I have used Bitwarden for a few years happily, but have been really annoyed at the UI changes in the chrome extension
Not only does it unnecessarily jar me out of my memorized places to click, but it also just takes 2 clicks to copy a password instead of 1. Seems like a small deal but it is genuinely a bad UI.
If you go to Settings -> Appearance and enable show quick actions, you can reenable the 1 click copy password again. Enabling compact mode and disabling animations also helps a lot.
Yes, but then you have to click the little "Fill" button. And if you enable "Click items to enable autofill on Vault view", you have to Right-click -> View to edit stuff.
Yes. This. They change the look adding more clicks and moving things around offering NEGATIVE value. At least they fixed biometric desktop auth but without telling you that you had to remove the extension and clean up some stuff to get it to work.
I just noticed on my Edge browser, I have two different profiles (work and personal). On one profile, I have a one-click interface (fill, copy UN, copy Pwd, copy 2FA code). On the other profile, I have a two-click interface as you described.
So do this: go to Settings (lower right corner) -> Appearance -> set width to extra wide, check compact mode, check show quick actions.
I would just love if it appeared more than 60% of the time it's supposed to on Android.
I'm sick of the dance of switching apps a few times to try to 'wake up' Bitwarden when I'm staring at a login page in my browser with no Bitwarden prompt anywhere, closing and reopening the browser, manually opening Bitwarden, switching apps a few times, then giving up and manually copying and pasting my password.
I had this same issue for years on Android with Bitwarden. I’m not sure how the password manager related APIs work to make it appear on Android, but since switching to iOS, it always presents me with a generic “passwords” option, which then gets me to Bitwarden. Sometimes it’ll flag the specific account, but not always - this seems to be like the Android quirk. I’d much prefer if Android had that generic “password” option at all times, even when it didn’t know Bitwarden had an account for this service.
I too am very annoyed by this, and it has been happening for as long as I can remember. KeePassDX [1] works around this by providing a custom keyboard you can use to fill in your passwords anywhere.
Yup, the UI and "click amounts" are terrible, a step down from both the native Chrome and Firefox password managers.
If you have a domain.tld and are on sub.domain.tld it also shows ALL the credentials on EVERY subdomain and the tld, and you have to crawl through them all.
The only good thing is that I was finally able to switch away from Chrome on mobile, but for a high bad usability price.
You can disable that by changing the domain matching algorithm (or whatever it's called, it's not difficult to find). By default it matches to domain.tld, but you can request the exact match.
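To make the point above concrete, here is an added illustration (not Bitwarden's code, and not from any commenter) of what the different URI match modes do to the list of credentials offered on a subdomain. The vault entries are constructed sample data; the mode names "base_domain", "host" and "exact" are this example's own labels, and the base-domain logic deliberately uses the naive "last two labels" rule (a real implementation would consult the public suffix list so that e.g. co.uk is not treated as a registrable domain).

```python
from urllib.parse import urlsplit

# Constructed sample vault: four logins, three of them under one base domain.
VAULT = [
    {"name": "Main site login", "uri": "https://example.com/login"},
    {"name": "Admin panel", "uri": "https://admin.example.com/"},
    {"name": "Mail", "uri": "https://mail.example.com:8443/inbox"},
    {"name": "Other site", "uri": "https://example.org/"},
]


def base_domain(host: str) -> str:
    """Naive registrable-domain extraction: keep the last two labels.

    Assumption of this example only; production code should use the
    public suffix list, otherwise hosts like foo.co.uk collapse to co.uk.
    """
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def matches(entry_uri: str, page_url: str, mode: str) -> bool:
    """Decide whether a vault entry should be offered on the current page."""
    entry, page = urlsplit(entry_uri), urlsplit(page_url)
    if not entry.hostname or not page.hostname:
        return False  # malformed URI: never offer the credential
    if mode == "exact":
        # Whole URI must be identical, including path and port.
        return entry_uri == page_url
    if mode == "host":
        # Hostname plus port must match; sibling subdomains are excluded.
        return entry.netloc.lower() == page.netloc.lower()
    if mode == "base_domain":
        # Any subdomain of the same registrable domain matches, which is why
        # every credential under example.com shows up on admin.example.com.
        return base_domain(entry.hostname) == base_domain(page.hostname)
    raise ValueError(f"unknown match mode: {mode}")


def candidates(page_url: str, mode: str, vault=VAULT) -> list[str]:
    """Names of the vault entries that would be listed for page_url."""
    return [item["name"] for item in vault if matches(item["uri"], page_url, mode)]


if __name__ == "__main__":
    for mode in ("base_domain", "host", "exact"):
        print(f"{mode:12s} -> {candidates('https://admin.example.com/', mode)}")
```

The security-relevant consequence is the one the comment describes: with base-domain matching, every credential under example.com is offered (and, with auto-fill, potentially filled) on any host under example.com, including hosts you did not create the credential for; host or exact matching narrows that to the one entry that belongs there.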
Aegis is Android-only though. A cross-platform (Android/iOS/Linux/Mac/Windows), open-source (AGPLv3), self-hostable (Docker image) alternative (with migrations, E2EE backups/syncing, and JSON export as well) is Ente Auth: https://news.ycombinator.com/item?id=40883839
Edit: Since there seems to be some confusion, this submission is about Bitwarden Authenticator, a free mobile app for TOTP, not about the Bitwarden password manager, which does support syncing, and which in the paid Premium plan also includes an authenticator.
I've been using Authy for TOTP in conjunction with Bitwarden Premium for passwords.
I considered using Bitwarden Premium for TOTP, but dislike having passwords and TOTP codes in a single-point-of-failure backup location.
I looked into Bitwarden Authenticator, but it didn't seem to support sync between devices, as you've now corroborated. This is the reason I gave up on Google Authenticator and switched to Authy — I don't want to have to deal with trying to get all my accounts unlocked if my phone gets lost, broken, or stolen.
I've set up Authy with a backup password so that I can recover it if necessary. I understand that this is less secure, and Twilio (the company behind Authy) seems to have a mixed reputation. However my reasoning is that maintaining two layers which are separate (Authy on phone and tablet, Bitwarden on laptop) is consistent with defense-in-depth theory — even if the layers have some weaknesses.
Maybe it's time to switch to Yubikey, because TOTP apps that don't sync between devices are too high of a risk for losing access, and TOTP apps that sync aren't quite "something you have". How do people prepare for the potential loss of Yubikeys? Is it reasonable to get a spare[1] and keep it in a safety deposit box?
Just beware of the lock-in with Authy because they make it impossible to export your TOTP secrets for "security" reasons. There was a method to do it by running some code but they patched up those API endpoints recently.
I have a second yubikey which I keep in a safe and every time I set up the primary yubikey on an account I also make sure to enroll the backup one too. I'm not likely to have mine stolen so I don't keep the spare offsite, it's more insurance in case I lose it. I also have an airtag attached to the primary key for the same reason.
I got two Yubikeys but ended up never using them. I've also considered keeping the second one in a safety deposit box, but realized that that would defeat the purpose since you also need a key to access the safety deposit box.
Please use 1Password, it syncs between everywhere you want and supports TOTP. When I log into LinkedIn, it only takes one click and it autofills and autosubmits everything, including TOTP.
I use this, it works great for when you're on a laptop and can't be bothered to pull out your phone to enter the 2FA code (because it works cross-platform on web, desktop, and mobile, all syncing together). Yes, technically this is a corruption of the principles of why you'd need 2FA in the first place, as the second factor is obviated when everything is on one device, but I find the risk acceptable, no one is going to hack into my laptop at home, and if they do, I have bigger things to worry about than 2FA.
I'm not sure that syncing is a feature that should exist. Once an OTP shared secret has been added to a device, it should be unretrievable, ideally stored in a security enclave.
If you can just clone an OTP to as many devices as you want then I'd argue it's not really two-factor. The mechanism used to sync is the same one a malicious actor would use to clone all your OTP entries and gain access to your accounts.
That’s fair. Can I have it back up/sync to iCloud so if I lose my phone I can get a new one? I think that’s a usability vs. security risk we’re gonna have to be okay with. People aren’t going to be able to have multiple devices.
They would also need the password, not just the OTP, to gain access, because it really is two-factor. But the risk of permanent loss if you lose a device is too extreme, so you would still need some alternative restore mechanism, at which point an encrypted sync is a much better alternative.
That's nice in theory, but leaves you with significant risk of getting completely locked out of your account should you lose the device containing the OTP secret.
> In this initial release, your data will be backed up through the mobile operating system's backup services. Please make sure your device is turned on and configured for backups. Bitwarden Authenticator data is included in the OS backups and will be restored with them.
At least it's not defaulting to their own cloud service backend. This has always been my problem with these types of apps. Although, I'm not sure I fully understand the above description. I'm guessing if you have an iPhone with iCloud backup enabled, it means data is backed up to iCloud.
On my Android, what's the upside of using this instead of Google Authenticator if they both back up to the same place?
If they used their own cloud backend I would be a lot more interested. They could even offer to store it in their cloud end-to-end encrypted (making it my responsibility to keep the password safe). That would give me similar exposure as their password manager, which I'm already using.
Kinda worrying that it doesn't mention anything about how that is secured.
Google Authenticator had the fun idea to opt people into unencrypted (beyond whatever regular Google Drive files have) cloud backup of 2FA secrets, and it's been exploited in the ways you'd expect.
Big fan of Bitwarden, albeit you are putting a single point of failure on all of your secure info.
I'd love to know what others do to maximise both convenience and security.
For two-factor authentication, I wouldn't use the same service for both layers. Seems daft to use Bitwarden as both the password keeper and the TOTP provider. Not sure if that's a cryptographically coherent view, but hey.
> albeit you are putting a single point of failure on all of your secure info.
Depends on what failure mode you're talking about.
If you mean "I won't be able to access things when their service is down", that's not entirely accurate, because the database is synced to clients, so you just can't connect a new client or add/update entries, but existing entries are accessible.
If you mean "everything will be compromised if their service is hacked", that's not quite accurate either, because the encryption key to the database isn't stored on their servers (things are only ever decrypted on the client).
If you mean "any compromise is all/nothing", this is kind of true, but can be mitigated by keeping separate vaults, so that your most sensitive items are not kept with the ones you need routinely.
Or maybe you're thinking of some other failure mode ...
Perhaps it's just an aversion to having all your eggs in one basket. I am experiencing that with Proton, atm, after having spent a year De-Googling my life and moving my mail, drive, calendar and VPN to their drop-in replacement for the same Google products. Lo and behold, the CEO has to go and share views I not only disagree with but also find dangerously aligned with people that are very much enemies of privacy and protection of PII.
The problem with buying into one entity for a bunch of these services is they eventually find a way to sour their mission or worse, bend the knee to those that seek to exploit us, leaving you with the increasingly arduous task of migrating to another competitive service.
In terms of a compromise being “all or nothing,” most secure accounts should have a password (which you can manage in BitWarden) AND a second factor (ideally not tied to your phone; ex: a YubiKey). That way even in the nightmare scenario that someone gets into your password manager there’s extra legwork they’d need to do to ruin you.
>"I won't be able to access things when their service is down", that's not entirely accurate
That is entirely accurate. During their outage a few weeks ago (the first I've experienced in years of using it TBF), I wasn't able to get passwords from my browser extension, Android app, or Mac app. Maybe in theory it's not supposed to work that way, but in practice it got stuck when it couldn't reach the server and went back to the "Enter master password" page (IIRC).
But if somebody compromised their internal infrastructure they could push out malicious updates to both the Authenticator and the clients of the password manager (most likely the browser extension), compromising both security factors at once
Doesn't appear to have any way of exporting 2FA tokens?
I _very narrowly_ dodged being locked in to authy by having tokens in there that couldn't be exported, and authy is a steaming pile of... Never again will I be foolish enough to not maintain ownership of the actual 2fa tokens my codes are generated from.
I personally switched to using 2FAS[0]. My favorite feature is that it comes with a browser extension that can automatically fill in the OTP on web forms, after approving the request on the phone app.
Not OP, but I escaped Authy over a year ago and I've been happy with 2FAS on Android. Aegis is also very good. 2FAS has backup to Google Drive. Aegis does Android Cloud Backup. Aegis is available on FDroid. IIRC I chose 2FAS for purely aesthetic reasons, but I could've easily gone with Aegis and been happy too.
Speaking of escaping Authy, good luck with that. I had to use their desktop app and api to pull my data. I read in another comment that they've recently closed that api. So, you might be stuck migrating each account manually. That bullshit alone is worth the trouble of moving.
The built-in TOTP in Bitwarden password manager is only available to premium Bitwarden subscribers, requires you to have a Bitwarden account, and stores your TOTP codes in Bitwarden's servers.
This standalone app is available for free, can be used without an account, and the TOTP codes are only stored locally (or through your phone's native backup system).
Some people dislike the idea of storing TOTP codes in the same location as passwords, so it seems this helps provide those people with that separation, while still using Bitwarden products (which tbh is cool with me - a lot of the other TOTP apps on the appstores suck).
> The built-in TOTP in Bitwarden password manager is only available to premium Bitwarden subscribers, requires you to have a Bitwarden account, and stores your TOTP codes in Bitwarden's servers.
If you self-host (e.g. with Vaultwarden) you get all the pay features for free.
Having TOTP tokens stored alongside passwords kind of defeats the purpose of two-factor-authentication. I think this alone justifies development of a separate app, but there must be other reasons as well.
Deffo a tradeoff. But then my Bitwarden account is secured with a long passphrase, and MFA (with offline recovery codes), with the TOTP in Google Authenticator.
It's a tradeoff, but on balance, I am happy to keep my TOTP for accounts secured by Bitwarden inside Bitwarden.
Bitwarden does come with an app for every major operating system. Or do you mean this authenticator app? It kind of goes against the idea to have this anywhere but your phone.
Does it? I thought the whole point was to require something that's not stored right next to the password in the database, making it more resilient to leaks/hacks/incorrect hashing and salting, etc. I don't think there's a single site where I have the option to "remember this device" to avoid needing to put in a 2FA code on every login where I haven't enabled it on my personal devices, and on a lot of them, I'm not even sure the cookies have ever expired. This seems like a case of https://xkcd.com/1200/, although I'll throw in my favorite personal example because of how absurd I find it: on the Domino's pizza Android app, it allows me to open it after months without using it and order food charged to my credit card without needing to reenter my password, but if I want to save something new as my "Easy Order" to avoid having to manually put everything into the cart and then hit "checkout", I have to put my password in again for that!
I've been lazily (in the "lazy evaluation" sense, not the work ethic sense) moving my 2FA from a mobile app into Bitwarden precisely because it's way more annoying to have to take my phone out and manually enter a code from there vs. when logging into things (especially since lately I've noticed that I seem to get errors when the code still has a few seconds left in the UI as being valid after I've already gotten the response from the server not accepting it; I assumed that this might be due to some issue with my phone itself, but the fact that it still happens with the codes being stored in Bitwarden and visible on the same screen where I'm logging into makes me wonder if this is some new intentional thing sites are doing intentionally without regard to how weird an experience this will be for some people).
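The "code still has a few seconds left but the server rejects it" experience in the comment above comes down to how TOTP (RFC 6238) is verified: both sides compute HMAC over the current 30-second counter, and the server decides how many adjacent counters it will tolerate. The following is an added, self-contained implementation written for this thread (it is not Bitwarden's or any authenticator app's code) using the RFC 4226/6238 test secret so the values can be checked against the RFCs; the skew window and the clock offsets in the demo are constructed for illustration.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), used
# here only so the generated codes can be checked against the published vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at) // step, digits)


def seconds_remaining(at: float, step: int = 30) -> int:
    """What the authenticator's countdown shows for the current code."""
    return step - int(at) % step


def verify_totp(secret: bytes, code: str, at: float, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Server-side check. `skew` is how many adjacent time steps the server
    accepts on either side of its own clock (RFC 6238 suggests at most one
    step of drift tolerance; 0 means the clocks must agree exactly).
    Uses a constant-time comparison for each candidate."""
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-skew, skew + 1)
    )


def client_vs_server(secret: bytes, client_time: float, server_time: float,
                     skew: int = 1) -> dict:
    """Reproduce the scenario from the thread: the client's clock is behind
    the server's, the countdown still shows time left, yet the server rejects."""
    code = totp(secret, client_time)
    return {
        "code": code,
        "client_shows_seconds_left": seconds_remaining(client_time),
        "accepted": verify_totp(secret, code, server_time, skew=skew),
    }


if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(RFC_SECRET, now), "expires in", seconds_remaining(now), "s")
    # Constructed offsets: the client clock runs 20 s and then 60 s behind the server.
    print(client_vs_server(RFC_SECRET, client_time=59, server_time=79))
    print(client_vs_server(RFC_SECRET, client_time=59, server_time=119))
```

With a one-step window the server accepts a code from the previous or next 30-second slot, so a client clock that is a few seconds off still works; once the client is a full step or more behind, the code it shows with "seconds remaining" belongs to a counter the server no longer accepts, which is exactly the symptom described. A server that sets `skew=0` rejects even small drift, so the fix on the client side is a correctly synchronised clock rather than typing faster.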
The main app's integrated TOTP functionality is nice for low impact services (e.g. I don't give a damn if my third Nintendo account gets overtaken). But there are more critical stuff I want an actual separate system, and this authenticator app would allow that. In particular it's free so creating a separate account would be fine.
The common sense of TOTP = your phone is to me problematic, and I feel it led to the situation we're in with Apple and Google...I have 3 computers I can use at any time, and will yell at the clouds every time I have to get my phone for some random stuff that can only happen in a mobile app.
Same way people are vehemently raging against kids having smartphones and ask for more kids protection online, while most 2FA services will default to a phone auth (TOTP or SMS, or dedicated app). And more than anything, I wish people could lose/crush/obliviate phones with less impact on their life if they want to, it doesn't need to be the key to one's digital life.
Before it was two clicks to edit. Plus it would lose context if the popup was closed.
that should do it.
[1] https://github.com/Kunzisoft/KeePassDX
It supports:
- Local encrypted backups. You can sync these to wherever you like on your own terms. I automated uploading mine to my local NextCloud instance.
- Importing from other authenticator apps, so you can easily migrate.
- Exporting entries so that you are not vendor locked (cough cough Authy).
- Customization.
- No mandatory cloud bs, LLM integration, tracking, ...
[1] https://github.com/beemdevelopment/Aegis
An alternative is Ente Auth: https://news.ycombinator.com/item?id=40883839
[1] https://www.yubico.com/products/spare/
0: https://bitwarden.com/products/authenticator/#:~:text=New%20... - "New features on the roadmap include import, syncing to Bitwarden accounts, push-based 2FA, and account recovery"
1: https://bitwarden.com/pricing/#:~:text=Integrated%20Authenti...
I understand what you’re saying here, but then having a password manager and a 2FA app on the same phone is the exact same corruption.
If your threat model involves “don’t have your 2FA codes on your desktop”, it must also include “don’t have your passwords on your phone”.
When syncing is added it would actually be something to consider.
In that case, what would be the advantage over just using Bitwarden's native TOTP support?
The regular complaints here about iMessage not having good E2EE are about a specific exception written into the security policy.
Corrections welcome.
[1]: https://support.apple.com/guide/security/security-of-icloud-...
I think this is the better link. Advanced Data Protection is end to end encrypted, without the key being backed up to Apple’s servers.
[0] https://2fas.com/
There was a CLI tool to export Authy codes, but there was a comment here that the APIs it used no longer work.
I tend to use Aegis for the two services' TOTP codes that I don't put into BitWarden.
And many organizations/companies have a policy against that, although I don't know how anyone can enforce it.
I can't find any.