I switched to Bitwarden when LastPass started using silly tactics to make customers pay. I didn't switch because of the price - the service pricing of Bitwarden was a pleasant surprise.
I switched because I lost all trust in LastPass.
Managing credentials and sensitive information is all about trust. The second I lose trust in that kind of service, I don't just stop using it, I will most likely never even consider coming back as a customer and I will warn people against them. I don't give second chances to services that are trust based.
I'm pretty happy with Bitwarden so far. But if they betray my trust I'll be out of there in a day, never to return. I switched from LastPass to Bitwarden in a day. LastPass never gets a second chance.
What the VCs have to understand is that if their greed makes them push Bitwarden to engage in silly tactics, they risk driving away their customer base.
> I don't give second chances to services that are trust based.
You might run out of services then at some point.
Human beings are fallible, full stop. Also, a company isn't an individual -- management teams change, corporate priorities change, security practices improve. Judging a whole company by what a few employees did or didn't do a decade ago isn't always going to yield an optimal approach.
Refusing to give any company a second chance ever is pretty extreme. Each individual case needs to be handled on its merits -- what happened, why did it happen, do you think the company learned and implemented new policies, how many other undiscovered vulnerabilities do you think are still there? But also, how many other undiscovered vulnerabilities do you think are still there for competitors as well? Just because a competitor hasn't had a breach doesn't necessarily means it's better, it might just be lucky so far.
2001-2007, I had multiple bad experiences with Compaq, Lexmark and HP. These were so bad in terms of cost and frustration I vowed I would never buy their products or services again. It's been... 15+ years. The tech world of today is not quite the tech world of 2003. Should I ever bother with a Compaq or HP again? I probably won't, but the 'avoid at all costs' just isn't there with me any more. Perhaps I've mellowed slightly in the past 15-20 years.
> Judging a whole company by what a few employees did or didn't do a decade ago isn't always going to yield an optimal approach.
Not the OP but I have a similar stance. However, a mistake from an individual employee doesn't mean that I instantly lose trust. It's the handling of the mistake that matters to me. Sweeping it under the carpet, denying their mistakes or outright lying about mistakes is what results in me losing trust.
> You might run out of services then at some point
I prefer using services for my password management (I'm a bitwarden user who's currently happy as well), but I would jump back to some sort of self-hosted or even offline/manual sync solution if I thought that was the only way to keep my passwords safe. I like the convenience of a service, but I would sacrifice it over my security if it got to the point where I had to choose between the two.
BitWarden is based almost entirely on open source so it's possible to branch the project. Given some of the language on their website and their more recent attitude towards OS licenses, my prediction is that they will use the new funding to build as many closed source modules as possible to increase user switching costs, similar to what Google is trying to do with Chrome on top of Chromium. But that is a slow process that takes years, and a lot can happen between now and then.
I don't think Dell or HP make their own computers anymore - consumer stuff is all outsourced to Taiwanese/Chinese OEMs (Quanta, Wistron etc.) - they probably still only make servers in house.
Here we go again: Some company (in this case, Bitwarden) "betrayed" its customers by doing what every other firm does. And HN goes brrr over it.
I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?
> What the VCs have to understand is that if their greed makes them push Bitwarden to engage in silly tactics, they risk driving away their customer base.
They don't care as long as they can extract their profit before that happens. This is VC, they will prioritize medium term gains over long term stability.
On HN, VCs are either ruthless short-term profit extracting machines or overly optimistic clowns investing in hopelessly unprofitable companies on the promise of future growth, depending entirely on the point currently being made.
I bailed on lastpass when they doubled the annual price for the second year in a row. They had also just been acquired by LogMeIn, who didn’t have a great reputation.
I don’t know if I can manage another service switch. I can do it just fine, but my wife is more resistant to these kinds of changes and we need to be on the same page on this.
LastPass pricing model is what turned me off. I am happy to pay for services I use regularly, but I remember the pricing model didn't seem appropriate for what they were offering. The short cutoff period added insult to injury.
I checked out Bitwarden and it seemed like a better version of LastPass that just happened to be free. Their paid model doesn't appeal to me so I don't subscribe, but I would enjoy paying if they offered something that did.
(Off-topic: Bitwarden seems like an exact LastPass clone all the way down to the UI. Do they share a similar codebase or something? Like was one forked from an OSS version of the other?)
Same, I even remember paying for LastPass for a bit. It was more that I wanted to support a service I liked (same reason I pay for other services). Though I find BW's paid model a bit surprising. I know it is only $10/yr, but the only real value here is 1GB storage and yubi/fido keys. I don't have yubi keys (they seem cool but also a pain in the ass) and 1GB seems rather small.
