2FA vs TOTP - same thing?

I use Bitwarden.
It offers TOTP.
Is that the same thing as using a standalone authenticator like authy or Bitwarden Authenticator?

I believe so, yes, though as others have pointed out it’s probably better to use Authy or Google Authenticator than storing your 2FA codes in Bitwarden along with your passwords.


In theory all implementers of TOTP for 2FA should implement it identically if they follow the standard.


Thanks everyone.
Not storing 2FA info in my password manager makes sense.
Authy has discontinued desktop.
So that leaves me with either

  • Google Authenticator
  • Microsoft Authenticator
  • Bitwarden Authenticator app

Any votes for either one? Or are they all basically the same?

Yeah, I hate that Authy discontinued the desktop app. But I still use it because I don’t want to deal with migrating my tokens.

However, I do use Bitwarden for my passwords, so that one is already off the table. Not putting all of my auth in one basket.

Yes, we are looking for a decent desktop based authenticator for work. It is now a legal requirement for all online accounts to use MFA, if they are being used for business*, and most of our employees don’t have a company phone and they don’t want to use their private ones for business purposes - most don’t even have an Authenticator app on their phones, anyway.

(*) we fall under NIS 2 for critical infrastructure, which means that MFA is no longer “nice to have”, but an actual requirement.

Thanks for the detailed response.
What is the seed code?

In essence a TOTP code is calculated by:

TOTPCode =
  Extract6DigitsFrom(
    GenerateSecureHashOf(
      SeedCode()  // unique to you and known to both sides (like a password)
        concatenated to
      QuantizedRepresentationOfCurrentDateAndTime()  // quantized to units of 30 seconds
    )
  )

Does it use SHA256 hash algorithm?

No, it does not. I posted a link to the standard above. It uses an HMAC based on SHA1. It uses the seed value as the key portion of the HMAC and the time portion as the data. You could use a different HMAC algorithm, but doing so would make it incompatible with the standard and thus all of the TOTP clients in existence.
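As an added worked example (not code posted in this thread), here is the calculation the two replies above describe, written out in Python exactly as RFC 6238 specifies it: the seed is the HMAC-SHA1 key, the 30-second time counter is the HMAC data, and the "extract 6 digits" step is RFC 4226's dynamic truncation. The function names `totp`, `verify` and `seed_from_base32` are my own; the seed is the published RFC 6238 test secret, and the drift window in `verify` is an assumed server policy, not something the thread states.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the quantized time counter, then dynamic truncation."""
    counter = unix_time // step                          # quantize the clock into 30-second units
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter is the HMAC "data"
    digest = hmac.new(seed, msg, hashlib.sha1).digest()  # the shared seed is the HMAC key
    offset = digest[-1] & 0x0F                           # low nibble of the last byte picks a 4-byte window
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)    # keep the last `digits` decimal digits, zero-padded


def seed_from_base32(encoded: str) -> bytes:
    """Seeds in otpauth:// URIs / QR codes are Base32; normalise, pad and decode."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify(seed: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift (assumed policy).

    Uses a constant-time comparison so the check does not leak which digits matched.
    """
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(seed, unix_time + drift * step, step), code):
            return True
    return False


# Constructed input: the SHA-1 test seed published in RFC 6238 (ASCII "12345678901234567890").
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SEED, 59))                # 287082 (6-digit form of the RFC vector 94287082)
    print(totp(RFC_SEED, int(time.time())))  # whatever your clock says right now
```

Because both sides only need the seed and a clock, a server that accepts the same 6 digits as Google Authenticator or Bitwarden must be running this exact HMAC-SHA1 construction; swapping the hash, the step, or the truncation rule produces a different code stream, which is why the reply above calls a non-standard variant incompatible with every existing client.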


I am using Google Authenticator for my private 2FA. At the company, SOME Azure accounts seem to require the usage of the Microsoft Authenticator specifically, while other Azure accounts (older ones?) are working with “regular” TOTP via the Google Authenticator.

So, there is a difference between those two, but I can not tell what actually makes the difference.

Google and Microsoft both use the standard TOTP plus their own proprietary system, which does not require a password, but sends the authenticator a request and the user has to select the number from a list (private account) or the user has to enter the number (business/school account), and the authorisation is then sent back to Google/Microsoft to release the account.

Both authenticators can also be used for standard TOTP accounts as well and display the rolling number for that account. I’ve only seen MS accounts using the MS Authenticator in the last 3-4 years; I’ve not tried to set it up with a different authenticator, so I don’t know if that still works or not as an option (my private account is from 1996 and my work account from 2019, and both use the fully passwordless method).