Which 2FA system is best for BitWarden (Android/PC)

I have just switched to Bitwarden from L**Pass and like what I see.

One thing I am unsure about is which 2FA system is best to protect my account. (Needing something for Android and PC)

I’ve looked at both Authy and DUO, both of which have an alarming number of low-star reviews in the Play store saying basically that the app has gone wrong and users are locked out of whatever it was protecting.

A Yubico hardware key is probably the best, but then that would prevent me from logging into BW on my work laptop as, for security, USB ports are disabled!! This might also be a problem with public shared computers elsewhere, e.g. airport lounges.

Sending a code to email would be an issue if I wish to secure my email with a stronger password and BW!!

For all its faults, L*Pass at least had its own authenticator system which worked reliably.

The options are listed in order of preference at Two-step Login Methods | Bitwarden Help & Support and that is a good guide. “Best” is subjective and you have not defined what criteria you would use, so that guide is the best that can be done.

The fact that on your work laptop USB ports are disabled is not something either Bitwarden or those of us here can do anything about. The policies of your work are something you must discuss with them, if you wish, but security keys are by far the best method of securing accounts. There is nothing to stop you using security keys on your own devices. I have no idea whether you can install Authy on your work computers but, assuming you can, you can use Authy to secure your account on them while using a security key on your own devices.

Low star ratings on review sites can be accurate or not. In this case I suspect that many of those giving them are upset for some reason. Both Authy and Duo are widely used and have never given me any trouble, but then I have read the instructions (unlike many who rush to whine about something). You will always find some whining on review sites, for whatever reason.

I agree with @Davidz that both Authy and Duo are reliable solutions. If your Android supports NFC you also might want to take a look at the YubiKey 5 NFC as a third option. Just make sure to have more than just a single 2FA option and to test all of them before you rely on them. Whenever possible avoid SMS and email.
By the way: I use all of these three options.

Two very sound bits of advice.

I would add that having backup copies of things like recovery codes is a very good idea (in most cases) too. Clearly these codes etc. need to be stored securely.

This point is probably only really understood by those of us who have managed to lock ourselves out of something:-( We realised that our memory is not infallible:-) Touch wood, so far, I have only managed to lock myself out of one account (my fault, not anyone else’s fault), but that does make me careful to do things like have more than one form of 2FA available. One exception to that is a Google account, where I do have Advanced Protection turned on and thus it would be a pain to access should I lose all my security keys.

I have looked at both in the past. Both are actually pretty good solutions. Authy has a well thought out security model and they have great documentation on how they encrypt their seeds and how encryption is end to end. It is the simpler of the two to set up. What is also nice is that they have a desktop client and also an Apple Watch client. What I don’t like is that it uses SMS to sign up, but they do have a way to mitigate someone hijacking your SMS.

Duo is cool because software that supports Duo can get a prompt like Google Prompt. Instead of entering a code, you just press approve on your phone. It is however a bit more complicated to set up.

If you don’t have a need for multiple 2FA clients, you can use something like AndOTP or Aegis. Both will allow encrypted backup but no syncing. I am using these solutions because they are open source so there are no trackers and no extra permissions.

It has been my experience that TOTP complainers (Authy and other products) don’t have a clue about backing up their credentials. E.g. Google Auth gets hosed on your phone BUT you don’t have a backup to restore the TOTP code. Whose fault is that? The complainers blame the software when their hosed phone (lost, broken, etc.) is the issue. I have never had an issue with Authy! Of course we all prefer U2F (Yubi’s) as it’s the best. My Android works great with NFC and Yubi’s and that makes Bitwarden a “keeper” from head to tail, LOL!
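As an added illustration (not code from anyone in this thread) of why the seed is the thing to back up, as the AndOTP/Aegis and "back up your TOTP credentials" posts above argue: the snippet parses a constructed otpauth URI of the kind authenticator backups and enrolment QR codes carry, then derives RFC 6238 TOTP codes from it. The URI, label and seed are constructed (the seed is the RFC 6238 test key, not a real account); any device restored with the same seed produces the same codes.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import unquote

# Constructed otpauth URI (label and issuer are made up). The secret is the
# RFC 6238 test key "12345678901234567890" in base32, NOT a real account seed.
DEMO_URI = ("otpauth://totp/Bitwarden:user%40example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Bitwarden"
            "&digits=6&period=30")


def parse_otpauth(uri: str) -> dict:
    """Extract label, base32 seed, digit count and period from an otpauth://totp URI."""
    prefix = "otpauth://totp/"
    if not uri.startswith(prefix):
        raise ValueError("not a TOTP otpauth URI")
    label, _, query = uri[len(prefix):].partition("?")
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    return {"label": unquote(label), "secret": params["secret"],
            "digits": int(params.get("digits", "6")),
            "period": int(params.get("period", "30"))}


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238: HOTP (RFC 4226) over the time counter floor(at / period)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at // period)             # 8-byte big-endian
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(entry: dict, candidate: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock skew,
    comparing in constant time. This is the server-side check."""
    return any(
        hmac.compare_digest(
            totp(entry["secret"], now + k * entry["period"],
                 entry["digits"], entry["period"]), candidate)
        for k in range(-window, window + 1))


if __name__ == "__main__":
    entry = parse_otpauth(DEMO_URI)
    print(entry["label"], "current code:", totp(entry["secret"], int(time.time())))
```

Restoring the same URI on a second phone gives the same `totp()` output at the same time, which is why an encrypted backup of the seed, not of the six-digit codes, is what gets you back in.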

Thanks everyone, that’s very useful.

I didn’t know that you could use more than one system at a time.

It’s a good point that I wouldn’t be able to install any software on my work computer either; I was assuming I would just need an Auth app on my phone and whenever trying to log in the app would spring to life on my phone and I approve or deny depending on whether I was actually trying to log in or not. This is exactly how it worked with LP! So I think that @paulsiu’s comment above about DUO sounds like the system that I need for my situation.

I know about the odd 1-star reviews, but I always look for an overall rating of 4+; still I can see how this sort of app is more complicated and more likely for a user to mess up by not reading the manual!

You should read the comments and review why they were given a bad review. A lot of systems are rather complicated to set up even if they work well, so they get 1 star because people can’t set them up. If you are technically minded, you may actually like the number configuration.

On the other hand, if you get a lot of “unreliable access” or “my token was lost” etc., you may want to stay away.
