from Hacker News

Bitwarden Authenticator

by pil0u on 2/23/25, 9:11 PM with 158 comments

by ripped_britches on 2/24/25, 12:17 AM
I have used Bitwarden for a few years happily, but have been really annoyed at the UI changes in the chrome extension
Not only does it unnecessarily jar me out of my memorized places to click, but it also just takes 2 clicks to copy a password instead of 1. Seems like a small deal but it is genuinely a bad UI.
by bramhaag on 2/24/25, 12:52 AM
I have been using Aegis [1], a FOSS (GPLv3) TOTP authenticator app, for the past years.
It supports:
- Local encrypted backups. You can sync these to where ever you like on your own terms. I automated uploading mine to my local NextCloud instance.
- Importing from other authenticator apps, so you can easily migrate.
- Exporting entries so that you are not vendor locked (cough cough Authy).
- Customization.
- No mandatory cloud bs, LLM integration, tracking, ...
[1] https://github.com/beemdevelopment/Aegis
by layer8 on 2/23/25, 10:16 PM
It doesn’t support syncing between devices.
An alternative is Ente Auth: https://news.ycombinator.com/item?id=40883839
Edit: Since there seems to be some confusion, this submission is about Bitwarden Authenticator, a free mobile app for TOTP, not about the Bitwarden password manager, which does support syncing, and which in the paid Premium plan also includes an authenticator.
by sepositus on 2/23/25, 9:52 PM
> In this initial release, your data will be backed up through the mobile operating system's backup services. Please make sure your device is turned on and configured for backups. Bitwarden Authenticator data is included in the OS backups and will be restored with them.
At least it's not defaulting to their own cloud service backend. This has always been my problem with these types of apps. Although, I'm not sure I fully understand the above description. I'm guessing if you have an iPhone with iCloud backup enabled, it means data is backed up to iCloud.
by mdevere on 2/23/25, 10:34 PM
Big fan of Bitwarden, albeit you are putting a single point of failure on all of your secure info.
I'd love to know what others do to maximise both convenience and security.
For two-factor authentication, I wouldn't use the same service for both layers. Seems daft to use Bitwarden as both the password keeper and the TOTP provider. Not sure if that's a cryptographically coherent view, but hey.
by denkmoon on 2/23/25, 11:59 PM
Doesn't appear to have any way of exporting 2FA tokens?
I _very narrowly_ dodged being locked in to authy by having tokens in there that couldn't be exported, and authy is a steaming pile of... Never again will I be foolish enough to not maintain ownership of the actual 2fa tokens my codes are generated from.
by stavros on 2/23/25, 10:11 PM
I'm confused, doesn't BitWarden already include this functionality? I've been using it for years, have they split it out into a separate app?
I tend to use Aegis for the two services' TOTP codes that I don't put into BitWarden.
by makeitdouble on 2/23/25, 10:08 PM
Is it standard for Bitwarden to have absolutely no mention of a any plan to also build a PC app ?
I can't find any.
by kyriakos on 2/24/25, 3:50 AM
At some point Microsoft authenticator decided that 2fa from a smartwatch shouldn't work (that happened when they introduced the 2 digit number verification which could still work fine on a watch). I have yet to find a replacement for that feature. If anyone figure it out please let me know!
by marcosscriven on 2/23/25, 10:24 PM
How does this compare to Authy? I use Bitwarden and have been very frustrated with their UI changes.
by jz10 on 2/24/25, 12:52 AM
I just literally spent a week transferring all my authy keys to Bitwarden's somewhat hidden OTP generator feature. nice to see they finally made a standalone app. Now I'm gonna find out if both are integrated..... (I really hope so)
by ViVr on 2/23/25, 10:39 PM
I'd like to see them add support for including attachments in your Bitwarden exports before i go putting any more critical data into their ecosytem.
It has been a feature request for close to 6 years now: https://community.bitwarden.com/t/allow-attachments-to-be-ex...
by itsthecourier on 2/24/25, 1:39 AM
