, supported by Bitwarden proper as well as physical security keys and iOS’s native password manager. Use it.

    • linsomniac 126 days ago
      I agree that webauthn is a better choice than TOTP, but it is not really a choice in most services today. Sites having WORKING webauthn are so rare that I literally mentioned it on my work Slack 2 days ago when I set one up at Target and it worked.
    • Sharparam 126 days ago
      TOTP is still the MFA option that is supported by most services.

      WebAuthn is of course better, but it's still a minority that supports it.

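The thread above contrasts phishable TOTP with WebAuthn. The concrete difference on the server side is origin binding: a TOTP verifier receives six digits and nothing else, so a code typed into a look-alike site and relayed by the attacker verifies exactly like a code typed into the real one, whereas a WebAuthn relying party receives a `clientDataJSON` that the browser fills in with the origin the user was actually on, and the spec requires the server to reject a mismatch. The following is an added example, not code from Bitwarden or from any commenter, showing that relying-party check in isolation. The origins, challenge and the two captured `clientDataJSON` blobs are constructed for the demonstration; the signature check over `authenticatorData || SHA-256(clientDataJSON)` that a real verifier performs afterwards is deliberately left out, since the point here is only the origin binding that TOTP lacks.

```python
"""Relying-party checks on WebAuthn clientDataJSON (WebAuthn Level 2, section 7.2).

Added example, not Bitwarden code. Sample origins, challenge and client data are constructed.
"""
import base64
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # WebAuthn uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_client_data(client_data_json: bytes, expected_challenge: str,
                      allowed_origins: set, expected_type: str = "webauthn.get"):
    """Return (ok, reason). Mirrors the type / challenge / origin steps a relying
    party performs before it even looks at the authenticator's signature."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "malformed clientDataJSON"
    if data.get("type") != expected_type:
        return False, "wrong ceremony type"
    # Challenge must equal the one this server issued for this login attempt.
    if not hmac.compare_digest(str(data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed or foreign)"
    # Origin is filled in by the browser, not by the page's JavaScript, so a
    # look-alike site cannot claim to be the real one. TOTP has no such field.
    if data.get("origin") not in allowed_origins:
        return False, "origin mismatch (phished or relayed)"
    return True, "ok"


# Constructed demonstration data: a challenge the RP handed out, a genuine
# assertion from the real site and one relayed from a look-alike domain.
RP_ORIGINS = {"https://example.com"}
CHALLENGE = b64url_encode(b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10")


def make_client_data(origin: str, challenge: str = CHALLENGE) -> bytes:
    # What a browser would serialize; key order does not matter to the verifier.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()


def demo() -> dict:
    genuine = make_client_data("https://example.com")
    phished = make_client_data("https://examp1e.com")   # same challenge, relayed by attacker
    return {
        "genuine": check_client_data(genuine, CHALLENGE, RP_ORIGINS),
        "phished": check_client_data(phished, CHALLENGE, RP_ORIGINS),
        "stale": check_client_data(make_client_data("https://example.com", "AAAA"),
                                   CHALLENGE, RP_ORIGINS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} -> {result}")
```

The `challenge` comparison is what kills replay; the `origin` comparison is what kills the relay-proxy phishing that defeats TOTP. Both values arrive inside data the browser signs over, so the attacker cannot rewrite them after the fact.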
  • jackhalford 127 days ago
    Funny this pops up today, I’ve finished migrating from KeePassXC to a self hosted vaultwarden. The official bitwarden apps and browser extension are super well made, so good so far with the switch.
  • RandyOrion 126 days ago
    Bitwarden app itself already integrates two-factor authentication code support.

    I use the app on both PC (chromium extension) and phone, and I'm happy about it.

  • cantrecallmypwd 126 days ago
    I prefer Authy for most TOTPs, although regular Bitwarden supports Steam and Blizzard codes too and some TOTP formats that it refuses to import.
  • haswell 126 days ago
    I’ve been using the “OTP Auth” app by Roland Moers since hearing about it on Steve Gibson’s Security Now podcast.

    Extremely happy with it.

  • NewJazz 127 days ago
    How would this work on a degoogled android? I just use freeotp+ and have backup codes in case I lose the device.
    • therealpygon 127 days ago
      One option would be Vaultwarden server for your password storage (Bitwarden compatible) and 2FAS for auth (export once a week and save the backup to your own cloud)
    • ThePowerOfFuet 127 days ago
      Use Bitwarden with a Pro subscription ($10/year).
      • stwrzn 127 days ago
        Or self-host the server
        • rowlandc 127 days ago
          Vaultwarden is much easier to self host and does all the same things, without the need for a premium subscription too.
          • cyberge99 127 days ago
            Why are people so averse to having premium accounts if it’s reasonably priced and provides value?
            • elashri 127 days ago
              You can pay the customary $10 per year to bitwarden to support them and still self-host vaultwarden. Some people want to have control and don't want to have to deal with VC money getting in the way (1Password was a hard learnt lesson). Also vaultwarden seems a lot cleaner and easier to install and manage than the official bitwarden server. And you still rely on their clients.
            • hedora 126 days ago
              Still reeling from LastPass.

              Eventually some new product manager will be put into control at BitWarden and will screw everything up. If not, they’ll get acquired and be cost cut into catastrophe.

              I could be wrong. If I am wrong, the downside is wasting time self hosting. If I am right, the downside of using their service is resetting 200 account passwords one at a time. Again.

            • Marsymars 126 days ago
              Not everyone is. I’ll preferentially pay for a managed service that’s reasonably priced, but I still end up with a whole pile of self-hosted services because managed versions don’t really exist. (A bunch of alternative front-ends to various websites, an audiobook server, Plex, Homebridge, etc.)
  • Paul-Craft 127 days ago
    Okay. So? HOTP and TOTP are so trivial to implement, you can even use a C64[0] as your 2FA device. Here's my anti-FAQ[1] to their FAQ:

    ---

    ### TOTP ANTI-FAQ

    1. Want a guide to implementing time-based passwords in your app? Here you go: https://www.freecodecamp.org/news/how-time-based-one-time-pa...

    2. What was that? You want to do it in Typescript? Okay, here you go: https://www.npmjs.com/search?q=totp

    3. Want to do it in Python? Unfortunately, you only have 275 choices: https://pypi.org/search/?q=totp&o=-created

    4. How about on an Arduino? https://github.com/lucadentella/TOTP-Arduino

    5. Fuck it, we'll do it ~~live~~ in Emacs! https://www.masteringemacs.org/article/securely-generating-t...

    Y'all get the point by now, I'm sure.

    ---

    [0]: https://www.gadgetany.com/news/now-the-commodore-64-is-a-two...

    [1]: "Anti"-FAQ, because I'd like to discourage people from wasting brain cycles on thinking that a time-based authenticator app is something worth announcing.

  • beebaween 126 days ago
    Do I still have to pay extra to use a yubikey?
  • Lord_Zero 126 days ago
    Are we all off the 2FAs train now?
  • samstave 127 days ago
    no.

    Zero trust, and that it slides auth horizontally to other untrusted flows...

    Like literally walk an LLM through my data path?

  • bootcat 126 days ago
    Why can't this be in the same app?
  • egamirorrim 126 days ago
    Yet another authenticator that I can't run on desktop
  • yoyohello13 127 days ago
    So I’ve been a happy Bitwarden subscriber since about 2020. I originally picked it because it seemed like a good compromise between open source options like KeePassXC and something less trustworthy like 1Password.

    I haven’t really been paying much attention to Bitwarden lately, but I’ve heard they’ve taken VC/got bought out or something. So for those more in the know, is it time to start migrating? Or does Bitwarden still seem like it’s on a good path?

    • aetherspawn 127 days ago
      Why do you say 1Password isn’t trustworthy? We’ve been using 1P close to a decade and they’ve managed to not leak our passwords that whole time, unlike many other cloud password managers who have had breaches.
      • yoyohello13 127 days ago
        Sorry, I didn’t mean to specifically call out 1Password. I should have said “closed source” not “untrustworthy”. Last time I looked at password managers, Bitwarden and KeePass were the only real OSS solutions. And Bitwarden had better quality of life features.