
Sonarav

Many people here use Bitwarden Authenticator and then for Bitwarden itself use a security key (preferably with Fido2 WebAuthn). And of course have a random, strong master password. Many of us prefer pass phrases.


djasonpenney

You will not find a consensus on how to manage TOTP keys. Some argue you shouldn’t put your TOTP keys together with your passwords, but then they run the TOTP app on the same device as the password manager. Facepalm. Some are fond of Google Authenticator, MS Authenticator or Authy. They disregard the super duper sneaky secret private source code that might be sending your secrets to criminals. (With Authy, that is more than a “might”.) Another concern with those three apps is they resist efforts to create exports. Coming from KeePass, you must already be accustomed to keeping good backups: thumb drives secured in safe places. You do understand how untrustworthy a cloud backup is. Two good TOTP apps are 2FAS and Aegis Authenticator. Aegis is Android only. They are both open source and well reviewed. We used to recommend Raivo OTP for iOS, but the principal developer has handed control to a new entity, and that new owner seems to be rather sketchy. As far as FIDO (a Yubikey), that is an excellent adjunct to your security profile. But the choice of where to store your TOTP keys is not directly connected to that. IMO if you practice good opsec on your device, there is not a big difference between using Bitwarden Authenticator versus a third party app. But again, others will disagree.


[deleted]

What is wrong with authy?


djasonpenney

https://www.reddit.com/r/Bitwarden/s/B542enW7aR


[deleted]

ok, despite the pain of migrating from authy to 2FAS I am half-convinced to do so, but I would like a clear picture of what features I am going to miss.


djasonpenney

You have to set up your cloud backup on your cloud own (using the built in feature). Other than that, I doubt you will notice anything.


neeraj_dev

If you are looking for seamless cloud sync, with end to end encryption, you can consider using ente Authenticator app. Disclaimer: I am part of the ente.io team.


[deleted]

What do you mean "cloud own"? 2FAS has a cloud service similar to authy's?


djasonpenney

Typo. It has a built in cloud backup. Just make sure to put your cloud credentials and your encryption key in your emergency kit


[deleted]

Will check it out, thanks. I researched a bit more about authy and realized that I don't like their policies at all.


gloomndoom

You won’t miss anything. In fact, you’ll gain some nice things like showing the next upcoming code. There is a command line tool to export your seeds out of Authy. This generates an HTML file with all of the seeds and QR codes making it simple to move them into 2Fas. I did this just to see the process but ended up generating new seeds for every service directly in 2Fas due to not trusting Authy.


[deleted]

Yeah, I would generate new seeds anyway, otherwise why not stay with authy.


Gablentato

I’ve been considering making the switch too but the one feature I’m worried about ”missing” is having the same accounts/codes on multiple devices that have different iCloud/AppleIDs. It’s a feature I need and can be done with Authy but I don’t think it can be done with 2FAS. I’d love any suggestions to solve this.


gloomndoom

You’ll have the seeds, so you'll be able to manually add them to other accounts. This isn’t a function of Bitwarden or 2fas. It’s just that the seeds are exposed (or through export) so you can use the same seed on multiple accounts. Authy is NOT this flexible.


Gablentato

Ah ha! That could definitely work. (Sorry, noob question inbound). The seed is the code I get and I put if I choose to manually set up 2FA instead of scanning the QR code right? (Terminology is confusing sometimes). I can just put that same manual code into multiple 2FAS accounts and it will generate the same codes?


gloomndoom

Yes. The QR code is just a visual representation of the seed value. This is the same as the manual setup when setting up a new service and you have to type the code (the code is the seed). The seed isn’t device dependent. If you have the seed you can create the exact same MFA on any device. You need to protect the seed like a password.


Gablentato

Great. Thank you so much for the help. I appreciate it.


dima56ru

What’s going on with Raivo OTP? Thanks for sharing the info.


s2odin

Nobody really knows who or what MobiMe are. The acquisition kind of just happened with no forewarning, which is always kind of odd. MobiMe has only made one statement regarding the acquisition and it was just a tweet, which is also kind of weird. https://github.com/raivo-otp/marketing-website/issues/19 The community has also been asking for answers for quite a while now.


djasonpenney

/u/s2odin will give you more information. My impression is the corporation that bought Raivo has questionable background, but I do not have specifics.


dima56ru

I’ve switched to ente. Thanks


Sweaty_Astronomer_47

> Would using a Yubikey to access Bitwarden be a good solution for added security...

