2FA appears in Terminal/CLI -- in a login item

falu · September 20, 2025, 2:11pm

I noticed that on creating a login item in terminal ,that 2 fa codes also will be there without that I implemented it ! How is that ? In terminal I see “topt” ,but I did not typed any secret key anywhere .

grb · September 21, 2025, 3:21am

The login item template that is retrieved using the command bw get template item.login consists of the following data:

{"fido2Credentials":
  [{"credentialId":"keyId",
    "keyType":"keyType",
    "keyAlgorithm":"keyAlgorithm",
    "keyCurve":"keyCurve",
    "keyValue":"keyValue",
    "rpId":"rpId",
    "userHandle":"userHandle",
    "userName":"userName",
    "counter":"counter",
    "rpName":"rpName",
    "userDisplayName":"userDisplayName",
    "discoverable":"false",
    "creationDate":null}],
  "uris":[],
  "username":"jdoe",
  "password":"myp@ssword123",
  "totp":"JBSWY3DPEHPK3PXP"
}

As you can see, the default template includes a dummy TOTP secret (JBSWY3DPEHPK3PXP). Therefore, unless you set the .totp field to null before you create a new login item, the new item will contain this default secret key.

falu · September 22, 2025, 11:47am

I see . In terminal how to get this form ?

bw get template item | jq ".name="My Login Item"

The login item most be over written with something like , protonmail.com ?

grb · September 22, 2025, 2:23pm

I’m not sure that I understand your question.

Maybe this comment will provide some information that can help you:

(however, please note that the script in the linked comment uses a bash shell, not zsh, so some of the required syntax may be different)

falu · September 22, 2025, 3:05pm

{"fido2Credentials":
  [{"credentialId":"keyId",
    "keyType":"keyType",
    "keyAlgorithm":"keyAlgorithm",
    "keyCurve":"keyCurve",
    "keyValue":"keyValue",
    "rpId":"rpId",
    "userHandle":"userHandle",
    "userName":"userName",
    "counter":"counter",
    "rpName":"rpName",
    "userDisplayName":"userDisplayName",
    "discoverable":"false",
    "creationDate":null}],
  "uris":[],
  "username":"jdoe",
  "password":"myp@ssword123",
  "totp":"JBSWY3DPEHPK3PXP"
}

I meant that how you get this script from the shell ?

As ,for example

bw get template folder | jq '.name="My First Folder"' | bw encode | bw create foldertype or paste code here

If now I type % bw get template folder | jq '.name="esiba"' ? Master password: [hidden] { "name": "esiba" }
This is what I mean . bw get template folder gives that json output .

falu · September 22, 2025, 3:09pm

But this is somewhat an extensive learning ,and maybe this subject does not belong here ,it is to elaborate .It is interesting how the different templates gives all these json scripts.

I may mean - how to get all those different json scripts from the templates .

grb · September 22, 2025, 3:28pm

I already showed it in the original comment:

bw get template item.login

falu · September 22, 2025, 5:19pm

% bw get template item.login
? Master password: [hidden]
{"uris":[],"username":"jdoe","password":"myp@ssword123","totp":"JBSWY3DPEHPK3PXP","fido2Credentials":[]}

Yes ,it was that the visual made me a little doubtful ,but I see it now clearly .

In bw --help maybe there is a full record of all these commands ? I mean for folder ,( Folder and Login I already know ) ,I will look at the bw --help command .

grb · September 22, 2025, 6:24pm

You can look at the output of bw get --help for information about how to use the command bw get, but the use of the template argument does not appear to be well documented.

However, the source code reveals that there are 13 valid options for the bw get template command:

bw get template item
bw get template item.field
bw get template item.login
bw get template item.login.uri
bw get template item.card
bw get template item.identity
bw get template item.securenote
bw get template folder
bw get template collection
bw get template item-collections
bw get template org-collection
bw get template send.file
bw get template send.text

To make the formatting of the JSON structure easier to read, you can use the bw command option --pretty. For example:

% bw get template item.login --pretty

{
  "fido2Credentials": [
    {
      "credentialId": "keyId",
      "keyType": "keyType",
      "keyAlgorithm": "keyAlgorithm",
      "keyCurve": "keyCurve",
      "keyValue": "keyValue",
      "rpId": "rpId",
      "userHandle": "userHandle",
      "userName": "userName",
      "counter": "counter",
      "rpName": "rpName",
      "userDisplayName": "userDisplayName",
      "discoverable": "false",
      "creationDate": null
    }
  ],
  "uris": [],
  "username": "jdoe",
  "password": "myp@ssword123",
  "totp": "JBSWY3DPEHPK3PXP"
}

falu · September 23, 2025, 10:09am

% bw get template item.login 
? Master password: [hidden]
{"uris":[],"username":"jdoe","password":"myp@ssword123","totp":"JBSWY3DPEHPK3PXP","fido2Credentials":[]}
type or paste code here

But from here I need to put in that bw encode and bw create ,I could not do that ,or after creating a template how can I go further ?

grb · September 23, 2025, 1:34pm

What exactly are you trying to accomplish?

