Looks like this has changed very recently:
https://redlib.nohost.network/r/Bitwarden/comments/1dezfku/bitwarden_authenticator_adds_import_options_for/l8fbuyt/?context=3
They just added the functionality yesterday on iOS.
The apparent inclusion of tokens in iCloud backups with no clear option to disable it should probably be a consideration in recommending this. It's not clear whether they are encrypted in any way before sending to iCloud, and not everyone has Advanced Data Protection enabled.
That's not usually true. The password can be stolen / phished / hacked, but it's useless without the TOTP code which is only valid for 30 seconds. Of course, if your TOTP seed (from which the codes are derived) is stolen, then yes.
You're right, that's true if you have your Bitwarden and Aegis on different devices or secured by different passwords (i.e. the attacker has access to one but not the other app), and no recovery codes are saved in Bitwarden either.
Bitwarden Authenticator is a totally different app from Bitwarden Password Manager. They don't have an integration between each other. BW Authenticator doesn't require an account either.
I used to hold that opinion, but it seems like an overly black and white statement that is unintentionally misleading.
What you've said is true against one specific important but less likely category of threat: your password manager vault is breached by an attacker who has not compromised the device you use for TOTP. It is true that in this specific context, storing 2FA secrets totally separate from your passwords would offer a meaningful second layer of defense.
But a breach of our password manager vault is nowhere near the most likely or most common way that our accounts typically get compromised. A server-side breach or hack of a service you use, or phishing, social engineering, malware, and/or someone close to you with physical access to your device, are typically more common threats, and in these cases storing TOTP in a separate app or inside your password manager usually won't make much of a difference, because the attacker doesn't have and didn't need access to your unencrypted vault.
I think you can and should feel more secure storing your TOTP secrets separately from your passwords/logins, but you shouldn't frame not doing so as equivalent to not using 2FA at all. Because in most cases, apart from a breached vault, a similar level of protection is achieved regardless of whether your TOTP is stored within your password manager or in a standalone app. At least that is how I see it.
Also with Bitwarden, the choice is yours, they offer TOTP in the password manager itself, and they now offer this standalone app as well.
Awesome! Seems like a long time coming for what I think should be a day 1 feature. Better late than never, I guess.
Imported from Aegis on my Pixel 7 with GOS, worked without any issue.
Probably still not ready to daily drive, even though I will keep it updated. Until I can set a password I probably wouldn't consider it.
Even then, without the password manager sync feature being ready, there doesn't seem to be any incentive to switch from Aegis, which is a much more polished product at this point.
Overall super happy to see progress. Really want this to be great!

Just a reminder, having your 2FA in the same spot as your passwords means you don't have 2FA.
I don't really understand the logic behind this.
If your vault already has MFA, then anything in the vault already has two factors of authentication to be able to access.
For example, if your proton email password and token are in BW vault, which also has a password and token or security key needed to access it, how would one see that as only one factor of authentication?
EDIT: sorry for the two comments in a row. Mods feel free to combine them in some way if you want.