I use Authy and it suits my needs very well. Speaking from a security viewpoint it weakens your overall situation when you use ONE device to accomplish a connection with a 2FA handshake! My scenario means I grab my Android and acquire the TOTP for the website AFTER BitWarden has provided the user and password. It's the classic convenience vs security debate I know. I think some would allow for a one device (BW) connection for the sake of speed and ease. I wouldn't use it for the reason I stated earlier.
Still, I can visualize why some would want this feature. Realize that either approach is far inferior compared with U2F, which I use in every location that supports it.
Also for maintenance reasons, why not just adding an extra type (in the app / extension, etc.), besides current types (Login, Card, Identity, Secure note)? Then you just open this type and see all your verification codes…
This is a "what if your computer is compromised" situation. Trying to limit the blast radius by not having your TOTP secrets stored locally.
If your computer is compromised, there is much more they can do without even gaining access to your secrets. It is a benefit and is best practice, but ultimately a lot of work for little actual gain in security.
Once many of the other features are implemented, I would vote for this in a heartbeat. But until then, I'd personally vote for other features.
I'm hoping U2F will become the norm. TOTP was a great stop-gap. I can't wait to put it out to pasture.
It acts as a cloud-based 2-factor authenticator as an alternative to Google Authenticator and LastPass Authenticator.
Another app can help users log in to other accounts they have set up 2FA on.
And a new idea - unlike Lastpass authenticator, this one can have multi device support like desktops, browser extensions, and even web version of authenticator so that users can have access to their authentication accounts
For home use I use DUO Mobile, the free version - it works nicely. The paid version is too steep for the limited use case of only securing BW, and that I think is a problem. "Free is not free", people (like me) coming from a bitwarden competitor learned it the hard way anyhow.
I am not sure this would be essential. There are like a dozen third-party apps that handle 2FA already. Bitwarden is a rather small team, so I feel that an authenticator app would probably take resources away from other features.
Besides, premium Bitwarden would have TOTP built in. The only place where you would essentially need a separate 2FA app would be 2FA for bitwarden itself. An app like DUO would serve the same purpose and wouldn't have the vulnerability LastPass Authenticator has.
OK I am going to address some comments from other people.
Authenticator app should definitely be free. Bitwarden needs to grab market share. People have to authenticate, and the other apps are pretty much all garbage. There's something different wrong with each one of them. The UIs and features are compromised one way or another.
Authenticator app should definitely be a separate app. People search for authenticators to have a single app that does what they want. To avoid being annoying to those who just want authenticator, it should be separate, but should internally make it clear (but not annoying) that Bitwarden also exists. To drive some traffic to Bitwarden, they should offer a limited time discount (like idk 1 month free of premium or something).
Authenticator app should hide codes. This is a security problem with Google authenticator.
Authenticator should fit more than 3 websites on screen in a phone app. This is a problem with OneAuth (from Zoho).
Authenticator should offer MFA push notifications on all sources (if possible. I’m not sure how this works).
Authenticator app should include favicons/logos for each domain. This is a problem that Google has. Theirs is pictureless.
Authenticator app should have a background for each favicon that contrasts with the favicon (especially in dark mode). Or find some other graphical way to protect against icons with identical colors to the background. Heck, put them inside a rounded box. Who cares? This is a problem that Authy (Twilio) has.
Authenticator app should have larger icons for icons that are in a non-square aspect ratio (i.e. fit in a rectangular bounding box). This is a problem Authy has.
Authenticator app should allow easy copying with clear indication that the code has been copied.
Authenticator app should NOT consume large amounts of storage space. It’s an authenticator app, not the next Java runtime environment! Microsoft authenticator fails massively in this respect. This also slows down opening and operating the app, and cripples battery life on phones. This is why I don’t use MS Auth for anything besides my Microsoft account.
Authenticator app should support more than just the phone! This is a problem with virtually all of the other authenticators, and with Bitwarden’s familiarity with cross-platform dev, I see this as a huge strength for their prospects as a competitor.
Authenticator app should offer storing keys in the cloud. Yes! I know the Sec Ops guys are cringing out there, but this feature is very useful. Why? Here:
What happens when your phone gets stolen? I ain’t going down because some jackass thought my phone was cool!
What happens when I transfer my account from iOS and wipe the device and accidentally forget to transfer an authenticator app that wasn’t visible on my home screen?
Or what happens when Bimbo Baggins grabs my phone and decides it’s time for it to die?
What happens if I jump off a high ledge while swimming and my phone gets smashed?
What happens if I swim a little TOO deep while looking for the shark from Finding Nemo off the coast of Sydney, Australia? (And yeah, before you say that's ridiculous, you live in the USA, when will that ever happen: I have in fact traveled to Australia for an extended period and gone swimming in the coral reefs before).
What happens if my phone gets lost? I’m no genius…that sh*t happens.
Long story short, include all the features, and choose a fleshed out but not too flashy or wonky widget toolkit, and you’ve got yourself a steady stream of new customers.
You guys have done it before, you can do it again. Keep the plan simple, don’t combine one product with another. Make them cooperate, like a good little UNIX command using the pipe metaphor. Make it happen!
If any of you feel like this should be a separate post, lemme know!
Oh, and last thing: make sure you guys hire someone on Fiverr to make a good logo for you. It’s cheap, it’s effective. And it sure beats trying to learn that skill set yourself.