Bitwarden Authenticator is a standalone app that is available for everyone, even non-Bitwarden customers.
In its current release, Bitwarden Authenticator generates time-based one-time passwords (TOTP) for users who want to add an extra layer of 2FA security to their logins.
There is a comprehensive roadmap planned with additional functionality.
Available for iOS and Android
To those that are confused about this:
Bitwarden does indeed handle TOTP directly in the password manager, but only on paid accounts and only logged in.
This is a completely offline app, separate from your existing Bitwarden account, that is entirely free.
It might serve as an alternative to e.g Aegis to some.
At this moment Aegis is far superior to bitwarden auth. But it looks promising.
I really like the ability to “sideload” the icons for the codes and automatic encrypted backups to cloud storages.Not switchin’ from Aegis. No sir’ee.
I use the TOPT features and i dont have a paid account
Do you self-host? I think that’s another way to get the TOTP features w/o a paid account.
Probably but i am not
It might serve as an alternative to e.g Aegis to some.
Does it have any killer features in favor of using the free app of an for-profit company instead of an established FOSS app?
Bitwarden apps have been open source since the beginning, mobile + backend + web
I haven’t been entirely happy with Bitwarden for other reasons. You can’t self host and share with one other person without paying them $40/year. Their advertising is deceptive, because they say you can do both for free. But that one or the other, not both.
You also can’t easily share individual passkeys outside of the app. If you want to grab a passkey, you have to export your entire vault.*
It’s basically annoyance-ware.
* note that sharing passkeys is not best practice, but there are use cases.
I don’t think I realized that was a limitation because I’ve been using the Vaultwarden fork. https://github.com/dani-garcia/vaultwarden
Have you heard if VaultWarden?
As others have said vaultwarden is the solution here. It is free, you can manage multiple vaults, totp is free. All the platform bit warden apps & plugins work with it. Supposedly it is leaner and easier to set up. Don’t know for sure because it is all I have used.
For shared passwords, I have a family vault where I put my streaming pws and such and everyone has access without having to share my personal vault.
Yeah, VaultWarden sounds like the answer.
with full Internet access (As shown in Aurora Store)
Thanks but I pass, I’d rather use Aegis that doesn’t need internet connection at all.
How does 2FA work without an internet connection?
deleted by creator
Thank goodness! I can finally get the hell away from Authy!
You could have before. I moved from Authy to Aegis a few months ago
Correct me if I am wrong, but the Bitwarden client itself already does this. I store several of my TOTP’s in my self hosted Vaultwarden/Bitwarden install.
And where would you store your Bitwarden login TOTP if you used their service instead of self hosting?
And what happens if your Bitwarden account gets compromised? Now you’ve lost both factors at the same time.
No, I’ll keep my 2FA separate from my password manager, thank you very much.
Good luck getting your vault compromised.
Unless you have a weak password or the vault isn’t encrypted (which it is, AES256 iirc and you might be able to change that on a self hosted version), I don’t see that happening.
Most password manager hacks don’t attack the encryption or password themselves (my password is very long), they find/create a side channel. For example:
- keylogger attack to grab password manager password
- social engineering to reset a password
- attack the server to intercept passwords
Every secure system can be defeated, but it’s a lot less likely that two secure systems will be defeated at the same time. So I keep my passwords and second factors separate. It’s unlikely that either will be compromised, and incredibly unlikely that both will be compromised at the same time.
You’re right, it does. This is a head-scratcher.
I guess they already had the TOTP code written, so creating a standalone app was trivial, but what’s the point?
Security-wise it’s not a good idea to keep passwords and 2FA codes in the same client as it then becomes a single point of failure. A standalone authenticator app resolves that as long as it’s not unlocked with the same master password. A standalone app also opens a venue for non-BW customers to get on their platform.
It’s not a good idea to keep both on the same device, but i wouldn’t use it at all if it was a struggle
Would it count if the application is the same but all the TOTP is handled by a different database with a different passphrase?
Depends on how they got broken
TOTP in the Bitwarden Vault is a paid feature. The standalone app is free, and doesn’t even require a Bitwarden account.
This allows free tier users a way to use TOTP without upgrading, and without needing to trust Google Authenticator or something else.
TOTP code is like 5 lines. The hardest part is writing the seed to disk.
thd totp in the default application is paid and that isn’t
Because you can enable totp on your Bitwarden account and it would be dumb to store the password and totp for your biwarden vault in your vault?
Also it can act as a stepping stone for non Bitwarden customers, before getting their own vault.
Glad these were answered:
Isn’t this the same as storing TOTP authentication codes in Bitwarden Password Manager?
Integrated TOTP authentication is a premium feature in Bitwarden Password Manager. Bitwarden Authenticator is a standalone mobile app that generates TOTP codes for any online service that supports them. Bitwarden Authenticator can be used without a Bitwarden account.
Should I use both? When should I use the integrated authentication feature? When should I use Bitwarden Authenticator?
Integrated authentication in Bitwarden Password Manager offers a convenient way for users to add 2FA to their online accounts. This popular feature will remain available across paid plans.
Bitwarden Authenticator can be used to store your verification codes to access your Bitwarden account, as well as other online applications you use.
They can be used together, or separately, depending on your security preferences.
Great. Now I have to make the effort of migrating from Authy.
Does this save to my cloud account with them or is it only local? I got screwed over by Aegis (my fault) when I got a new phone and forgot to back up Aegis and lost a lot of my logins. Some of them I can’t get unless I call the company and verify it’s me 🤦🏽♂️
Do backups kids. :)
I actually keep an authenticator app on my desktop, so I always have two places for everything. Aegis on my phone and “Authenticator” on my Linux desktop.
