Bitwarden Authenticator

Looks like this has changed very recently:

1 Like

They just added the functionality yesterday on iOS.

The apparent inclusion of tokens in iCloud backups with no clear option to disable it should probably be a consideration in recommending this. It’s not clear whether they are encrypted in any way before sending to iCloud, and not everyone has Advanced Data Protection enabled.

Just a reminder, having your 2FA in the same spot as your passwords means you don’t have 2FA.

That’s not usually true. The password can be stolen / phished / hacked, but it’s useless without the TOTP code which is only valid for 30 seconds. Of course, if your TOTP seed (from which the codes are derived) is stolen, then yes.

Maybe I’m misunderstanding here, but if somebody was to somehow get into your Bitwarden, would they not have both the passwords and a brand new code every 30 seconds?

This is much less secure than having your passwords in Bitwarden and then your 2FA in something like Proton Pass or Aegis, where if somebody gets into my Bitwarden, it doesn’t matter, because they can’t get the codes.

You’re right, that’s true if you have your Bitwarden and Aegis on different devices or secured by different passwords (i.e. the attacker has access to one but not the other app), and no recovery codes are saved in Bitwarden either.

1 Like

Bitwarden Authenticator is totally different app from Bitwarden Password Manager. They don’t have an integration between each other. BW Authenticator doesn’t require an account too.

1 Like

I used to hold that opinion, but it seems like an overly black and white statement that is unintentionally misleading.

What you’ve said is true against one specific important but less likely category of threat: your password manager vault is breached by an attacker who has not compromised the device you use for totp. It is true that in this specific context, storing 2fa secrets totally separate from your passwords would offer a meaningful second layer of defense.

But a breach of our password manager vault is nowhere near the most likely or most common way that our accounts typically get compromised. A server side breach or hack of a service you use, or phishing, social engineering, malware, and/or someone close to you with physical access to your device, are typically more common threats, and in these cases storing TOTP in a separate app or inside your password manager, usually won’t make much of a difference, because the attacker doesn’t have and didn’t need access to your unencrypted vault.

I think you can and should feel more secure storing your totp secrets separately from your passwords/logins, But you shouldn’t frame not doing so as equivalent to not using 2fa at all. Because in most cases–apart from a breached vault–a similar level of protection is achieved regardless of whether your totp is stored within your password manager or in a standalone app. At least that is how I see it.

Also with Bitwarden, the choice is yours, they offer TOTP in the password manager itself, and they now offer this standalone app as well.

3 Likes

Awesome! Seems like a long time coming for, what I think, should be a day 1 feature. Better late then never I guess :smiley:

Imported from Aegis on my Pixel 7 with GOS, worked without any issue.

Probably still not ready to daily drive, even though I will keep it updated. Until I can set a password I probably wouldn’t consider it.

Even then, without the password manager sync feature being ready, there doesn’t seem to be any incentive to switch from Aegis, which is a much more polished product at this point.

Overall super happy to see progress. Really want this to be great!

I don’t really understand the logic behind this.

If your vault already has MFA, then anything in the vault already has two factors of authentication to be able to access.

For example, if your proton email password and token are in BW vault, which also has a password and token or security key needed to access it, how would one see that as only one factor of authentication?

EDIT: sorry for the two comments in a row. Mods feel free to combine them in some way if you want.