Looking at Google, Dropbox, and Apple, storage pricings range from 4GB/$ (Apple) to 20GB/$ (Google's 5+TB plans). I'm willing to bet that offering 5GB would make it more worthwhile and a very small fraction of your users would actually use it. What are you going to store? Your passport photo and driver's license? I wonder if there would be a psychological effect here because it is really hard to tell if 1GB is enough or not. At least your average person has no idea.
Ugh, I'm paying for LastPass because I haven't gotten around to switching to Bitwarden yet. They list a monthly price, but they actually charge you annually, so you're essentially locked in for a year (if you want to make the most of your money).
I didn't mind paying for Lastpass, but I started planning to move away when they were bought by LogMeIn because I've seen that company's acquisitions before.
Jumped from a paid LP plan to a Bitwarden family plan with sharing and emergency access and quite happy.
I mean, it's not as if these companies care for customers like you anyway. What they want is someone who is willing to purchase their product w/o making a fuss about the negative parts of their business. In fact, I bet LastPass is happy you left.
Doesn’t really matter what Lastpass did wrong, does it? The point is that trustworthiness is the single most important value for someone who wants users to entrust them with their credentials. Another point is how easily they can lose users. The poster lost trust in them, and was able to swap them out in a day.
Bitwarden already does one thing well. It's everything I'm looking for - open source, costs money but not much ($10/yr), 2FA, clean interface. I'm happy for the new investment, but I hope they don't start adding new things just for the sake of growing.
Also - to the people who analyze funding rounds - $100M sounds like a huge amount to me. Why would a password manager need so much money?
How did I have to scroll this far down to find someone who's actually read the post? Everybody seems to think the money is purely for expanding the password manager, while in the post they call out adjacent markets they want to expand to.
I'm cautiously optimistic that this could mean we won't see the end of Bitwarden, as those are areas where companies will pay big money.
Given Apple's push for a passwordless web in collaboration w/ Google and M$ [1], I was worried that BW would go out of business, but they have plans for this and I hope they succeed.
I would love for Bitwarden to use this money to make SSO available to all pricing levels. Currently, in order to use SSO with Bitwarden you have to be on their "Enterprise" plan. I think SSO is too important to gate behind a paywall, especially for a company whose main product is security.
> Why would a password manager need so much money?
The money isn't for the password manager particularly. In the article they list a number of new things they want to develop.
I think there will come a point when most mainstream web services will require "passwordless" authentication, which means users will have to register with one of a few commercial passwordless providers. Think "login to service X with Google/GitHub/Facebook" but more integrated with your phone and biometrics, and no longer optional as email and password authentication go out of fashion.
It makes sense for Bitwarden to aim to be one of those providers, if for no other reason than company survival if passwords and similar tokens become deprecated.
And the three companies behind the major platforms - Google, Apple, and Microsoft - have all agreed on a standard and will integrate a solution into their operating systems.
1Password, a competitor, raised ~$650m earlier in the year off the back of exceptional growth. The investment case is likely: Bitwarden are doing well, 1Password are doing very well, maybe Bitwarden can do very well too with some additional capital. Password management is rapidly growing in mindshare, there's a big market and great room for growth, the amounts involved are commensurate with the opportunity -- every single enterprise will have a robust password management setup soon enough.
1Password is 4x the price and is not open source. Doesn't 1Password's stronger backing provide more risk for Bitwarden investors too (chasing the same customers but with less to spend on acquisition)?
Spitballing, $100M, assuming investors want 20% per annum return and Bitwarden do 50% profit ... they need 24M paying customers. Where are they at now?
They'll probably aim for competing with the likes of Okta in delegated authentication and identity management, which is a huge market which need some more competition. I'm in favor, and it really doesn't need to have any negative impact on their existing user base, at least so long as they can manage their growth and don't become a dysfunctional org because of it.
I just hope we won't get a repeat of LastPass - some company buys it, then just keeps it on life support while raising prices.
Also, the "OSS" version is not really open source; it's just the core, and all the features you really want from a password manager are behind the paid license anyway.
Like what? All the features that a password manager needs to have (and the features that 99% of people need), the OSS version has. SSO, organization management etc. are not something that a "password manager" needs to have.
A $100M round probably means a valuation around $500-600M. They now need to grow the company to a couple billion so it can either go public (when the IPO market is alive again in a few years) or be sold to a bigger enterprise player.
$10/year customers are completely irrelevant to a company at this stage. Open source is nice as a sales bullet point, but not a central focus.
I don't really want them to grow. Growing usually means overinflated expectations and when they aren't met by the new products they will try to retrieve the shortfall from their existing customer base with additional monetisation, driving them away in the process.
