Authy vs Microsoft Authenticator to secure Bitwarden?

I currently use Microsoft Authenticator app, but I am considering moving to Authy, I noticed the later requires a password to backup the TOTP codes in clouds similar to BW master password which only I know which sounds like a security plus, while MS Auth backup and sync using my MS account login and password, however Authy does require phone number , which is often disregarded as unsafe because of SIM Swap techniques, which option do you use/think it`s better?

Also in case Authy is chosen: I wondering if it`s safe and advisable to generate and save the backup password in BW or should I create and remember it myself for security?

1 Like

Yeah I used Authy in the past but moved away because of the phone number requirement. If you don’t want/need any multi device component then you can simply use Google Authenticator or LastPass’ Authenticator and with a LastPass account it allows you to back it up as well. If you want multi-device support you could pay for Dashlane which can store your Bitwarden TOTP and all others you can keep storing them in Bitwarden as long as you have a paid account.

On your first point, I don’t like it but it is not a deal breaker.

On your second point, you either trust Bitwarden or you don’t. If you do, so you trust it with storing your passwords, then what is the reason not to trust it with generating them? If you don’t trust it with generating them, for some reason, then a search engine will reveal any number of password generators, some of which may appeal to you. There are also many password strength testers, which can be found the same way.

They essentially do the same thing but I personally prefer Authy.

No issues with having the Authy backup password in Bitwarden - that’s exactly what Bitwarden is for! :smiley:

@Davidz I mean generating and storing Authy password not every password there`s nothing o do with rusting or no.

@danmullen since I need the authy password to recover my account and authy itself is needed to enter BW I think it could create a deadlock in my vault so I decided it would be better to create one myself I can remember instead of generating one.

@MONKiPASS which 2FA do you use? I initially chosen MS because of cloud backup, I was worried i could lose my phone and get locked out of my account with Googles, I have no interest in paying for 2FA so authy souded great Bar the Phone number issue, but many reviewers do recommend it as the best option including bitwardens team

2 Likes

@FOSS_Lover:
If you are using Android be warned that the combination of Microsoft Teams and Microsoft Authenticator on the same phone is a “no go”:
https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_teams-mso_o365b/teams-app-not-working-on-android-devices/5ba0e87d-d89e-4a2b-9f50-5f857bfe923d

Two separate aspects:

(1) Authy:
Why does Bitwarden and 1Password recommend Authy? Probably because it’s not bad in terms of security and because it is forgiving in terms of cloud backup and recovery options. As far as I know they are not in any form competing in the password manager space. But a 2FA that advertises the ability to be logged in via a browser extension, desktop app, and mobile apps adds a lot of unnecessary attack vectors and thanks to human nature users might login via all of them for convenience. In general I do not like security features that tie themselves to a phone number.

(2) I’d simply use a second password manager that can store TOTPs. Dashlane’s free option works great for that and the fact that it can only be used on 1 device might be a security feature in this case :wink: You could also use LastPass’ Authenticator app and have it backed up via a linked free LastPass account. Another route can be to use a Yubikey or have a backup phone running the same TOTP with Google authenticator. I use a second password manager and a backup Yubikey as my own solution.

If you are using Android be warned that the combination of Microsoft Teams and Microsoft Authenticator on the same phone is a “no go”:
Teams App Not working on Android Devices - Microsoft Community

@Peter_H Can you please elaborate a bit on why you say Microsoft Teams and Microsoft Authenticator on the same phone is a “no go”? I read through the thread that you linked to and, while there are some posts from users who say uninstalling Microsoft Authenticator fixed their problem signing into Teams, there are several posts from users who say that they don’t have Microsoft Authenticator and/or uninstalling it didn’t change anything for them. I have both Microsoft Authenticator and Microsoft Teams on my phone and it works without a problem. That is, of course, anectdotal data, but so are the posts about uninstalling Microsoft Authenticator, as well as the posts about not having it installed at all and having the same/similar problems with Teams.

That article seems to be a bit dated and likely no longer applies.

I also have been using both apps on my Android phone with zero issues, i think for over a year now IIRC.

1 Like