✅ TOTP Screenshot feature

For what its worth: I have just encountered a QR code that has no text-based TOTP key, in an environment where I have access to bitwarden but not my phone.

It’s disheartening to see this feature not being implemented. The people who will benefit from this feature are the paying and loyal bw customers. It would really be appreciative of them to implement something like this.

For anyone interested, I wrote a quick utility to address this for myself. This relies on the ZXing JS library and the unpkg CDN to print out the TOTP URI to the DevTools console. Make sure you understand the risks involved.

Some knowledge of JavaScript and browser DevTools is necessary.

Usage:

  1. Install the browser userscript manager of your choice (e.g., Tampermonkey or Greasemonkey).
  2. Add the below script to a new userscript for all sites.
  3. Select a QR code img element in the browser DevTools (e.g., with Ctrl+Shift+C in Chrome: Open Chrome DevTools - Chrome Developers).
  4. Run qrTools.decodeQrCode() in the DevTools console.
window.qrTools = class QrTools {
        loadedScripts = [];

        async decodeQrCode(element = $0) {
            if (!(element instanceof HTMLElement)) {
                throw new Error('The given element is not a recognized HTML element.');
            }

            // Work around ZXing bug: Image is handled as a video unless videoWidth === 0
            if (element instanceof HTMLImageElement) {
                element.videoWidth = 0;
            }

            await this.loadScript('https://unpkg.com/@zxing/[email protected]');
            const codeReader = new ZXing.BrowserQRCodeReader()
            const decodeResult = await codeReader.decodeFromImage(element);
            console.log('Decode result:', decodeResult.text, decodeResult);
        }

        async loadScript(src) {
            if (this.loadedScripts.includes(src)) {
                return;
            }
            const scriptEl = document.createElement('script');
            scriptEl.type = 'text/javascript';
            scriptEl.src = src;
            document.head.append(scriptEl);
            await new Promise((resolve, reject) => scriptEl.addEventListener('load', () => resolve()));
            this.loadedScripts.push(src);
        }
}

Big +1 from me; I don’t really want to be tethered to Android (or iOS).

Feature function

It’s quite annoying to have to take your phone out to scan the QR code and then resynchronize the extension.

I suggest to do it directly from the extension.

Is there any update on this? When it comes to convenience and ease of use, BW is definitely behind the competitors and getting worse.

@bw-admin is there any news about the implementation of this feature?

Even Yubico Authenticator has this feature! (and that is about as minimal app as it comes.)
There is really no excuse that bitwarden doesn’t allow desktop users to scan QR codes.
Get off the pot, write the code, figure out the licensing and get it done already! I shouldn’t have to vote this into existence.

When is this feature going to be implemented? I have just recently sign up with Bitwarden, but I am thinking about moving to another software because this feature is not implemented.

As convenient as it is I would advise everyone to NEVER store your TOTP info in BW (or any other password manager). The whole point of TOTP is if your password manager becomes compromised the attacker won’t have everything they need to log in to your accounts. You should keep your TOTP info in another app entirely (Authy, Google Authenticator, etc.). For the same reason I would use a strong password for my primary email account and NOT store that in a password manager either since usually your email account would be used as part of password recovery for a login. TLDR: Don’t keep all your eggs in one basket.

@FrostedRoses Your suggestion is irrelevant to the discussion and not appropriate.

While it is a common suggestion, firstly, I don’t trust any of the apps you mentioned as they are not open source and are just a side business for their maintainers (e.g., Twilio’s main business is actually SMSes and calls), and secondly, none of them support exporting your data properly. None of them have been audited to check if their claims of encryption are actually any good.

And essentially, you’re suggesting we use 2 different password managers (the TOTP secret is kind of like a password - just hashed before it’s sent to the server instead of after) - I cannot think of a realistic scenario where one of the password managers could be compromised and the other one not, as the most likely way of getting in is social engineering or physical device access.

I use a security key for my important accounts, and Bitwarden for the TOTP of my 200+ non essential accounts, it is not worth the effort for me to use two password managers.

I’d just suggest you not to hijack this thread to tell people to use two password managers. I don’t use two locks on my doors either.

1 Like

@prajaybasu I completely agree with what you just said. @FrostedRoses I recommend that you use 2 hardware security keys (one master and one backup) to access your account and obviously a strong master password. Don’t rely on the third-party apps you mentioned, as most of them are not open source or even audited through third-party audits. See this news about an app you mentioned Twilio says breach also compromised Authy two-factor app users

3 Likes

I was trying to add a MFA key to my Bitwarden iOS app, and I could only either scan the QR code, or enter the key. The key could not be copied from the website because it was poorly made, and the QR code was on the same device that I was trying to set up the MFA on, so there was no way I could scan it. I think it would be cool to have an option to add a QR code from a screenshot.

@Nemanja Welcome to the forum!

I merged your feature request into this existing feature request thread. As you can see from the comment above yours, there is already progress on implementing this functionality.

Hi,

a Scan QR-Code Feature for adding 2FA/TOTP to an Login would be nice.
This is something i like in 1Password.

Greetings

My PR on this now is through the review rounds and got merged:

Should be included in one of the next releases, enjoy!

1 Like

Due to the time of merge, this will be included in the 2024.2-release

4 Likes

Closing this now, as the feature is included in the 2024.2-release.

Big thanks again to @Quexten for working on this :heart: :rocket: