Free TOTP for bitwarden.com

Feature name

  • Allow TOTP generation for free for a Login entry with the URL bitwarden.com

Feature function

  • In the interest of security, allow free accounts to use TOTP generation for bitwarden.com.

In the interest of security there are numerous free alternatives. You pay Bitwarden for the CONVENIENCE of having it in one place with your passwords.

Btw, others even believe it is in the interest of security to NOT store TOTP tokens with passwords.

6 Likes

I happen to be one of those that prefer separate storage locations for my TOTP as well. When I am logging into a TOTP site I bring up Authy on my Android and use that along with my BW vault. No person could honestly believe two separate devices is not a more secure way to handle such an issue. Convenience has to have a stopping point, so I’ll stick with BW on my laptop and TOTP on my Authy devices.

2 Likes

It is easier to cheat as well. Create many entries with bitwarden.com as URL. So we have to support the developers right for providing a free and open source password manager. So pay $10 and use for all entries.

1 Like

I use Authy for 2FA but I store my backup codes in Bitwarden which defeats the purpose of using Authy. I don’t know where else to store my backup codes.

1 Like

The most obvious way to safely and securely store backup codes would be in a second, separate password manager. Be it a second bitwarden account, a LastPass account or a KeePass database.

Since you would only rarely need the backup codes, the (offline) KeePass database would do.

2 Likes

That assumes that both devices are equally secure, so it is debatable. There are circumstances where it is arguable that it is more secure to have such things on a device which is thoroughly secured. A computer where a security key is needed to boot it would be an example, assuming that it was also suitably protected against online attacks.

I have my doubts about the security of phone contraptions, whether they use an operating system from Apple or Google.

That is the case and it is for each person to decide the balance of risks for themselves.

Totp in the free plan
Enable TOTP code generation for free users.

Why

TOTP is very important to security right now, but the only FOSS cross platform TOTP generator is Bitwarden, but the feature is locked behind the premium version. There are a lot of people who don’t use TOTP for their accounts because they want to use Bitwarden’s TOTP support, but use the free plan. It won’t impact your business much because most people I know that use Bitwarden use the premium version for the file support in Send, and the YubiKey support. This feature can greatly improve security of free users, at little to no harm to Bitwarden. It could even make more people switch from LastPass, which has a built in TOTP generator.

There are no other cross platform TOTP apps that are FOSS available, so Bitwarden adding it will make many people switch to Bitwarden. If more people switch, they will see the benefits of the premium plan, and there will be more premium users, not less.

I think I should answer some of the issues above:

  1. As for the cross-platform TOTP:
    On desktop: KeepassXC, Authy. How to use KeepassXC as TOTP
    On mobile: Authy, available for both iOS and Android.
    If you are on Android, Aegis is also good since it can backup your TOTP somewhere else.

  2. I am not a fan of putting both TOTPs and my passwords in Bitwarden. It will defeat the purpose of creating the TOTP itself. I use Authy most of the time, back up the TOTP online, and link everything with my phone number. How Authy 2FA Backups Work - Authy

  3. You should store the TOTP secret keys separately from your passwords. Should someone be able to access your secret key or TOTP QR code, he can generate the same TOTP as yours.
    More info here on stackexchange.

  4. Keep in mind that 2FA or TOTP is not bulletproof. Should your device be infected by malware, it can steal your TOTP.
    Read the news here: Android malware can steal Google Authenticator 2FA codes | ZDNet
    There is already a case where a BW user was infected like this, his account was hacked and you can read that on the Bitwarden subreddit here.
    The safer model would be to use different devices for TOTP and your password. For example, using the Bitwarden app on Windows and then Aegis on phone. Should your Windows computer be infected by malware, the malware cannot steal your TOTP on Android. And then vice versa.

I live in a 3rd world country. 1 USD is 20 of my currency, with 10 USD I can:

  • Get a lunch (not a great meal).
  • Half a bottle of a hard liquor.
  • Half a cheap cellphone data plan.
  • A shirt

Anyway, the point is… even in the 3rd world, 10 USD is like a Coke/coffee per month, you don’t buy one in a month? If you have a computer and/or cellphone chances are that you have a carrying bag for the computer or a case for the phone in order to protect them, those are more expensive for a single device than 10 USD for ALL OF YOUR ONLINE ACCOUNTS.

Now if you feel 10 USD is not worth it or more things should be baked into the free tier… you have a strange scaling perspective. I’m a paying customer more than a single account and all of them as individual accounts to keep development going.

Why? I’m a programmer too and writing code puts bread on my table, a roof over my head and a book in my kid’s hands. I know how frustratingly hard it is to bug-hunt, and listen to customer nonsensical blabbing while smiling and assuring them everything’s gonna be fine. If anything the free tier is giving too much and the paid tier should be a little pricey IMO.

Also I don’t see how adding more benefits to the free tier, being the cheapest password manager on the market, can attract more customers. If you are paying the heavier price tag of other managers, it is because they fit your usage case and because BW is not the alternative that suits your needs.

Neither Bitwarden nor any other piece of software ever written is a silver bullet.

5 Likes

But there’s no other cross platform FOSS TOTP app that syncs, and not syncing is a huge problem, it makes it very easy to lose your TOTP seeds

Then cough up $10. Sounds like it would be good value for you.

4 Likes

You know that TOTP is actually one fairly simple algorithm? You can write your own.

Or you can have all of your Key URIs in a plain text file encrypted with let’s say GPG then use them with something like oathtool.

I have the base32 secrets for each of my TOTPs in several places, not because of backup purposes but because I have a messy setup.

At the very end you can have a plain file simply zipped with encryption synced in any cloud service of your liking.

iCloud Keychain Gets Time Based One Time Passwords, so maybe it’s time to make this feature available for Free users as well to stay competitive?

This site has to be paid for somehow. 10 bucks is incredibly inexpensive. You can’t or at least shouldn’t give away all the perks for free OR why would anybody want to be a premium/preferred customer?

Possibly structure the code so a “free” version enables ALL features for 30 days to let someone have a complete test drive. After that pay or lose the perks/features. This is a business after all. People that always want everything for free will never support this operation. My .02

1 Like

Here’s an article explaining the feature mentioning Bitwarden costs money:

Bitwarden may still have the advantage if users also use devices outside the Apple ecosystem.

I’ve always been a Premium subscriber but not an average user I guess. But I feel the lack of TOTP in free is now a hurdle to onboard new users. There are plenty of Premium features left, for instance the support of a YubiKey.

But would onboarding new users encourage Premium accounts? Jury is out no matter which opinion is expressed. To me, a better middle ground is to offer 30 days “full everything” for FREE, but after that period then you don’t get Premium features for free. If you can’t make that decision in 30 days I don’t think you will ever really be a long time Premium user!

Like you I am anything but a typical user. Just being 100% Linux puts me in “rare air”.

I vote for this. At least give a way to show the TOTP code manually for free users. And maybe auto complete should be a premium feature. This 2FA is a primary security feature nowadays. I doubt it would impact Bitwarden’s earnings in any way.