I hope it won't go this way here but such a cash buyin is usually the start of a difficult time.
> $10/year customers are completely irrelevant to a company at this stage.
Yet it's exactly the plan most customers and supporters would be on. So in other words, we don't matter anymore. This is why we can't have nice things :(
> Why would a password manager need so much money?
A cynical take on this would be the business is at a large enough volume and growing fast enough to be valued at a certain price (eg 400M), VCs want to own a certain percentage (eg 20%), so the math dictates the round needs to be 100M (100 / (400 + 100) = 20%). Then the founders put together some story that explains why they'd need 100M.
Not saying that's what happened here but I've seen it happen this way.
With smartphones leading the push towards digital everything, passwords (auth / authz) have become the most important asset, even for consumers.
Edit: An interesting conversation between Basecamp's DHH and 1Password's Teare on their series-a as an opportunity to de-risk the venture: https://archive.is/Kdnpz
Which has also become a single point of failure, and a target for social engineering, since "lost device" or "stolen device" etc. becomes the new de facto backdoor.
These are all copyleft... with a CLA (contributor license agreement). It's the CLA that allows them the ability to dual-license for the server.
The VCs must really believe the company can produce a product based on Enterprise sales which would deliver a value North of $1B. And perhaps they can, as Bitwarden as we know it could be considered a strong beachhead to allow them to expand into other auth markets that have high value (hello Okta, Auth0, etc).
But this doesn't seem that scary for Bitwarden users at this point.
Oh dear, this isn't good news at all. Now they're going to be under pressure to produce excessive returns to fatten the company up for an IPO or sale. Having seen what happened to Lastpass when it was passed around from pillar to post, this saddens me deeply. Let's see what anti-consumer measures they start introducing to force us to pay more. Limitations on the free tier look likely, and price rises as well.
It's weird seeing people downplay this exact scenario. They raised $100M; can they hit sales in a recession? Rates are rising for VCs, they need to generate a winner quickly more than ever. Just in time before the expected 75bps rate increase.
For sure. Taking venture capital increases the odds of a large success, but also increases the odds of total failure. VCs are perfectly willing to blow up a modestly successful business if it means a chance at a giant success.
And from my perspective as a BitWarden customer, both of those outcomes could be worse for me. Obviously for failure, but many companies in their rush for new pots of money can do things that aren't great for existing customers. And then if those rushes don't work out, things like layoffs, reorgs, and other chaos can diminish customer focus, leading to long-term product decline.
> I wonder, aren't the majority of HNers working at a for-profit company funded by VCs?
They're probably over-represented given that this is an incubator-adjacent forum, but startups are vastly outnumbered by both mature businesses as well as bog-standard privately owned businesses, so probably not.
Most firms don't get a hundred million dollars up front, they grow products and revenue just like everyone else, with significantly fewer distortions to users or business models.
I guess I might be now that the directors of our little company have sold it, but I assure you I am substantially more mad about that sale than I am about the Bitwarden one.
We use BitWarden at work, we use their business/hosted offering.
We pay them $3600 per year.
Why is everyone so concerned? They're popular enough in businesses. Their product is great for teams, hence why we pay for it. I've found it much better than alternatives. The killer feature for me has been safer account sharing, including 2FA (and I know it makes it somewhat redundant, but it's safer than turning it off completely).
Indeed, they already have a business model, they won't need to cannibalize their open source password manager to make money here. They just need to grow the business side + offer new auth related services as they mention in the article.
LastPass tried to grow the B2C business which put more stress on the consumer product.
C# is a rarity in SV and startups in general. There's a resourcing constraint for a team hiring only geographically in SV.
SV and startups are dominated by JavaScript/TypeScript and Python. It makes the parts of the team a bit more plug-n-play and in some calculus, makes it easier to grow the team as the company grows.
There's also a bit of cultural asymmetry that may make it harder to hire experienced senior C# engineers. C# tends to be heavily used in enterprise so a startup competing for those resources may have a hard time because of that asymmetry with such engineers seeking more stability (both in terms of employment and codebase). Startups are built to go fast and break things which is the cultural opposite of enterprise where you plod carefully, plan, test, document, release, repeat.
There's always some consideration that C# may be a liability at due diligence. I can understand to some extent since it's much easier to hire for JS/TS or Python in SV than it is to hire for C#. Not that it can't be done and C# as a language is close enough to TS that a strong TS backend engineer can easily be trained to C#.
Glad for them and I really hope they succeed in the long run, enlarging the list of successful businesses based on OS.
