this post was submitted on 02 Mar 2024
19 points (91.3% liked)

Open Source


Does anyone know why there are no dedicated Authenticator apps made by for example Proton or Bitwarden?

I’m aware that they have TOTP baked into their password managers but you still need to have at least one separate solution to log into your vault.

top 17 comments
[–] [email protected] 8 points 8 months ago

I have a yubikey for the Bitwarden vault as second factor

[–] [email protected] 6 points 8 months ago (1 children)

Why do you need that? Just use one of the already existing ones like Aegis.

[–] [email protected] 1 points 8 months ago

When did more options become a bad thing?

[–] [email protected] 3 points 8 months ago* (last edited 8 months ago) (1 children)

Bitwarden has OTP built in, but you have to buy Premium. Totally worth it.

[–] [email protected] 2 points 8 months ago (1 children)

Should probably mention that Premium is only 10 bucks a year. I also don't just pay for the feature itself but also to support Bitwarden; it's completely free and open source, after all.

[–] [email protected] 1 points 8 months ago

Same. 10 bucks is a steal.

[–] [email protected] 2 points 8 months ago

The best authenticator is https://github.com/jamie-mh/AuthenticatorPro

FOSS.

Didn't realise you could have a good authenticator until I used this.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago) (2 children)

I keep Google Authenticator around just to store Bitwarden's TOTP. But I also store Bitwarden's TOTP inside Bitwarden, so I can use Bitwarden's mobile client to get Bitwarden's TOTP when I log into Bitwarden on another device.

[–] [email protected] 4 points 8 months ago (1 children)

That's what I'd recommend. Why Google and not Aegis or another non-Google FOSS app?

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago)

Nothing in particular. All my TOTP was in Google Authenticator, and over the years I migrated them all to LastPass, then Bitwarden, and the only thing left there now is Bitwarden's TOTP.

[–] [email protected] 1 points 8 months ago

Sounds like a "yo, dawg" meme.

[–] [email protected] 1 points 8 months ago

Kinda think it's to keep costs down. They already have their built-in TOTP generators, so making a separate application seems kinda redundant. Unless you mean why they don't make their own hardware security key? That's probably also to keep costs down (materials, vendors, marketing, upkeep, etc.). I would also like to have a rival with the same credibility as YubiKey, though, in case something happens to the company.

[–] [email protected] 1 points 8 months ago (1 children)

Why do you need a separate one?

[–] [email protected] 6 points 8 months ago (1 children)

Because if - if - your master password database gets breached, having your TOTPs in a separate vault is the difference between

Shit, they got into my stuff which doesn't support TOTP

and

Shit, they got into everything

[–] [email protected] -1 points 8 months ago* (last edited 8 months ago) (1 children)

No. If anyone has access to your email or master password, they can simply reset any other account. How would your difficult (one-time-used) password for Protonmail be leaked? Proton doesn't have it. Only if you've got powerful malware on your device, and then it doesn't matter in which app your shit is stored.

[–] [email protected] 6 points 8 months ago* (last edited 8 months ago) (1 children)

What? No. That depends on the site in question. If you have 2FA, the site should not let you reset your password without that 2FA - it's one of the major points of even having 2FA. If a website lets you reset your password without the multifactor auth you set up, they're doing it wrong.

Edit: to be clear, we're talking about having your multifactor auth in the same vault as you keep your passwords. That's fine to do as long as your vault doesn't get breached. If you do get breached, having your TOTP secrets in a different vault will help keep at least some of your accounts safe.

[–] [email protected] 3 points 8 months ago* (last edited 8 months ago)

I think they are suggesting the ability to reset 2FA for a service if they have access to your email.

Let's say your database contains your email service and a bank account without 2FA. Let's also assume they got access to your email through a sham site that had you type in your credentials and 2FA.

Hacker gets database.

They can log in to your email and use the recovery code the bank sends to your email for "lost my 2FA". (And delete the mail notifications as they come in, hopefully before you catch on.)

A bank (should) have additional steps such as a phone number, or a real recovery key you were supposed to write down, but a random online store or entertainment site will probably just reset the 2FA, and the hacker can go from there.

Realistically we should be using at least 3 password database files with different master passwords for better security.

  1. Account logins and passwords
  2. TOTP
  3. Any 2FA recovery keys.

However, in practice that is a pain in the ass, and if someone has taken the time to breach your one specific database instead of going after easier targets, they probably have all your databases.