Did you read the thread that I had linked previously? Did you try anything based on the information in that thread?

falu · September 23, 2025, 8:52pm

maskros@iMac-som-tillhor-Maskros-2 ~ % bw login
You are already logged in as xxxxxxxxxxxxxxxxxxxx.com.
maskros@iMac-som-tillhor-Maskros-2 ~ % bw get template item.login 
? Master password: [hidden]
{"uris":[],"username":"jdoe","password":"myp@ssword123","totp":"JBSWY3DPEHPK3PXP","fido2Credentials":[]}
maskros@iMac-som-tillhor-Maskros-2 ~ % bw get template item.login {"uris":[],"xxxxxxxxxxxxxxx.com":"xxxx","password":"xxxxxx","totp":"JBSWY3DPEHPK3PXP","fido2Credentials":[]}|bw encode |bw create
 
zsh: no matches found: uris:[]
error: missing required argument 'object'
maskros@iMac-som-tillhor-Maskros-2 ~ % 
type or paste code here

After creating that template for login I could not fill out that form as the promt appeared immediately ,but I could create a login item ,as you saw that ,that 2fa code appeared earlier .I do not know how to use the command bw get template item.login ,or I know but in the next step as you see here zs: no matches found.

grb · September 23, 2025, 10:05pm

You are using this command incorrectly. There can be no additional arguments (other than options such as --pretty, --session, etc.) after the expression bw get template item.login.

This is why you are getting a “no matches found” error caused by the misplaced string {"uris":[],"xxxxxxxxxxxxxxx.com":"xxxx","password":"xxxxxx","totp":"JBSWY3DPEHPK3PXP","fido2Credentials":[]} (which you have erroneously inserted after the command bw get template item.login).

Further errors are produced because the input being piped to the bw encode and bw create commands are not valid.

I still don’t understand what ultimate goal you are trying to accomplish. In addition, I don’t know why you insist on using the CLI (which you seem to be struggling with) instead of one of the more user-friendly Bitwarden apps that have a graphical user interface (e.g., the Desktop app, the Web app, the mobile app, or the browser extensions).

falu · September 23, 2025, 11:44pm

This is only for a study ,then some of my companions has no time with this and they may need to use the CLI . So some appointed me to research this scenario ,in case we may need it.

An example of this is .dmg files . So we could not change the password to so 10000 or more dmg files ,but I changed it from the CLI . So how we will use the bw cli ,this we have no idea of .But as often ,a company whom stops developing ,that means death. Now today we gained a developer so we will study with this man. Simply we do not know ,how or when or why we may use the bw cli. It is a proposal of some of my associates - that we should know at last something about it. The app may suddenly fails on the desktop , ,or any reason may be there - we simply study the cli and nothing else.Also ,we changed computers ,and on these older computers we do not mind if it crashes or anything happens - so we are using the CLI for so many other things ,such as AGE ,OPENSSL and AEScrypt . This is only for study - so here we can end this post .Thanks grb.

grb · September 24, 2025, 1:24am

That’s fine, if you are trying to learn how to use the CLI, it’s not a problem to ask questions here.

However, to help you achieve some goal (whether for learning purposes or something else), I need to understand what your goal is.

You seem to be attempting to achieve some kind of result in this comment (“how can I go further?”) and in this comment (“I could not fill out that form”), but if this is the case, you have not clearly explained the overall problem that you are trying to solve.

Perhaps I have misunderstood your comments, and you actually have no specific goal in mind at this time.

falu · September 24, 2025, 10:33am

bw get template item .login

grb · September 24, 2025, 2:41pm

That expression will not work — it will only execute bw get template item, and ignore the invalid keyword .login.

I have listed the valid options for the bw get template command in a comment above. If you look at the list carefully, you will see that in all of the 13 valid options, there is no space character inserted after the word item. Therefore,

bw get template item .login

is not a valid command.

Presumably, you meant

bw get template item.login

(which is a valid command).

system · October 24, 2025, 2:42pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.