Bitwarden Authenticator is a standalone app that is available for everyone, even non-Bitwarden customers.
In its current release, Bitwarden Authenticator generates time-based one-time passwords (TOTP) for users who want to add an extra layer of 2FA security to their logins.
There is a comprehensive roadmap planned with additional functionality.
Available for iOS and Android
Thank goodness! I can finally get the hell away from Authy!
You could have before. I moved from Authy to Aegis a few months ago
Correct me if I am wrong, but the Bitwarden client itself already does this. I store several of my TOTP’s in my self hosted Vaultwarden/Bitwarden install.
And where would you store your Bitwarden login TOTP if you used their service instead of self hosting?
And what happens if your Bitwarden account gets compromised? Now you’ve lost both factors at the same time.
No, I’ll keep my 2FA separate from my password manager, thank you very much.
You’re right, it does. This is a head-scratcher.
I guess they already had the TOTP code written, so creating a standalone app was trivial, but what’s the point?
TOTP in the Bitwarden Vault is a paid feature. The standalone app is free, and doesn’t even require a Bitwarden account.
This allows free tier users a way to use TOTP without upgrading, and without needing to trust Google Authenticator or something else.
TOTP code is like 5 lines. The hardest part is writing the seed to disk.
Glad these were answered:
Isn’t this the same as storing TOTP authentication codes in Bitwarden Password Manager?
Integrated TOTP authentication is a premium feature in Bitwarden Password Manager. Bitwarden Authenticator is a standalone mobile app that generates TOTP codes for any online service that supports them. Bitwarden Authenticator can be used without a Bitwarden account.
Should I use both? When should I use the integrated authentication feature? When should I use Bitwarden Authenticator?
Integrated authentication in Bitwarden Password Manager offers a convenient way for users to add 2FA to their online accounts. This popular feature will remain available across paid plans.
Bitwarden Authenticator can be used to store your verification codes to access your Bitwarden account, as well as other online applications you use.
They can be used together, or separately, depending on your security preferences.
Does this save to my cloud account with them or is it only local? I got screwed over by Aegis (my fault) when I got a new phone and forgot to back up Aegis and lost a lot of my logins. Some of them I can’t get unless I call the company and verify it’s me 🤦🏽♂️
Do backups kids. :)
I actually keep an authenticator app on my desktop, so I always have two places for everything. Aegis on my phone and “Authenticator” on my Linux desktop.
Wait, I’m a second child, am I a backup kid?
Then how do you secure the backup without 2FA?
Or is it 2FA all the way down?
You could store it on an external drive. You can encrypt it with VeraCrypt as well.
Aegis encrypts it with a password, then you copy it somewhere. It’s just a set of keys and you can have as many copies as you want (I have three, one phone and two desktops).
Aegis doesn’t run on your desktop using the same key, it’s just a key stored there, right?
No, I use a different authenticator app (called Authenticator in the Flatpak store), but it does use the same keys. So I import the keys from an Aegis dump so I can generate exactly the same keys on my desktop app that I do on my phone.
TOTP is a really simple system, as long as I have access to the secret key and a reliable time source, I can generate the exact same tokens as any TOTP app would.
How do I do the backup for Aegis? I looked at it and it’s set up but then at the bottom it says no backups have been made 🤔
Settings > Import/Export > Export
This dumps it to a file, then it’s on you to copy it somewhere else.
Or
Settings > Backups
I think this one is automated, but I personally don’t use it, I just back it up manually when I add something new. I keep a completely functional 2FA app on my desktop, so I always have a backup in a pinch.
Thanks!
I backup everything, but Aegis
Aegis does automatic backups. I guess you didn’t turn it on?
Guess I didn’t. I hate me even more now
The penguin is dead 😂
😂 I guess it is. Damit
I spelled your username wrong. I thought the q was a g. 😂
I don’t care. It’s meant to be a penguin with a q.
Yubikey and yubico authenticator is king. Just need multiple keys. Stick it in a PC or tap it on your phones nfc… bam totp code pulls up.
Just like in the password manager, they ignored HOTP. Oh well.
