this post was submitted on 19 Aug 2023
138 points (97.9% liked)

Open Source

31359 readers
210 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

If proprietary app is better and more robust I am willing to try it and assess it myself.

you are viewing a single comment's thread
view the rest of the comments
[–] peregus 26 points 1 year ago (3 children)

I don't think that it's safe to leave both authentication factors in a single app.

[–] dana 3 points 1 year ago* (last edited 1 year ago) (1 children)

It depends on your risk profile, but yes, it's less secure. For some people the convenience is worth the risk, for others maybe not. If you opt to store 2fa keys in Bitwarden you'd definitely want to enable 2fa for your Bitwarden account though, which brings us back to the same issue again.

[–] peregus 3 points 1 year ago (1 children)

If you opt to store 2fa keys in Bitwarden you'd definitely want to enable 2fa for your Bitwarden account though, which brings us back to the same issue again.

With the risk of getting locked out if all your devices get logged out of Bitwarden! 🙈

[–] dana 3 points 1 year ago

To clarify, you'd want to enable 2fa for Bitwarden and store the token for that in a different authenticator app - that way you can still log in to Bitwarden without already needing to be logged in

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Why not? If you enable 2fa, chance that you'll save the recovery/emergency code in your password manager anyway (I don't think people would really write them down on a piece of paper and put them in their safe). Why use a separate authenticator app if your password manager can handle it all?

[–] peregus 1 points 1 year ago* (last edited 1 year ago) (1 children)

chance that you'll save the recovery/emergency code in your password manager

You're absolutely right about this and I need to find a solution.

Why use a separate authenticator app if your password manager can handle it all?

What if you get logged out from Bitwarden on all the devices? How can you get back in Bitwarden if you have 2FA enabled on that service? (And I hope that you do!)

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Believe it or not, I save my bitwarden 2FA on bitwarden too! I also save it on google authenticator, so I have it on two places. The reason I save it on bitwarden is to prevent losing access to the token if I lost my phone, because bitwarden allow you to unlock the vault without OPT on a know device/computer (it only ask for OTP when you login from a new device). So as long as I have one device with bitwarden, I should still be able to unlock the vault and re-login on a new phone using 2FA token from bitwarden on the other device. If I lost all my devices, then I'll have to dig the recovery code I hid and encrypted somewhere on my google account and my primary desktop, which is quite a pain so I hope I don't need to do this.

[–] peregus 1 points 1 year ago (1 children)

Beware that for important bug/problem/I don't know, you could be logged out from all your devices for security reason and in that case you can login only with 2FA even on devices where you were already logged in. Keep in mind that Aegis can create encrypted backups, but you'll have to upload them somewhere and I understand that with Bitwarden is easier.

[–] [email protected] 1 points 1 year ago

Well, as long as I don't lose the phone with Google authenticator, I should still be able to login to bitwarden without digging out the recovery code.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

This. It's not two factor if both factors are stored together lol