As a side note, I've been tempted so many times at this point to get a paid subscription and get rid of my "keepass + keepassdb sync via Google Drive + keepass keyfile local copy on each device" setup for the sake of making things simpler. I've read how the internals work, checked the audits, read forums etc. Everything looks great, but I am always paranoid about some security issue arising and my passwords being leaked. I have my entire life pretty much on my password manager and that being exposed would be disastrous at so many levels. Probably just me being irrational.
Maybe some sort of self-hosting arrangement would work for you? I self-host Bitwarden behind a Wireguard VPN so it's only visible to devices I've authorised. Self-hosting comes with its own risks of course, but you would at least be in control of your data.
I do the same. I run bitwarden_rs as a docker container on a raspberry pi on my home network. Then use wireguard so I am always connected to my home network.
This works great for my family. Simple set up, and I've done 0 maintenance on it.
I mean, if your current setup works, why change it? I just hope you aren't too reliant on GDrive in case your account ends up getting nuked, as I've read so many times.
While I recommend Bitwarden to my not-so-technical friends, I don't think I'm ever going to move away from my Keepass/Nextcloud setup, it just works for me.
In the next couple of years, I expect FIDO2 Passwordless Auth to be ubiquitous, natively supported by all OS platforms. Built-in authentication credentials managers within Apple and Google/Android platforms will get more focused attention to improve them significantly. I suspect this should basically render the consumer market not monetizable. So, their free forever strategy here is aligned.
In the corporate market, I would expect more ubiquitous integration of cloud-hosted identity providers and separate SSO auth providers (which will do MFA with device-bound certs, biometric auth and FIDO2 auth) with all the services, and they would all be protected behind BeyondCorp-style VPN solutions (think Cloudflare, Tailscale etc). In this market, I wonder how they will continue to grow.
Why is it impossible to find out what the typical user experience of FIDO2 Passwordless Auth is? Every time I try and learn it's just a sea of acronyms I've never heard of before.
How do I explain FIDO2 Passwordless Auth to my mother?
The most general-case consumer explanation is likely this:
No more passwords. Your biometric authentication along with your Apple/Google account on your iPhone/Android phone is all you need.
A more detailed blurb would be:
You sign-up and sign-in to websites/apps simply by responding to a biometric unlock prompt of your phone (same as unlocking your phone with DoubleClick side button + FaceID etc). Your sign-in details are saved to your iCloud / Google account. You can sign-in to the same website/app on another device (iPhone/Mac; or Android/Chrome device) by signing into your cloud account.
For Pro users, there may be a more advanced flow:
Instead of using built-in phone authenticators, you may use a reputed third-party secure authentication app paired with an external FIDO key (like a YubiKey) to do the same thing. In its most secure configuration, it may combine a device-binding secret unlocked with biometric auth, a physical FIDO key you possess, and a cloud-hosted MPC key that is used based on fuzzy signals like your device location and other fingerprint data etc.
All this gives you secure multi-factor authentication that is safe against phishing, theft, loss etc.
When you sign up for an online account, instead of inputting a password, your login is synced via your browser profile, or more likely, an account / app on your phone. To log in, you'll always either need to be signed-in on your browser, or scan a QR code on a computer to sign in to your account (WebAuthn over BLE, or cloud-assisted Bluetooth Low Energy (caBLE)).
This. Every SW creator (OS, framework, app) manages the risk of security vulnerabilities. It's not black and white or simple and easy.
HP and Dell are just marketing companies now.
The hypocrisy is just intolerable at this point.
With the base service, Vault, and this, it's a nice overall package.
And that includes setting up Duo for push notification 2FA.
I exported my existing passwords, converted the result to the JSON format using vim or something, and imported it. Job done.
Read the "reception" section.
There were press releases and emails and stuff.
I also switched away from last pass then.
The announcement suggests they are looking to also launch their own authentication service and tools for managing application secrets.
[1] https://www.apple.com/newsroom/2022/05/apple-google-and-micr...
Hasn't really caught on, despite being several years in the making already.
Every company’s answer to that is also the same “we will target the enterprise”.
They aren’t “doing well” if they still require outside funding.
The code for the mobile apps is GPLv3 https://github.com/bitwarden/mobile/blob/master/LICENSE.txt
The code for the clients is GPLv3 https://github.com/bitwarden/clients
YSK they are one and the same. Okta bought Auth0 in 2021 [0].
[0]: https://www.okta.com/press-room/press-releases/okta-complete...
Is this some weird SV bubble thing I'm seeing?
Very encouraging to see the stack getting a big funding round.
.NET/C# is a very underrated backend stack for startups. Stable, mature, secure, supported by one of the tech behemoths.
I am also looking to self-host Bitwarden.