Bitwarden Authenticator

Backup, cloud security, and threat models

  • Initial Bitwarden Authenticator release stores secrets locally and relies on iOS/Android backup services, not Bitwarden’s own cloud.
  • Several commenters are unsure how well iCloud/Android backups actually protect these secrets:
    • iCloud: end‑to‑end encrypted only if Advanced Data Protection is enabled (not available everywhere, and off by default).
    • Android: disagreement over whether backups are fully E2EE or only “some” data is; the behavior is described as fiddly and poorly documented.
  • Some see OS‑level, E2EE backups as an acceptable usability–security tradeoff; others argue that if 2FA is recoverable via a cloud account, security collapses to that account’s strength.
  • Threat models differ: some worry about governments and cloud providers; others just want protection from basic credential reuse, accepting cloud‑backed 2FA.

Syncing, desktop support, and lockout risk

  • Bitwarden Authenticator currently lacks multi‑device sync; roadmap mentions syncing to Bitwarden accounts, push 2FA, and recovery.
  • Lack of sync is a deal‑breaker for users afraid of losing a phone and being locked out; others argue non‑syncable OTP secrets bound to one device are closer to “real” 2FA.
  • Debate over desktop authenticators:
    • Pro: redundancy if a phone is lost, convenience when working on laptops.
    • Con: storing passwords and OTP seeds on the same computer undermines 2FA, since a compromise of that machine yields both factors at once.
  • Some prefer separate, backup‑friendly TOTP solutions (e.g., KeePassXC, Aegis, Ente Auth, 2FAS); Authy is heavily criticized for vendor lock‑in and export limitations.

Bitwarden ecosystem, separation of factors, and trust

  • Built‑in Bitwarden TOTP is a paid feature and syncs via Bitwarden’s servers; the new app is free, account‑optional, and local/OS‑backup only.
  • Many don’t like storing TOTP seeds in the same vault as passwords, or even with the same vendor, citing a “single point of failure” and the possibility of a compromised update reaching both factors at once.
  • Others accept this for convenience, especially when their Bitwarden account itself uses stronger MFA (e.g., hardware keys, separate TOTP).
  • Self‑hosting (Bitwarden server or Vaultwarden) is popular to reduce vendor/VC risk, referencing LastPass as a cautionary tale and concerns about future Bitwarden direction, outages, and past database‑corruption issues.

UI/UX and alternative approaches

  • Multiple complaints about recent Bitwarden UI changes (extra clicks, confusing defaults, inconsistent behavior on Android and extensions), though some workarounds via settings are shared.
  • Several users prefer FOSS or cross‑platform alternatives (Aegis, Ente Auth, 2FAS) that support encrypted backups and exports.
  • A minority argues TOTP itself is outdated and phishable, advocating WebAuthn/security keys instead, but most note that TOTP remains far more widely supported in practice.