Could you tell me more ?
HOTP is an HMAC-based OTP, whereas TOTP is a time-based OTP. Basically, this is how each works:
- HOTP - based on a key + a counter, which increments with each code generated
- TOTP - based on a key + time, so you get a new key every N seconds
TOTP is quite common and honestly is all I use, whereas HOTP may be more common in certain enterprises. Main criticisms:
- HOTP - longer time window for a key to be valid for the entire time between logins (i.e. potentially easier to brute force)
- TOTP - less user-friendly due to the time window; also, you just need a clock, you don’t need to know the counter value (if someone gets the key, they can generate keys whenever)
Gotcha, thank you very much.
Nice! I currently have a couple of services on MS Authenticator that I can migrate over.
Nice. But as a BitWarden user, it’s useless to me. I’ve never put all my eggs in one account basket.
Passwords on one service, MFA on another, email on yet another, etc.
Any reason to switch from Aegis?
Not yet.
No icons, no ability to save notes, a URL or back it up in an encrypted json.
I will definitely keep an eye on it though.Thats what i want to know, i use Authy, and want to know if its worth switching for.
Honestly, TOTP is so simple it would take a lot to switch from Aegis, and most of that would be from Aegis screwing up.
deleted by creator
Is there anything about Aegis that makes it better than Authy? Just looking at the page for Aegis, I’m not seeing a lot of difference. And it being Android only limits it.
It’s open source. Authy isn’t.
Ah, gotcha. Makes sense.
Good. They make great stuff.
I’m not putting my totp with my password, same as I’m not putting my password with my email (proton)
It’s a separate app with no sync to Bitwarden accounts.
Still, I bet they share a lot of the same backend and personell.
personell doesmt matter as it’s zero knowledge?
And seemingly reading beyond the headline is also not your thing.
This is a separate app unconnected to your bitwarden account…Exactly, from a security perspective, it’s a bad idea to put 2 factor tokens together with your passwords. You effectively eliminate the security benefit that 2 factor provides if you do because if people get into your password manager, they have everything they need to access your accounts. The only people it “helps” having it all in one app are people who don’t understand the purpose of 2 factor and just see it as an inconvenience when services force it on them. Even though I use BitWarden for passwords, I don’t think that I’ll be changing from Aegis to BitWarden’s stand-alone authenticator because Aegis is doing its job nicely.
That’s also part of why I’m against the new passkeys. I think passkeys could replace either passwords or tokens, but not both.
It really depends on your threat model. It’s not a one size fits all thing.
For instance in some threat models you shouldn’t have TOTP auth and passwords on the same device, let alone the same app, but the vast majority of people are not going to carry two devices because of how inconvenient it is.
I assume its still absolutely impossible to migrate from one authenticator app to another without having to set it all up again?
You can use Authenticator Pro (android, opensesource) and Proton Pass, both let you copy the TOTP generation code to paste into another without problem. Both generate exact code
In fact that’s how I am using them right now, with Authenticator Pro is my on-device, offline, encrypted backup offline backup TOTP for Pass.
I guess it is not as straight forward as export import as you hope, but it’s not as bad as other options used to be.
As long as you can access the keys, you can swap authenticator apps.
I tried a few until I landed in Aegis, and I have two on my desktop that I’m trying out as well. Just get something that allows exporting the keys and there will be a path to switching apps.
“Import” does appear on the roadmap for this month, we probably can’t know what’s the scope fr that but you’llhave your answer soon :p
Authy killed their Windows app so its been on my mind. Im trying to use Roboform integrated mfa more, but i probably have 50 accounts in authy.
KeePassXC can do this as well. I had no idea until I saw a post on here where someone mentioned it. Here’s the documentation.
Jesus fuck. How many more authentication apps do we need that all do the same thing?
At work I need at least 4-5 different authentication apps because every customer has something different.
We don’t need another.
You only need one app, as long as the totp is implemented in a standardized way.
deleted by creator
Random number generator 2fa?
Currently use Raivo on iOS. If this is offline only and has a way to export I may change.
I personally have no use for this since I use Aegis and sync it with my synology drive