Wait, I’m a second child, am I a backup kid?
Then how do you secure the backup without 2FA?
Or is it 2FA all the way down?
You could store it on an external drive. You can encrypt it with VeraCrypt as well.
Aegis encrypts it with a password, then you copy it somewhere. It’s just a set of keys and you can have as many copies as you want (I have three, one phone and two desktops).
Aegis doesn’t run on your desktop using the same key, it’s just a key stored there, right?
No, I use a different authenticator app (called Authenticator in the Flatpak store), but it does use the same keys. So I import the keys from an Aegis dump so I can generate exactly the same keys on my desktop app that I do on my phone.
TOTP is a really simple system, as long as I have access to the secret key and a reliable time source, I can generate the exact same tokens as any TOTP app would.
How do I do the backup for Aegis? I looked at it and it’s set up but then at the bottom it says no backups have been made 🤔
Settings > Import/Export > Export
This dumps it to a file, then it’s on you to copy it somewhere else.
Or
Settings > Backups
I think this one is automated, but I personally don’t use it, I just back it up manually when I add something new. I keep a completely functional 2FA app on my desktop, so I always have a backup in a pinch.
Thanks!
I backup everything, but Aegis
Aegis does automatic backups. I guess you didn’t turn it on?
Guess I didn’t. I hate me even more now
The penguin is dead 😂
😂 I guess it is. Damit
I spelled your username wrong. I thought the q was a g. 😂
I don’t care. It’s meant to be a penguin with a q.
Yubikey and yubico authenticator is king. Just need multiple keys. Stick it in a PC or tap it on your phones nfc… bam totp code pulls up.
After Authy scrapped its support for the desktop client, I’m looking for an alternative. Sadly, this does not look like it.
Ente.io is working on a desktop app. Whilst its experimental, you can get it from the releases page on their github
Sadly, this does not look like it.
Why?
I do not see a desktop client.
Ah. I only use a phone app, but I see the problem.
I use Authenticator on Linux. I’m not sure what OS you use, but perhaps there’s another, TOTP is a pretty easy protocol to implement (it’s basically just a hash of a key and timestamp).
I would like an app for desktop and phone/tablet that are syncing, just like Authy did, before they abandoned the desktop app.
So, for me that means: iOS/iPadOS and macOS
I’m in the same boat. I’m a paid Bitwarden user but I’d like to keep 2fa and passwords separated.
If no alternative soon, i’ll just bite the bullet and put everything in bitwarden (except itself, ofc)
Just like in the password manager, they ignored HOTP. Oh well.
Could you tell me more ?
HOTP is an HMAC-based OTP, whereas TOTP is a time-based OTP. Basically, this is how each works:
- HOTP - based on a key + a counter, which increments with each code generated
- TOTP - based on a key + time, so you get a new key every N seconds
TOTP is quite common and honestly is all I use, whereas HOTP may be more common in certain enterprises. Main criticisms:
- HOTP - longer time window for a key to be valid for the entire time between logins (i.e. potentially easier to brute force)
- TOTP - less user-friendly due to the time window; also, you just need a clock, you don’t need to know the counter value (if someone gets the key, they can generate keys whenever)
Gotcha, thank you very much.
Nice! I currently have a couple of services on MS Authenticator that I can migrate over.
What makes you switch to this one rather than staying on MS?
Edit: oh no I asked a question that is obvious to others
MS not trustworthy
Microsoft’s Authenticator app is AWFUL. Just one example - there is a setting to backup to iCloud, but when you try to enable it, it demands you add a secondary (personal) Microsoft account.
I didn’t know it sucked on the iPhone, I haven’t had problems on Android, I actually quite like it. I would only change to get away from Microsoft
Good. They make great stuff.
Nice. But as a BitWarden user, it’s useless to me. I’ve never put all my eggs in one account basket.
Passwords on one service, MFA on another, email on yet another, etc.
KeePassXC can do this as well. I had no idea until I saw a post on here where someone mentioned it. Here’s the documentation.
Any reason to switch from Aegis?
Not yet.
No icons, no ability to save notes, a URL or back it up in an encrypted json.
I will definitely keep an eye on it though.Thats what i want to know, i use Authy, and want to know if its worth switching for.
deleted by creator
Honestly, TOTP is so simple it would take a lot to switch from Aegis, and most of that would be from Aegis screwing up.
Is there anything about Aegis that makes it better than Authy? Just looking at the page for Aegis, I’m not seeing a lot of difference. And it being Android only limits it.
It’s open source. Authy isn’t.
Ah, gotcha. Makes sense.
I’m not putting my totp with my password, same as I’m not putting my password with my email (proton)
It’s a separate app with no sync to Bitwarden accounts.
Still, I bet they share a lot of the same backend and personell.
personell doesmt matter as it’s zero knowledge?
Exactly, from a security perspective, it’s a bad idea to put 2 factor tokens together with your passwords. You effectively eliminate the security benefit that 2 factor provides if you do because if people get into your password manager, they have everything they need to access your accounts. The only people it “helps” having it all in one app are people who don’t understand the purpose of 2 factor and just see it as an inconvenience when services force it on them. Even though I use BitWarden for passwords, I don’t think that I’ll be changing from Aegis to BitWarden’s stand-alone authenticator because Aegis is doing its job nicely.
That’s also part of why I’m against the new passkeys. I think passkeys could replace either passwords or tokens, but not both.
It really depends on your threat model. It’s not a one size fits all thing.
For instance in some threat models you shouldn’t have TOTP auth and passwords on the same device, let alone the same app, but the vast majority of people are not going to carry two devices because of how inconvenient it is.
And seemingly reading beyond the headline is also not your thing.
This is a separate app unconnected to your bitwarden account…