I was a LastPass client then they got hacked and I moved to bitwarden. feel better with their app integration and it feels good.
yet I wouldn't use their 2fa app, just because if they get hacked at some point I don't want passwords and 2FA stored with the same company
doing great with authy in that front
by blackeyeblitzar on 2/24/25, 7:40 AM
Does this have lock in like Authy, where it’s not possible to export the codes? Does it not work on desktop since the page says iOS and Android? And isn’t it a bad idea to use both the password manager and Authenticator from the same company?
by hedora on 2/24/25, 1:02 AM
The “An Error Occurred” database corruptions last year convinced me I can’t trust bitwarden any more.
Any suggestions for something I can host at home? It needs mac, linux and ios clients and (unlike bitwarden) must gracefully handle the server being unavailable.
by yumraj on 2/24/25, 12:03 AM
I had exported my tokens out of Authy when they had killed the desktop version, and imported into KeypassXC.
I find keypassxc which I use for managing passwords and now TOTP to be the best option for me.
I still use Authy on mobile but having an offline backup is great.
by sneak on 2/24/25, 4:02 AM
TOTP is bad. TOTP is phishable. Stop using or promoting TOTP.
We have modern authentication called WebAuthn, supported by Bitwarden proper as well as physical security keys and iOS’s native password manager. Use it.
by jackhalford on 2/23/25, 10:41 PM
Funny this pops up today, I’ve finished migrating form KeepassXC to a self hosted vaultwarden, the official bitwarden apps and briwser extension are super well made, so good so far with the switch.
by RandyOrion on 2/24/25, 3:57 PM
Bitwarden app itself already integrates two-factor authentication code support.
I use the app on both PC (chromium extension) and phone, and I'm happy about it.
by cantrecallmypwd on 2/24/25, 5:09 AM
I prefer Authy for most TOTPs, although regular Bitwarden supports Steam and Blizzard codes too and some TOTPs formats that it refuses to import.
by haswell on 2/23/25, 11:30 PM
I’ve been using the “OTP Auth” app by Roland Moers since hearing about it on Steve Gibson’s Security Now podcast.
Extremely happy with it.
by NewJazz on 2/23/25, 10:00 PM
How would this work on a degoogled android? I just use freeotp+ and have backup codes in case I lose the device.
by Paul-Craft on 2/23/25, 11:00 PM
Okay. So? HOTP and TOPT are so trivial to implement, you can even use a C64[0] as your 2FA device. Here's my anti-FAQ[1] to their FAQ:
---
### TOPT ANTI-FAQ
1. Want a guide to implementing time-based passwords in your app? Here you go: https://www.freecodecamp.org/news/how-time-based-one-time-pa...
2. What was that? You want to do it in Typescript? Okay, here you go: https://www.npmjs.com/search?q=totp
3. Want to do it in Python? Unfortunately, you only have 275 choices: https://pypi.org/search/?q=totp&o=-created
4. How about on an Arduino? https://github.com/lucadentella/TOTP-Arduino
5. Fuck it, we'll do it ~~live~~ in Emacs!https://www.masteringemacs.org/article/securely-generating-t...
Y'all get the point by now, I'm sure.
---
[0]: https://www.gadgetany.com/news/now-the-commodore-64-is-a-two...
[1]: "Anti"-FAQ, because I'd like to discourage people from wasting brain cycles on thinking that a time-based authenticator app is something worth announcing.
by beebaween on 2/24/25, 2:09 AM
Do I still have to pay extra to use a yubikey?
by Lord_Zero on 2/24/25, 3:06 AM
Are we all off the 2FAs train now?
by samstave on 2/23/25, 10:22 PM
no.
Zero trust, and that it slides auth horizontally to other untrusted flows...
Like literally walk an LLM through my data path?
by bootcat on 2/24/25, 12:53 AM
why can't this be in the same app,
by egamirorrim on 2/24/25, 7:13 AM
Yet another authenticator that I can't run on desktop
by yoyohello13 on 2/23/25, 10:24 PM
So I’ve been a happy Bitwarden subscriber since about 2020. I originally picked it because it seemed like a good compromise between open source options like keepassxc and something less trustworthy like one password.
I haven’t really be paying much attention to Bitwarden lately, but I’ve heard they’ve taken vc/got bought out or something. So for those more in the know, is it time to start migrating? Or does Bitwarden still seem like it’s on a good path?