Password plus TOTP

  • I am using Bitwarden’s free plan for managing passwords and other details
  • and 2FAS app for TOTPs

Is anyone using both of them together on one platform in the FREE plan?
So that it becomes easy to auto-fill both at the same time, and from the PC only.

  • Also, throw some light on this: if you use TOTP in Bitwarden, how are you managing Bitwarden’s own 2FA TOTP…
    relying on Bitwarden’s recovery code…?

Let me know your system of management

To use Bitwarden PWM to generate TOTP codes, you need a paid subscription.

If you use TOTP 2FA for Bitwarden, you need an extra 2FA app for it. The most secure way (but it may not be the best for you) is to store the app’s encryption password outside of Bitwarden. If you store the app’s password in Bitwarden, you may run into the situation where you would need to use the Bitwarden 2FA recovery code, which turns off your 2FA once used (not ideal if your password leaks and you happen to be under attack). But this is still a workable arrangement generally.

You can use your Windows PC/Windows Hello as a WebAuthn 2FA for Bitwarden as a “backup.” You can do this in a free plan.

People don’t often recommend this, but I personally think it’s safe and viable to use an email account, used only for important account recovery, as a backup 2FA method for Bitwarden. Also, keep the credentials for this account outside of Bitwarden.

People who want to maximize convenience and security often put 2FA secrets into their Bitwarden in a paid plan, and use multiple hardware keys as 2FAs for Bitwarden and at least all the important accounts (and not using TOTP for these accounts).

@the_red_kat @Neuron5569 To the question of what 2FA to use for the Bitwarden account itself: of course, this is subjective and everyone has to decide for themselves… but I did some testing in the last weeks with the “FIDO2 WebAuthn” 2FA option of Bitwarden. You can actually use it very “widely”:

  • as @Neuron5569 stated, you can add it in Windows Hello, and I guess this would work with macOS (TouchID, FaceID?!) as well

  • of course you can use it with e.g. a YubiKey (for a long time I thought this was the only possibility)

  • but you can add an Android device as well (tested it on Android 13), and again, I guess it would work with an iOS device as well (tip: I think for this you have to have Bluetooth activated on the computer and the mobile device, and to get that on desktop computers, you can e.g. buy a small USB dongle to add Bluetooth to your desktop computer)

  • and who knows where else it also works…

So I can imagine that almost everyone could change to FIDO2 WebAuthn for the Bitwarden account’s 2FA (at least everyone who has a mobile device, I guess)… the phishing resistance would be a free security gain compared to TOTP/authenticator apps. Actually, personally I find it pretty impressive that Bitwarden made this part of the “free plan” and that you now have so many possibilities to use the FIDO2 WebAuthn 2FA option for the Bitwarden account…

Hi @Nail1684

but you can add an Android device as well (tested it on Android 13), and again, I guess it would work with an iOS device as well

I have Android 13, but I can’t figure out how to use it as a FIDO2 key. So, I try to add a WebAuthn key in Bitwarden; I give it a name and hit “read key.” Windows Security pops up, and I select “Android device.” It turns on Bluetooth and gives me a QR code. My question is: what app on Android do I use to scan the QR code to generate/register the FIDO2 credential?

When I log into the BW web vault and get prompted for WebAuthn, I again select Android, and it also turns on Bluetooth and gives me a QR code. What app do I use to scan the QR code to authenticate?

Thanks.

Good question. It has to be the Android built-in QR-code reader, which you should be able to open via the “menu” when you swipe down with your fingers from the top of the display of your phone. (I don’t know what it is called in English.)

Not the best moment for the picture, but I think you get what I mean:

It should look like this or similar… And for those who don’t find it: maybe you never used this QR-code scanner and the option is “hidden”… then you have to rearrange these options (tapping on the pencil you can see in my picture, far to the right next to the Android version number) so that you can then use the Android built-in QR-code scanner.

Same answer. :wink:

Hey, thanks for the detailed answers. The pictures work very well. Now I understand why I could never figure it out. My cheap phone’s OS supplants the Android/Chrome/Play Store QR scanner, with no way to supplant it. So there appear to be some Android 13 phones that don’t support the cross-device FIDO2 functionality.

What are the web- or desktop-based TOTP options?

Sorry, I have no clue what exactly you mean by that :man_shrugging:

Some people have reported running Android 2FA apps on BlueStacks successfully; otherwise, Bitwarden (again, a paid service) itself. Another option is to use a password manager like KeePass/KeePassXC, which can generate TOTP codes.

I am asking what the options are for Windows-based applications [or websites or extensions] for 2FA TOTP, for free.
Example: TOTP is available in Bitwarden, but it is paid,
and that is the same case for the rest of the paid password managers.
Any 2FA TOTP app [or website or extension] for Windows?

I am thinking about switching to “Safe in Cloud 2” from Bitwarden.
Please share your views about its features and security.