I advise a few different organizations on their IT platforms and security processes.
I use a different BitWarden account for each of these – some are paid subscriptions, and some are Free accounts.
However, I now notice that I can use TOTP Authentication for website logins within all of these accounts. Is it now possible to have TOTP codes generated within Free accounts?
The real reason for this question is that for one organization with a large all-volunteer user base, we would like to recommend BitWarden as a comprehensive personal password management solution. But with the increasing requirement of MFA/2FA for many platforms, we need to be able to recommend a tool that can be used to generate MFA codes, but where we are not requiring these volunteers to sign-up to a paid subscription. (Many will certainly move over to paid plans, but we can’t require this.)
Is this now possible with BitWarden?
(If not, is there another explanation as to why some of my free accounts now seem to be allowing me to use TOTP codes? I am quite sure that they didn’t use to do this.)
Bitwarden has slightly revised the logic around how TOTP codes generate.
Previously, TOTP codes generated if they were owned by a user with Premium, or by an organization that grants TOTP generation (Enterprise, Teams, Families).
It’s not been updated to simply TOTP generates for users who have Premium.
Thanks for the update note to (part of) my question.
– I hope that does not, however, imply that TOTP is, in the future, only going to work for the accounts where I have a paid Premium/Team account. That would obviously create a lock-out for the services where I am using TOTP!
To my other – Primary – question, how about simply enabling TOTP for the Free version, so that we can recommend it as a comprehensive and effective MFA solution for all of our Volunteers? That would certainly increase user uptake for the service.
As long as you have an individual Premium plan (or a Premium plan provided by virtue of being a member of a paid Organization plan), then you will be able to generate TOTP codes for any items that you have access to (items in your individual vault, as well as shared items in organization vaults).
There is a feature request here:
However, I’m not sure that I understand your use-case. You mention an “organization”, but if it has a “large…user base”, then you must be talking about the volunteers using Bitwarden for their own individual logins, not for shared logins belonging to the organization. In that case, could the volunteers not just use the stand-alone Bitwarden Authenticator App?
The “organization” that I was referencing is a real people organization with nearly 1000 volunteers who may have access to some of our on-line resources. We are moving to enforce MFA for these logins.
At the listed costs, there is no way that we could fund the license fees for these users.
It would be ideal if we could point them to BitWarden as an all-in-one Password and Authenticator solution. Many would certainly see the larger scale value in having their own personal subscription.
There is some ongoing development work to make the stand-alone Authenticator App synchronize with the Password Manager App (per the Roadmap), but that is probably the closest you will get to an “all-in-one” solution.
Your other alternative is to support the feature request that I mentioned above.
The amount of functionality that Bitwarden already makes available for free accounts is unparalleled in the industry, and in my opinion, the “all-in-one” aspect is a convenience/luxury, not a necessity. If some of your volunteers place high value on the “all-in-one” aspect, perhaps they would be willing to part with 20 cents a week for this convenience.
I now see that the standalone BW Authenticator is able to sync TOTP codes with Password Manager:
this is a great new feature that really adds value for users of both tools.
The page states: “You can easily copy local codes into Password Manager, or keep them only accessible by Authenticator.”
To clarify, however, since both Authenticator and Password Manager are free tools, that the new Sync feature will essentially enable Free users to include TOTP codes that can then be used within the Password Manager?
Let me explain it this way: with a free BW account, you already can add (and access) TOTP seed codes (“authenticator keys”) in a login item in the BW password manager:
But it doesn’t produce the actual “TOTP verification code” that gets generated by the seed code depending on the current time (recognize, that the copy button also is greyed out):
So, you can transfer TOTP codes from the authenticator app to the password manager app – but if you still have a free BW account, the password manager app doesn’t generate the usable TOTP verification codes. (while the standalone authenticator app can do that with the seed codes)
Ok, so if I understand correctly, then a Free user would see that there is a synced TOTP code, but they would not be able to access that, and would have to revert to the Authenticator App.
However, once they upgrade to a Paid version, they will see the TOTP code in the Password Manager, Right?
The context here (as you can see from the start of this thread) is that we have a large pool of potential free users, and we want to make sure that we are giving them clear guidance on what they can expect with the free Auth and PM versions.
Maybe one additional thing I just “remembered” that might be relevant for you as well: the sync between authenticator app and password manager happens “locally”, on the device. Meaning: both apps must be installed on e.g. that Android or iOS phone.
(i.e. the authenticator app doesn’t just connect / sync with the BW cloud directly, but with the BW mobile app)
