Change display order of 2FA TOTP on verification codes screen

Hey all - I’m migrating over from LastPass and just imported my vault and 2FA secrets. It looks like the TOTP verification codes are displayed in alphabetical order by site name in the Android app. For me that means I have to scroll to find the codes I use most frequently and the ones on the first page are those I use once a year or less. Is there a way to manually change the order? LastPass Authenticator let me do this.

Thanks for the feedback, I’ve changed this one to a feature request :+1:

Hi @wmhunter and welcome to the community!

When do you find the need to manually look up TOTP codes? I ask because I rarely have to look up a TOTP code.

The general workflow I use with TOTP codes in a browser is the following:

  1. Go to the login page for the website I’m logging into.
  2. Use Ctrl-Shift-L to fill in the username and password.
  3. Submit the page and see a new page to enter the TOTP code.
  4. Use Ctrl-V to paste the TOTP code, since Bitwarden already copied it to the clipboard.
  5. Submit and I’m done.

You can find more details here:

Does that help you at all?

Ordering codes like LastPass Auth and Google Auth or pinning them (my preference) like Yubikey Authenticator would be helpful. Especially if you are using the Apple Watch app so you aren’t constantly scrolling.

This was my workaround to pin: I simply put a space in front of the items I wanted at the top and it pushed them to the top.

@RogerDodger’s tip is important for LastPass refugees like ourselves. It’s a great Bitwarden feature and the one I most use now. Most efficient possible workflow. Pinning to copy or view is my secondary option.

Thanks for the quick replies and the tips! @222 I’ll try the space trick if scrolling gets too annoying.

@RogerDodger I didn’t realize I could access my TOTP codes from the desktop browser extension, that’s really convenient! Does it work the same way when I autofill on Android? Otherwise I’ll still have the issue on mobile.

I admit it kind of wigs me out to see my TOTP codes on the desktop because that means it’s no longer two-factor authentication, but I guess that ship had sailed as soon as I started backing up TOTP secrets to the cloud.

Yes, as long as you have Copy TOTP automatically turned on in the Bitwarden Android App.

You can think of it as the 2FA for your Bitwarden login acting as the second factor for all of your logins that have stored TOTP keys; for a device that is already running a logged-in Bitwarden client, the device itself acts as the second factor. This requires you to have good opsec and to not leave your vault unlocked when not in use.

This is what you can do to mitigate this risk:

  1. Vault setting to Lock “Immediately.” When it locks, it scrubs the unencrypted version from memory immediately. Personally, I would never set my lock to anything above 30 seconds or 1 minute. It’s not necessary.
  2. Have a separate Bitwarden 2FA that isn’t described or set within your vault. For example, my vault doesn’t have a Bitwarden login file at all. No password, no 2FA. I use only a security key for Bitwarden, email, and a couple of other mission-critical services. All the TOTP within my vault are for services that aren’t mission-critical and it won’t be a disaster if there is a breach.
  3. You need to ensure you have anti-virus/malware software installed. You can have the most secure desktop in the world that has an encrypted SSD and security key login. But, if malware gets loose, you’re owned and no password manager is safe.

Separately, you will like the automatic copy of the TOTP code when you autofill. The Ctrl/Command+V paste creates a very fast workflow. Just make sure your Clear Clipboard setting is set to erase it in the shortest amount of time.

…well, technically, there may be a delay of around 10 seconds.

10 seconds??? You have to be kidding me! I’m moving to 1Password!

I hope you’re being facetious, but it’s hard to tell these days…

I believe that memory is cleared immediately in the Desktop app, for example, but that short delays persist with some of the browser extensions. This has to do with the challenges in controlling garbage collection of freed memory in browser extension processes. Bitwarden is still working on determining if there are ways to improve this performance. You can read about it in this comment on GitHub Issue #3166 and in subsequent updates posted in the comment section for that issue. The 10-second delay is also explained/disclosed in the Help Center Security FAQs section.

Yeah, it was a joke. Just referencing those threads where people say, “If you don’t make Bitwarden like 1Password, I’m leaving for 1Password.” Umm, you could have just saved yourself time and started there.

10 seconds in the world of browsers, extensions, and countless variations of different hardware is completely understandable. Appreciate the links to the references.

Thanks for clarifying. If you had said “I’m moving back to LastPass” I would have known you were kidding! :rofl:

Hmm, this works in the iOS app, but the Apple Watch app (where I really need this) seems to ignore leading spaces when sorting.

I use 2FA with ssh, so I can’t use the browser autofill - I need to type in the code in the terminal and it’s tedious to scroll through all the items on my watch to find the handful that I need to use many times each day.

A blank space at the beginning of the Name field does push the item to the top on my Apple Watch. That’s how I use it daily when auto copy of the TOTP can’t be used.

OK, I was able to get it to work by naming my items starting with .0, .1, .2, then turning off sync, opening Bitwarden on the watch, then turning sync back on and opening again - and now they are sorted.

You reminded me of how I got it to work. After I set the blank space in BW, I had to uninstall BW on the Apple Watch and then reinstall it for it to appear. You should find that does the trick.