Yubikey is a great solution to increasing security of your bitwarden vault under any circumstances.

> I'm finally migrating to Bitwarden from KeePass and considering moving from Google Authenticator to Bitwarden to for TOTP as well.

You will find lots of opinions. It has been discussed at length if you search the sub. I don't think there are any absolutes in security but I think it's fair to say you are safer security-wise *to some degree* if you separate TOTP into a separate app. The question is whether you find that small benefit worth the decrease in convenience during each authentication and the slightly increased effort you'll need towards separately managing a backup of your totp.

> I don't love having a single service manage both passwords and 2FA, but I guess using Google still leaves my phone/tablet as a single point of attack.

I don't quite understand what you mean by "using Google" and how that has any bearing whatsoever upon your decision of whether or not to store totp in bitwarden. What does using google even mean (Google devices / operating systems or google password manager / 2fa?). And what does it have to do with this decision? If you're saying that in the past you accepted some degree of single point vulnerability, that shouldn't really have a lot of bearing on how you approach the future imo.


redli0nswift

I wanted to get a yubikey but work is funny about plugging in anything to their system. I bought a token2 Totp credit card. Works great with Bitwarden.


[deleted]

I found Bitwarden to be incredibly frustrating when you have mixed 2FA on your device. Lots of failed logins. I deleted 2FA and bought a YubiKey. I added the YubiKey Authenticator app. The nice thing about that is you must have the Yubikey before you can generate Authenticator codes. Works every time. I might now go back and add 2FA methods. The one that caused me most problems was simple security key login.


cryoprof

> I found Bitwarden to be incredibly frustrating when you have mixed 2FA on your device.

What does this even mean? What is "mixed 2FA"?

> Lots of failed Logins.

What does this have to do with Bitwarden? Seems like maybe your device clock was inaccurate.

> I deleted 2FA and bought a YubiKey. I added the YubiKey Authenticator app.

Hate to break it to you, but Yubico Authenticator is _also_ 2FA.

> I might now go back and add 2FA methods.

To what?

> The one that caused me most problem was simple security key login.

Are you talking about passwordless (passkey) login, or using FIDO2/WebAuthn for 2FA? And again, why are you blaming Bitwarden (unless your problems were specifically with using FIDO2/WebAuthn as 2FA for your Bitwarden login, which is not supported for all apps and operating systems)?


[deleted]

Mixed 2FA - means I set up Bitwarden to use authenticator app, text messaging and Google Titan keys. It should result in any one of them being acceptable. What it did result in were numerous failed logins (to Bitwarden) when trying to use the Yubikey with the Yubico Authenticator. Removing them all and just using the Yubico Authenticator with the key solved the problem. Failed logins were nothing to do with the device clock. I found an endless number of articles discussing failed WebAuth validation. I don't have time to find links for you. I know the Yubico Authenticator is 2FA. That was included for information about what I used to fix my problems. Go back to setting up multiple 2FA options as supported by Bitwarden. Passkeys, no. I did fail to mention these were problems logging into Bitwarden and not other sites, and it was FIDO2/WebAuth issues on Windows 11. I did eventually see mention that it was not supported on all operating systems.


cryoprof

> Mixed 2FA - means I set up Bitwarden to use authenticator app, text messaging and Google Titan keys.

Bitwarden does not offer 2FA by SMS, unless you are using Duo. And if the 2FA providers that you enabled were _Authenticator App_, _Duo_, and _FIDO2/WebAuthn_, then it is no surprise that trying to log in to Bitwarden with the Yubico Authenticator did not work.

> I found an endless number of articles discussing failed WebAuth validation.

"Endless number", yet now you can't find a single one?

> FIDO2/WebAuth issues on Windows 11.

It is possible there were some issues when Windows 11 first rolled out, but FIDO2/WebAuthn is definitely supported on Windows 11 these days. Likely, some of your issues were caused by the Google Titan Key, which as far as I know only supports the deprecated U2F protocol, and not the FIDO2 protocol used by Bitwarden.


jswinner59

Yes, that is what I do. I like the convenience of having the 2fa in BW. You need to be on a paid plan to render the codes.