Proton Pass (Password manager)

It’s funny when you mention the WebAuthn pricing issue together with open source as if you actually would have checked: when self-hosting Bitwarden it is not paywalled, so that invalidates your argument.

Nevertheless, I agree that paywalling security is odd. I would have suggested other restrictions, but just pay 30 a year for your family and you can share passwords to your Netflix accounts :slight_smile:

1 Like

You’re missing my point.

[1] I never questioned the reputation or motives of Bitwarden.
Like I said, I’m a paid user, and I wouldn’t go with Bitwarden if I didn’t trust them.

[2] I also never dismissed the financial aspect.
I never said they’re not allowed to make money or should be a non-profit organization, or criticized them for being a for-profit company.
I specifically said that a strong 2FA option shouldn’t be the thing that they highlight to entice free users.

[3] I also never said regional pricing is a common thing.
I was talking about regional pricing in regard to accessibility of Bitwarden and its many features for many people around the world.

[4] Paywalling security is just unusual and seems inconsistent with the aim of providing a highly secure password manager (though not in any way a dealbreaker for me).
This is especially true when a competitor like Psono doesn’t paywall a strong 2FA option.
Pointing this out is not an attack on Bitwarden as a product or company.
Bitwarden’s paid tier offers things like encrypted file attachments, an authenticator, emergency access, priority support, encrypted password sharing, etc.
These extras should be compelling enough to convince someone to spend $1 a month.

[5] Self-hosting isn’t an option for everyone, whether due to pricing, technical knowledge, etc.
More importantly, FIDO2 WebAuthn as 2FA is still paywalled even if you self-host, last time I checked when I was considering self-hosting.

[6] If you think that Venezuela, Turkey, or Argentina are representative examples of what I meant, you really need to expand your world view.

Anyways, it’s not my intention to hijack a thread about Proton Pass to talk about another product, so I’ll stop now…

I specifically said that a strong 2FA option shouldn’t be the thing that they highlight to entice free users.

I can respect where you are coming from, and feel that, generally speaking, encouraging security best practices, or at least not discouraging them, is commendable. But in my opinion, hardware 2FA support is exactly the type of thing that is reasonable to include as a premium feature, considering that:

  1. It is a feature that probably less than 1% of users use, excluding orgs, enterprise, and business customers, who 100% should be paying customers.
  2. They do offer strong free alternatives (TOTP as an example) sufficient for the vast majority of use-cases/threat models.
  3. Everyone using a hardware key has already shown a willingness to spend money on security. It seems inconsistent to be willing to spend ~$50 at a minimum on hardware keys and then balk at the idea of paying $10 a year for a password manager.
2 Likes

For those that have access to this, does it have 2FA like in Bitwarden free? Thx

Nextcloud also encrypts your data, so essentially double encryption.

TBH, while Proton Pass is good, it is not good enough yet to be listed. It needs time, at least 6 more months, to come up to the level of Bitwarden in ease of use. While the Firefox extension is good, the Android app is nowhere close to Bitwarden’s in ease of use and comfort. Better to look back at Proton Pass after a couple more months, and to shelve this suggestion for now. One point where Proton Pass currently exceeds Bitwarden is that the UI design looks a lot nicer and more beautiful than Bitwarden’s.

3 Likes

Yes it does

What do you mean by supporting 2FA? If you’re talking about putting 2FA for accounts in the password manager, that won’t make any difference to security, assuming your randomly generated passwords are already long enough.

The whole point of 2FA is to protect accounts if your password manager somehow gets compromised, whether that be due to malware on your device or a breach of the password manager. If you’re putting 2FA secrets in the password manager… those would also be compromised along with the passwords.

1 Like

Anyone know if this is selfhostable? As not being able to self-host it would be a deal breaker for me.

Gotta say, the overall UI & SimpleLogin integration of Proton Pass looks nice.

1 Like

Yes, putting 2FA TOTP inside the password manager. I currently use KeePassXC but no sync :sleepy: I need cross-platform, and would like sync.
Bitwarden for passwords.

Yes, putting 2FA TOTP inside the password manager.

Yeah, I wouldn’t bother doing this; it just gives people a false sense of security really. There’s no increase in security unless the service you’re using is capping password length to a very small number of characters, in which case 2FA would increase entropy.

If you want 2FA to actually serve a purpose, keep it on a separate device like a phone; it’s not meant to be in your password manager or synced. Authenticator Pro, or Raivo if you’re on iOS, are good apps for it.

1 Like

2FA for the password manager login, I think.

Probably why I now use a YubiKey or Yubico Authenticator.

I respectfully disagree. I used to share this opinion, but I came to realize it was a misconception on my part.

The “whole point” of 2FA has nothing to do with password managers. 2FA can mitigate the harm caused if your vault is breached, but this is not the only (or even primary) reason 2FA exists, and the other benefits still apply if you keep your 2FA secrets in your vault. (And remember that your vault should be protected with its own 2FA, so any attacker who gains access to your vault has already demonstrated an ability to get around your 2FA at least one time.)

A password manager breach is one of the most catastrophic BUT least likely ways in which your accounts can be compromised.

Conceptually, 2FA simply means that we raise the bar for accessing an account from one ‘factor’ to two ‘factors’: something you know (a password) and something you have (access to a phone, a security key, etc.). This is a rather simple concept that can apply to your security in various ways.

The likelihood of one of your accounts being breached due to your password manager vault itself being breached is substantially less likely than some of the more common ways accounts are compromised:

  1. Getting your credentials through phishing or human engineering.
  2. A breach of the remote website, server, or service.
  3. Malware/spyware.
  4. Sloppiness, negligence, or laziness on your part (reusing passwords, using easy-to-guess passwords, writing passwords down, storing passwords in an unencrypted format, etc.).
  5. Some sort of targeted attack (spearphishing, keylogger, etc.) if you are wealthy enough or interesting enough to be a target.

In all of these cases, which are more common than password manager vault breaches, using 2FA through your password manager would provide the same degree of protection as 2FA from another app or hardware key. 2FA in any form will meaningfully improve security over no 2FA at all. And the likelihood of your password manager being breached is much lower than other threats that 2FA might protect against.

6 Likes

using 2FA through your password manager would provide the same degree of protection as 2FA from another app or hardware key

First of all, hardware keys have one key advantage over software, in that they’re not prone to phishing, so they shouldn’t be grouped together.

Second, there’s quite literally zero increase in security when putting 2FA secrets in your password manager. What possible attack scenarios would it protect against?

Two reasons to use 2FA (alongside a password manager) would be:

  1. The PW manager encountering a breach.

  2. Or, more likely, the user’s computer being infected with malware. However, these are only valid when 2FA secrets are stored on a separate, secure device.

When placing 2FA secrets in the password manager, you’d be compromised in both of these scenarios: if the PW manager has had a breach, your 2FA secrets are also gone. If you were infected with malware that gets your PW manager’s database, it would also have access to your 2FA secrets.

Malware/Spyware/targeted keylogging attack

as mentioned above

Sloppiness, negligence, or laziness on your part - reusing passwords

You’d be breaking the fundamental reason to use a password manager by reusing passwords. If you created a unique password per service, you’d be protected against this.

Getting your credentials through Phishing or human engineering.

Software 2FA wouldn’t protect against this.

A breach of the remote website, server or service

Passwords should be unique.

Storing 2FA secrets in a password manager only leads to a false sense of security; you might as well just not use 2FA, for convenience, if the passwords you generated via the PW manager were long enough.

2 Likes
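To make the point of the post above concrete, here is an added example that is not part of the thread and not code from Bitwarden, Proton Pass or any other product mentioned. It implements RFC 4226 HOTP / RFC 6238 TOTP directly from the standard library and then walks through a constructed vault entry: the TOTP seed is just another static secret, so whoever exfiltrates the entry (malware, vault breach) reproduces both factors of the login. The server-side check, the vault entry and the secret (the RFC 6238 SHA-1 test-vector seed) are all constructed for illustration.

```python
"""Added example (not from the thread): TOTP derived from a base32 seed, and a
toy login check, to show that a seed stored beside the password is no second
factor once the vault is exfiltrated."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

# Constructed sample seed: the 20-byte ASCII string "12345678901234567890"
# used as the SHA-1 test vector in RFC 4226 / RFC 6238, base32-encoded.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, timestamp: Optional[int] = None, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30)."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret_b32, timestamp // STEP_SECONDS, digits)


def server_accepts(stored_password: str, stored_secret_b32: str,
                   submitted_password: str, submitted_code: str,
                   now: int, skew_steps: int = 1) -> bool:
    """Toy server-side login: password must match and the code must be valid
    for the current step or one step either side (typical clock-skew window).
    Hypothetical check written for this example, not any product's logic."""
    if not hmac.compare_digest(stored_password, submitted_password):
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = hotp(stored_secret_b32, now // STEP_SECONDS + delta)
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False


def replay_from_stolen_vault(entry: Dict[str, str], now: int) -> Tuple[str, str]:
    """What an attacker holding an exfiltrated vault entry can produce: the
    password verbatim, and a fresh valid code from the seed stored next to it."""
    return entry["password"], totp(entry["totp_secret"], now)


def demo(now: int = 1234567890) -> bool:
    # Constructed vault entry: password and TOTP seed stored side by side.
    stolen_entry = {"password": "correct-horse-battery-staple",
                    "totp_secret": SAMPLE_SECRET_B32}
    pw, code = replay_from_stolen_vault(stolen_entry, now)
    # The "server" cannot tell this apart from the legitimate user.
    return server_accepts(stolen_entry["password"], stolen_entry["totp_secret"],
                          pw, code, now)


if __name__ == "__main__":
    print("RFC 6238 vector, T=59, 8 digits:", totp(SAMPLE_SECRET_B32, 59, digits=8))
    print("Attacker login with stolen vault entry accepted:", demo())
```

The RFC test vectors (counter 0 gives 755224; time 59 gives 94287082 at eight digits) confirm the implementation. If the seed instead lives on a separate device or in a hardware token, the same stolen vault entry yields only the password, and `server_accepts` fails without the code; that is the entire difference the two posters are arguing about.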

Respectfully, I believe this is very poor advice based on a misconception.

Second, there’s quite literally zero increase in security when putting 2FA secrets in your password manager. What possible attack scenarios would it protect against?

It would provide protection in any attack scenario where any other form of TOTP would protect you, except for the unlikely scenario of a properly secured vault being breached. When comparing TOTP stored in your vault versus standalone TOTP (or SMS or e-mail), storing TOTP in the vault is at least as secure as the others in all areas except for one of the less likely scenarios (a vault breach).

As you correctly stated, hardware keys are a separate topic that shouldn’t be grouped into a comparison of TOTP stored in the password manager vs. TOTP in a standalone app, so let’s leave them out of this discussion.

Compared to TOTP through your password manager, you will be marginally more secure with a separate (password-protected) TOTP app against one threat vector, and marginally more secure with hardware 2FA than with any form of TOTP. But the difference is marginal.

In a nutshell, my perspective is this: if you want the absolute highest security, a hardware key/token is the best choice for a second factor. But if TOTP is sufficiently secure for your threat model, the difference in security between a standalone TOTP app and using your password manager as a TOTP app is at best marginal, and you should choose whatever is most comfortable/convenient for you or whatever makes you feel comfortable.

1 Like

It would provide protection in any attack scenario where any other form of TOTP would protect you

But what specific scenarios would 2FA (when having 2FA secrets stored in the same PW manager) protect against? The two I mentioned weren’t prevented when storing 2FA secrets in the PW manager.

1 Like

Proton Pass has been released to everyone.

3 Likes

I gave it a try. For the coming year I’m going to still use Bitwarden. It is so much better right now, and also I already have it configured like I wish.

2 Likes

Tried Proton Pass specifically for 2FA TOTP codes. Happy it works but sad it’s a paid thing. Game over. Until they make 2FA TOTP codes free I can’t use it, for I’m poor af.

1 Like